Sep 21 07:25:31.903678: FIPS Product: YES Sep 21 07:25:31.903714: FIPS Kernel: NO Sep 21 07:25:31.903718: FIPS Mode: NO Sep 21 07:25:31.903720: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:25:31.903884: Initializing NSS Sep 21 07:25:31.903890: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:25:31.949240: NSS initialized Sep 21 07:25:31.949255: NSS crypto library initialized Sep 21 07:25:31.949257: FIPS HMAC integrity support [enabled] Sep 21 07:25:31.949259: FIPS mode disabled for pluto daemon Sep 21 07:25:32.004948: FIPS HMAC integrity verification self-test FAILED Sep 21 07:25:32.005051: libcap-ng support [enabled] Sep 21 07:25:32.005059: Linux audit support [enabled] Sep 21 07:25:32.005089: Linux audit activated Sep 21 07:25:32.005098: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:10132 Sep 21 07:25:32.005101: core dump dir: /tmp Sep 21 07:25:32.005103: secrets file: /etc/ipsec.secrets Sep 21 07:25:32.005105: leak-detective disabled Sep 21 07:25:32.005107: NSS crypto [enabled] Sep 21 07:25:32.005109: XAUTH PAM support [enabled] Sep 21 07:25:32.005180: | libevent is using pluto's memory allocator Sep 21 07:25:32.005188: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:25:32.005200: | libevent_malloc: new ptr-libevent@0x55f43a2f40e0 size 40 Sep 21 07:25:32.005203: | libevent_malloc: new ptr-libevent@0x55f43a2f4110 size 40 Sep 21 07:25:32.005206: | libevent_malloc: new ptr-libevent@0x55f43a2f5400 size 40 Sep 21 07:25:32.005208: | creating event base Sep 21 07:25:32.005211: | libevent_malloc: new ptr-libevent@0x55f43a2f53c0 size 56 Sep 21 07:25:32.005214: | libevent_malloc: new ptr-libevent@0x55f43a2f5430 size 664 Sep 21 07:25:32.005224: | libevent_malloc: new 
ptr-libevent@0x55f43a2f56d0 size 24 Sep 21 07:25:32.005229: | libevent_malloc: new ptr-libevent@0x55f43a2e6ef0 size 384 Sep 21 07:25:32.005237: | libevent_malloc: new ptr-libevent@0x55f43a2f56f0 size 16 Sep 21 07:25:32.005240: | libevent_malloc: new ptr-libevent@0x55f43a2f5710 size 40 Sep 21 07:25:32.005243: | libevent_malloc: new ptr-libevent@0x55f43a2f5740 size 48 Sep 21 07:25:32.005249: | libevent_realloc: new ptr-libevent@0x55f43a277370 size 256 Sep 21 07:25:32.005251: | libevent_malloc: new ptr-libevent@0x55f43a2f5780 size 16 Sep 21 07:25:32.005257: | libevent_free: release ptr-libevent@0x55f43a2f53c0 Sep 21 07:25:32.005260: | libevent initialized Sep 21 07:25:32.005264: | libevent_realloc: new ptr-libevent@0x55f43a2f57a0 size 64 Sep 21 07:25:32.005270: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:25:32.005283: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:25:32.005285: NAT-Traversal support [enabled] Sep 21 07:25:32.005288: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:25:32.005294: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:25:32.005298: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:25:32.005333: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:25:32.005337: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:25:32.005340: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:25:32.005390: Encryption algorithms: Sep 21 07:25:32.005399: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:25:32.005403: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:25:32.005406: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:25:32.005409: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:25:32.005413: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:25:32.005421: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:25:32.005425: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:25:32.005429: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:25:32.005432: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:25:32.005435: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:25:32.005439: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:25:32.005443: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:25:32.005446: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:25:32.005450: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:25:32.005453: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:25:32.005456: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:25:32.005459: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:25:32.005466: Hash algorithms: Sep 21 07:25:32.005468: MD5 IKEv1: IKE IKEv2: Sep 21 07:25:32.005471: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:25:32.005474: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:25:32.005477: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:25:32.005480: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:25:32.005493: PRF algorithms: Sep 21 07:25:32.005496: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:25:32.005499: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:25:32.005502: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:25:32.005505: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:25:32.005508: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:25:32.005511: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:25:32.005535: Integrity algorithms: Sep 21 07:25:32.005539: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:25:32.005542: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:25:32.005546: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:25:32.005550: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:25:32.005554: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:25:32.005556: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:25:32.005560: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:25:32.005563: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:25:32.005566: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:25:32.005577: DH algorithms: Sep 21 07:25:32.005581: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:25:32.005583: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:25:32.005586: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:25:32.005591: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:25:32.005594: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:25:32.005596: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:25:32.005599: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:25:32.005602: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:25:32.005605: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:25:32.005608: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:25:32.005611: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:25:32.005613: testing CAMELLIA_CBC: Sep 21 07:25:32.005616: Camellia: 16 bytes with 128-bit key Sep 21 07:25:32.005733: Camellia: 16 bytes with 128-bit key Sep 21 07:25:32.005760: Camellia: 16 bytes with 256-bit key Sep 21 07:25:32.005812: Camellia: 
16 bytes with 256-bit key Sep 21 07:25:32.005855: testing AES_GCM_16: Sep 21 07:25:32.005859: empty string Sep 21 07:25:32.005885: one block Sep 21 07:25:32.005909: two blocks Sep 21 07:25:32.005932: two blocks with associated data Sep 21 07:25:32.005957: testing AES_CTR: Sep 21 07:25:32.005960: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:25:32.005985: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:25:32.006011: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:25:32.006037: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:25:32.006061: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:25:32.006087: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:25:32.006113: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:25:32.006139: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:25:32.006165: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:25:32.006190: testing AES_CBC: Sep 21 07:25:32.006193: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:25:32.006218: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:25:32.006245: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:25:32.006273: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:25:32.006329: testing AES_XCBC: Sep 21 07:25:32.006332: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:25:32.006459: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:25:32.006585: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:25:32.006705: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:25:32.006860: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:25:32.006987: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:25:32.007186: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:25:32.007479: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:25:32.007606: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:25:32.007743: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:25:32.007993: testing HMAC_MD5: Sep 21 07:25:32.007998: RFC 2104: MD5_HMAC test 1 Sep 21 07:25:32.008169: RFC 2104: MD5_HMAC test 2 Sep 21 07:25:32.008320: RFC 2104: MD5_HMAC test 3 Sep 21 07:25:32.008495: 8 CPU cores online Sep 21 07:25:32.008498: starting up 7 crypto helpers Sep 21 07:25:32.008529: started thread for crypto helper 0 Sep 21 07:25:32.008556: | starting up helper thread 0 Sep 21 07:25:32.008569: started thread for crypto helper 1 Sep 21 07:25:32.008571: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:25:32.008575: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:32.008587: started thread for crypto helper 2 Sep 21 07:25:32.008605: started thread for crypto helper 3 Sep 21 07:25:32.008609: | starting up helper thread 3 Sep 21 07:25:32.008617: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:25:32.008619: | crypto helper 3 waiting (nothing to do) Sep 21 07:25:32.008623: started thread for crypto helper 4 Sep 21 07:25:32.008641: started thread for crypto helper 5 Sep 21 07:25:32.008659: started thread for crypto helper 6 Sep 21 07:25:32.008662: | starting up helper thread 6 Sep 21 07:25:32.008667: | checking IKEv1 state table Sep 21 07:25:32.008669: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:25:32.008672: | crypto helper 6 waiting (nothing to do) Sep 21 07:25:32.008674: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008676: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:25:32.008679: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008682: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:25:32.008684: | MAIN_R1: category: open IKE SA flags: 
200: Sep 21 07:25:32.008686: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:25:32.008689: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:32.008691: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:32.008694: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:25:32.008696: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:25:32.008698: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:32.008700: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:32.008703: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:25:32.008705: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:32.008707: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:32.008710: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:32.008712: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:25:32.008715: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:32.008717: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:32.008719: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:32.008720: | starting up helper thread 4 Sep 21 07:25:32.008722: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:25:32.008739: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008742: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:25:32.008744: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008747: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008749: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:25:32.008752: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008754: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:32.008756: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:32.008759: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:25:32.008761: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:32.008764: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:32.008766: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:25:32.008768: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008771: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:25:32.008773: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008776: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 
07:25:32.008790: | starting up helper thread 5 Sep 21 07:25:32.008735: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:25:32.008807: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:25:32.008810: | crypto helper 4 waiting (nothing to do) Sep 21 07:25:32.008790: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:25:32.008816: | crypto helper 5 waiting (nothing to do) Sep 21 07:25:32.008776: | starting up helper thread 1 Sep 21 07:25:32.008836: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:25:32.008839: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:32.008819: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:25:32.008848: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:25:32.008727: | starting up helper thread 2 Sep 21 07:25:32.008865: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:25:32.008868: | crypto helper 2 waiting (nothing to do) Sep 21 07:25:32.008852: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:25:32.008918: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:25:32.008921: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:25:32.008923: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008925: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:25:32.008926: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008928: | INFO: category: informational flags: 0: Sep 21 07:25:32.008930: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008931: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:25:32.008933: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008934: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:25:32.008936: | -> XAUTH_R1 EVENT_NULL Sep 21 07:25:32.008937: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:25:32.008939: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:32.008941: | MODE_CFG_R0: category: informational flags: 0: Sep 
21 07:25:32.008942: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:25:32.008944: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:25:32.008945: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:25:32.008947: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:25:32.008948: | -> UNDEFINED EVENT_NULL Sep 21 07:25:32.008950: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:25:32.008952: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:32.008953: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:25:32.008955: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:25:32.008956: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:25:32.008958: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:25:32.008963: | checking IKEv2 state table Sep 21 07:25:32.008968: | PARENT_I0: category: ignore flags: 0: Sep 21 07:25:32.008970: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:25:32.008972: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008974: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:25:32.008976: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:25:32.008978: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:25:32.008979: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:25:32.008981: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:25:32.008983: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:25:32.008985: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:25:32.008986: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:25:32.008988: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:25:32.008990: | -> PARENT_I3 EVENT_RETAIN (I3: Informational 
Request) Sep 21 07:25:32.008992: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:25:32.008993: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:25:32.008995: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:25:32.008997: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:32.008998: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:25:32.009000: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:25:32.009002: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:25:32.009004: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:25:32.009006: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:25:32.009010: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:25:32.009012: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:25:32.009014: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:25:32.009015: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:25:32.009017: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:25:32.009019: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:25:32.009021: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:25:32.009023: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:25:32.009024: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:25:32.009026: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:32.009028: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:25:32.009030: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:25:32.009032: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:25:32.009033: 
| -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:25:32.009035: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:25:32.009037: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:25:32.009039: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:25:32.009041: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:25:32.009042: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:32.009044: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:25:32.009046: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:25:32.009048: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:25:32.009050: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:25:32.009051: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:25:32.009053: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:25:32.009119: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:25:32.009176: | Hard-wiring algorithms Sep 21 07:25:32.009179: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:25:32.009182: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:25:32.009183: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:25:32.009185: | adding 3DES_CBC to kernel algorithm db Sep 21 07:25:32.009187: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:25:32.009188: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:25:32.009189: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:25:32.009191: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:25:32.009192: | adding AES_CTR to kernel algorithm db Sep 21 07:25:32.009194: | adding AES_CBC to kernel algorithm db Sep 21 07:25:32.009195: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:25:32.009197: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:25:32.009199: | adding 
NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:25:32.009200: | adding NULL to kernel algorithm db Sep 21 07:25:32.009202: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:25:32.009203: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:25:32.009205: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:25:32.009207: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:25:32.009208: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:25:32.009210: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:25:32.009211: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:25:32.009213: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:25:32.009214: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:25:32.009216: | adding NONE to kernel algorithm db Sep 21 07:25:32.009234: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:25:32.009239: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:25:32.009240: | setup kernel fd callback Sep 21 07:25:32.009242: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55f43a2fae40 Sep 21 07:25:32.009247: | libevent_malloc: new ptr-libevent@0x55f43a306fe0 size 128 Sep 21 07:25:32.009249: | libevent_malloc: new ptr-libevent@0x55f43a2fa120 size 16 Sep 21 07:25:32.009254: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55f43a2fae00 Sep 21 07:25:32.009256: | libevent_malloc: new ptr-libevent@0x55f43a307070 size 128 Sep 21 07:25:32.009257: | libevent_malloc: new ptr-libevent@0x55f43a2fa140 size 16 Sep 21 07:25:32.009394: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:25:32.009400: selinux support is enabled. 
Sep 21 07:25:32.009468: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:25:32.009596: | unbound context created - setting debug level to 5 Sep 21 07:25:32.009617: | /etc/hosts lookups activated Sep 21 07:25:32.009629: | /etc/resolv.conf usage activated Sep 21 07:25:32.009663: | outgoing-port-avoid set 0-65535 Sep 21 07:25:32.009680: | outgoing-port-permit set 32768-60999 Sep 21 07:25:32.009682: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:25:32.009684: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:25:32.009686: | Setting up events, loop start Sep 21 07:25:32.009688: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55f43a2f53c0 Sep 21 07:25:32.009690: | libevent_malloc: new ptr-libevent@0x55f43a3115e0 size 128 Sep 21 07:25:32.009692: | libevent_malloc: new ptr-libevent@0x55f43a311670 size 16 Sep 21 07:25:32.009697: | libevent_realloc: new ptr-libevent@0x55f43a2755b0 size 256 Sep 21 07:25:32.009699: | libevent_malloc: new ptr-libevent@0x55f43a311690 size 8 Sep 21 07:25:32.009701: | libevent_realloc: new ptr-libevent@0x55f43a306360 size 144 Sep 21 07:25:32.009703: | libevent_malloc: new ptr-libevent@0x55f43a3116b0 size 152 Sep 21 07:25:32.009706: | libevent_malloc: new ptr-libevent@0x55f43a311750 size 16 Sep 21 07:25:32.009708: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:25:32.009710: | libevent_malloc: new ptr-libevent@0x55f43a311770 size 8 Sep 21 07:25:32.009712: | libevent_malloc: new ptr-libevent@0x55f43a311790 size 152 Sep 21 07:25:32.009714: | signal event handler PLUTO_SIGTERM installed Sep 21 07:25:32.009715: | libevent_malloc: new ptr-libevent@0x55f43a311830 size 8 Sep 21 07:25:32.009717: | libevent_malloc: new ptr-libevent@0x55f43a311850 size 152 Sep 21 07:25:32.009719: | signal event handler PLUTO_SIGHUP installed Sep 21 07:25:32.009720: | libevent_malloc: new ptr-libevent@0x55f43a3118f0 size 8 Sep 21 07:25:32.009722: | libevent_realloc: release 
ptr-libevent@0x55f43a306360 Sep 21 07:25:32.009724: | libevent_realloc: new ptr-libevent@0x55f43a311910 size 256 Sep 21 07:25:32.009725: | libevent_malloc: new ptr-libevent@0x55f43a306360 size 152 Sep 21 07:25:32.009727: | signal event handler PLUTO_SIGSYS installed Sep 21 07:25:32.009977: | created addconn helper (pid:10209) using fork+execve Sep 21 07:25:32.009991: | forked child 10209 Sep 21 07:25:32.010021: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.010036: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:32.010041: listening for IKE messages Sep 21 07:25:32.010071: | Inspecting interface lo Sep 21 07:25:32.010076: | found lo with address 127.0.0.1 Sep 21 07:25:32.010078: | Inspecting interface eth0 Sep 21 07:25:32.010080: | found eth0 with address 192.0.2.254 Sep 21 07:25:32.010082: | Inspecting interface eth1 Sep 21 07:25:32.010084: | found eth1 with address 192.1.2.23 Sep 21 07:25:32.010191: Kernel supports NIC esp-hw-offload Sep 21 07:25:32.010305: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:25:32.010339: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:32.010350: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:32.010353: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:32.010454: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:25:32.010478: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:32.010483: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:32.010486: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:32.010570: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:25:32.010593: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:32.010597: | NAT-Traversal: ESPINUDP(2) setup succeeded for 
sockopt style NAT-T family IPv4 Sep 21 07:25:32.010600: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:25:32.010679: | no interfaces to sort Sep 21 07:25:32.010683: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:25:32.010691: | add_fd_read_event_handler: new ethX-pe@0x55f43a311c80 Sep 21 07:25:32.010694: | libevent_malloc: new ptr-libevent@0x55f43a311cc0 size 128 Sep 21 07:25:32.010697: | libevent_malloc: new ptr-libevent@0x55f43a311d50 size 16 Sep 21 07:25:32.010704: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:25:32.010707: | add_fd_read_event_handler: new ethX-pe@0x55f43a311d70 Sep 21 07:25:32.010710: | libevent_malloc: new ptr-libevent@0x55f43a311db0 size 128 Sep 21 07:25:32.010712: | libevent_malloc: new ptr-libevent@0x55f43a311e40 size 16 Sep 21 07:25:32.010717: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:25:32.010720: | add_fd_read_event_handler: new ethX-pe@0x55f43a311e60 Sep 21 07:25:32.010722: | libevent_malloc: new ptr-libevent@0x55f43a311ea0 size 128 Sep 21 07:25:32.010725: | libevent_malloc: new ptr-libevent@0x55f43a311f30 size 16 Sep 21 07:25:32.010729: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:25:32.010732: | add_fd_read_event_handler: new ethX-pe@0x55f43a311f50 Sep 21 07:25:32.010734: | libevent_malloc: new ptr-libevent@0x55f43a311f90 size 128 Sep 21 07:25:32.010737: | libevent_malloc: new ptr-libevent@0x55f43a312020 size 16 Sep 21 07:25:32.010741: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:25:32.010743: | add_fd_read_event_handler: new ethX-pe@0x55f43a312040 Sep 21 07:25:32.010745: | libevent_malloc: new ptr-libevent@0x55f43a312080 size 128 Sep 21 07:25:32.010748: | libevent_malloc: new ptr-libevent@0x55f43a312110 size 16 Sep 21 07:25:32.010752: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:32.010755: | add_fd_read_event_handler: new ethX-pe@0x55f43a312130 Sep 21 07:25:32.010758: | libevent_malloc: new 
ptr-libevent@0x55f43a312170 size 128 Sep 21 07:25:32.010760: | libevent_malloc: new ptr-libevent@0x55f43a312200 size 16 Sep 21 07:25:32.010765: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:32.010769: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:32.010772: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:32.010797: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:32.010817: | saving Modulus Sep 21 07:25:32.010821: | saving PublicExponent Sep 21 07:25:32.010825: | ignoring PrivateExponent Sep 21 07:25:32.010828: | ignoring Prime1 Sep 21 07:25:32.010831: | ignoring Prime2 Sep 21 07:25:32.010834: | ignoring Exponent1 Sep 21 07:25:32.010837: | ignoring Exponent2 Sep 21 07:25:32.010841: | ignoring Coefficient Sep 21 07:25:32.010844: | ignoring CKAIDNSS Sep 21 07:25:32.010878: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:32.010882: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:25:32.010886: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:25:32.010893: | certs and keys locked by 'process_secret' Sep 21 07:25:32.010897: | certs and keys unlocked by 'process_secret' Sep 21 07:25:32.010903: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:32.010913: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.010924: | spent 0.899 milliseconds in whack Sep 21 07:25:32.035956: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.035975: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:32.035978: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:32.035980: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:32.035981: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:32.035984: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:25:32.035990: | Added new connection north-east with policy ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:32.035992: | No AUTH policy was set - defaulting to RSASIG Sep 21 07:25:32.036025: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:25:32.036027: | from whack: got --esp= Sep 21 07:25:32.036049: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:25:32.036053: | counting wild cards for @north is 0 Sep 21 07:25:32.036055: | counting wild cards for @east is 0 Sep 21 07:25:32.036064: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:25:32.036067: | new hp@0x55f43a2de5b0 Sep 21 07:25:32.036071: added connection description "north-east" Sep 21 07:25:32.036079: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:32.036089: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.254/32 Sep 21 07:25:32.036095: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.036102: | spent 0.152 milliseconds in whack Sep 21 07:25:32.036131: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.036139: add keyid @north Sep 21 07:25:32.036185: | computed rsa CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:25:32.036191: | computed rsa CKAID 88 aa 7c 5d Sep 21 07:25:32.036196: | keyid: *AQPl33O2P Sep 21 07:25:32.036223: | e 03 Sep 21 07:25:32.036225: | CKAID 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Sep 21 07:25:32.036226: | CKAID 88 aa 7c 5d Sep 21 07:25:32.036232: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.036237: | spent 0.108 milliseconds in whack Sep 21 07:25:32.036263: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.036270: add keyid @east Sep 21 07:25:32.036305: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:32.036307: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:25:32.036310: | keyid: *AQO9bJbr3
Sep 21 07:25:32.036339: | e 03 Sep 21 07:25:32.036340: | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:32.036342: | CKAID 8a 82 25 f1 Sep 21 07:25:32.036347: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.036351: | spent 0.0918 milliseconds in whack Sep 21 07:25:32.036374: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.036383: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:32.036386: listening for IKE messages Sep 21 07:25:32.036416: | Inspecting interface lo Sep 21 07:25:32.036420: | found lo with address 127.0.0.1 Sep 21 07:25:32.036422: | Inspecting interface eth0 Sep 21 07:25:32.036424: | found eth0 with address 192.0.2.254 Sep 21 07:25:32.036426: | Inspecting interface eth1 Sep 21 07:25:32.036428: | found eth1 with address 192.1.2.23 Sep 21 07:25:32.036497: | no interfaces to sort Sep 21 07:25:32.036503: | libevent_free: release ptr-libevent@0x55f43a311cc0 Sep 21 07:25:32.036505: | free_event_entry: release EVENT_NULL-pe@0x55f43a311c80 Sep 21 07:25:32.036507: | add_fd_read_event_handler: new ethX-pe@0x55f43a311c80 Sep 21 07:25:32.036509: | libevent_malloc: new ptr-libevent@0x55f43a311cc0 size 128 Sep 21 07:25:32.036514: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:25:32.036517: | libevent_free: release ptr-libevent@0x55f43a311db0 Sep 21 07:25:32.036519: | free_event_entry: release EVENT_NULL-pe@0x55f43a311d70 Sep 21 07:25:32.036520: | add_fd_read_event_handler: new
ethX-pe@0x55f43a311d70 Sep 21 07:25:32.036522: | libevent_malloc: new ptr-libevent@0x55f43a311db0 size 128 Sep 21 07:25:32.036525: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:25:32.036527: | libevent_free: release ptr-libevent@0x55f43a311ea0 Sep 21 07:25:32.036529: | free_event_entry: release EVENT_NULL-pe@0x55f43a311e60 Sep 21 07:25:32.036530: | add_fd_read_event_handler: new ethX-pe@0x55f43a311e60 Sep 21 07:25:32.036532: | libevent_malloc: new ptr-libevent@0x55f43a311ea0 size 128 Sep 21 07:25:32.036535: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:25:32.036538: | libevent_free: release ptr-libevent@0x55f43a311f90 Sep 21 07:25:32.036539: | free_event_entry: release EVENT_NULL-pe@0x55f43a311f50 Sep 21 07:25:32.036541: | add_fd_read_event_handler: new ethX-pe@0x55f43a311f50 Sep 21 07:25:32.036542: | libevent_malloc: new ptr-libevent@0x55f43a311f90 size 128 Sep 21 07:25:32.036545: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:25:32.036547: | libevent_free: release ptr-libevent@0x55f43a312080 Sep 21 07:25:32.036549: | free_event_entry: release EVENT_NULL-pe@0x55f43a312040 Sep 21 07:25:32.036550: | add_fd_read_event_handler: new ethX-pe@0x55f43a312040 Sep 21 07:25:32.036552: | libevent_malloc: new ptr-libevent@0x55f43a312080 size 128 Sep 21 07:25:32.036555: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:32.036560: | libevent_free: release ptr-libevent@0x55f43a312170 Sep 21 07:25:32.036561: | free_event_entry: release EVENT_NULL-pe@0x55f43a312130 Sep 21 07:25:32.036563: | add_fd_read_event_handler: new ethX-pe@0x55f43a312130 Sep 21 07:25:32.036564: | libevent_malloc: new ptr-libevent@0x55f43a312170 size 128 Sep 21 07:25:32.036567: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:32.036569: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:32.036571: forgetting secrets Sep 21 07:25:32.036577: | certs and keys unlocked by 'free_preshared_secrets' 
Sep 21 07:25:32.036589: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:32.036602: | saving Modulus Sep 21 07:25:32.036604: | saving PublicExponent Sep 21 07:25:32.036606: | ignoring PrivateExponent Sep 21 07:25:32.036608: | ignoring Prime1 Sep 21 07:25:32.036610: | ignoring Prime2 Sep 21 07:25:32.036612: | ignoring Exponent1 Sep 21 07:25:32.036614: | ignoring Exponent2 Sep 21 07:25:32.036615: | ignoring Coefficient Sep 21 07:25:32.036617: | ignoring CKAIDNSS Sep 21 07:25:32.036625: | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Sep 21 07:25:32.036627: | computed rsa CKAID 8a 82 25 f1 Sep 21 07:25:32.036629: loaded private key for keyid: PKK_RSA:AQO9bJbr3 Sep 21 07:25:32.036633: | certs and keys locked by 'process_secret' Sep 21 07:25:32.036636: | certs and keys unlocked by 'process_secret' Sep 21 07:25:32.036640: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:32.036646: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.036651: | spent 0.279 milliseconds in whack Sep 21 07:25:32.036673: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:32.036680: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:32.036683: | start processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:106) Sep 21 07:25:32.036685: | could_route called for north-east (kind=CK_PERMANENT) Sep 21 07:25:32.036687: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:32.036689: | conn north-east mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.036691: | conn north-east mark 0/00000000, 0/00000000 Sep 21 07:25:32.036694: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Sep 21 07:25:32.036696: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:32.036698: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:32.036700: | conn north-east mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.036701: | conn north-east mark 0/00000000, 0/00000000 Sep 21 07:25:32.036703: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Sep 21 07:25:32.036705: | route_and_eroute with c: north-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 Sep 21 07:25:32.036709: | shunt_eroute() called for connection 'north-east' to 'add' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Sep 21 07:25:32.036713: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Sep 21 07:25:32.036715: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:32.036720: | IPsec Sa SPD priority set to 1042399 Sep 21 07:25:32.036762: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:32.036769: | route_and_eroute: firewall_notified: true Sep 21 07:25:32.036772: | running updown command "ipsec _updown" for verb prepare Sep 21 07:25:32.036775: | command executing prepare-client Sep 21 07:25:32.036819: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:25:32.036829: | popen cmd is 1028 chars long Sep 21 07:25:32.036833: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Sep 21 07:25:32.036837: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_: Sep 21 07:25:32.036840: | cmd( 160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Sep 21 07:25:32.036843: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Sep 21 07:25:32.036846: | cmd( 320):REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north: Sep 21 07:25:32.036850: | cmd( 400):' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_P: Sep 21 07:25:32.036853: | cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:25:32.036856: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Sep 21 07:25:32.036859: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: Sep 21 07:25:32.036862: | cmd( 720):D='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Sep 21 07:25:32.036866: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Sep 21 07:25:32.036869: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Sep 21 07:25:32.036872: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:32.045329: | running updown command "ipsec _updown" for verb route Sep 21 07:25:32.045347: | command executing route-client Sep 21 07:25:32.045378: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0 Sep 21 07:25:32.045381: | popen cmd is 1026 chars long Sep 21 07:25:32.045384: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUT: Sep 21 07:25:32.045387: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: Sep 21 07:25:32.045389: | cmd( 160):='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY: Sep 21 07:25:32.045392: | cmd( 240):_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_RE: Sep 21 07:25:32.045394: | cmd( 320):QID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' : Sep 21 07:25:32.045396: | cmd( 400):PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEE: Sep 21 07:25:32.045404: | cmd( 480):R_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:25:32.045406: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+EN: Sep 21 07:25:32.045409: | cmd( 
640):CRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND=: Sep 21 07:25:32.045411: | cmd( 720):'CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO=': Sep 21 07:25:32.045414: | cmd( 800):0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_C: Sep 21 07:25:32.045416: | cmd( 880):FG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUT: Sep 21 07:25:32.045418: | cmd( 960):ING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:32.058734: | stop processing: connection "north-east" (in whack_route_connection() at rcv_whack.c:116) Sep 21 07:25:32.058750: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:32.058758: | spent 0.473 milliseconds in whack Sep 21 07:25:32.058769: | processing signal PLUTO_SIGCHLD Sep 21 07:25:32.058773: | waitpid returned nothing left to do (all child processes are busy) Sep 21 07:25:32.058776: | spent 0.00413 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:32.058777: | processing signal PLUTO_SIGCHLD Sep 21 07:25:32.058780: | waitpid returned nothing left to do (all child processes are busy) Sep 21 07:25:32.058791: | spent 0.00258 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:32.059401: | processing signal PLUTO_SIGCHLD Sep 21 07:25:32.059412: | waitpid returned pid 10209 (exited with status 0) Sep 21 07:25:32.059415: | reaped addconn helper child (status 0) Sep 21 07:25:32.059419: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:32.059422: | spent 0.0133 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:32.783424: | spent 0.00268 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:32.783450: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:25:32.783542: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:32.783545: | **parse ISAKMP Message: Sep 21 07:25:32.783546: | initiator cookie: Sep 21 07:25:32.783548: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.783549: | responder cookie: Sep 21 07:25:32.783551: | 00 00
00 00 00 00 00 00 Sep 21 07:25:32.783552: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:32.783554: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.783556: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:32.783557: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:32.783559: | Message ID: 0 (0x0) Sep 21 07:25:32.783560: | length: 828 (0x33c) Sep 21 07:25:32.783562: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:25:32.783564: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:25:32.783566: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:25:32.783568: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:32.783570: | ***parse IKEv2 Security Association Payload: Sep 21 07:25:32.783572: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:25:32.783574: | flags: none (0x0) Sep 21 07:25:32.783575: | length: 436 (0x1b4) Sep 21 07:25:32.783577: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:25:32.783578: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:32.783580: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:25:32.783581: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:32.783583: | flags: none (0x0) Sep 21 07:25:32.783584: | length: 264 (0x108) Sep 21 07:25:32.783586: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.783587: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:32.783588: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:32.783591: | ***parse IKEv2 Nonce Payload: Sep 21 07:25:32.783593: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:32.783594: | flags: none (0x0) Sep 21 07:25:32.783596: | length: 36 (0x24) Sep 21 07:25:32.783597: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:32.783599: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:32.783600: | ***parse IKEv2 Notify Payload: 
Sep 21 07:25:32.783602: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:32.783603: | flags: none (0x0) Sep 21 07:25:32.783605: | length: 8 (0x8) Sep 21 07:25:32.783606: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.783608: | SPI size: 0 (0x0) Sep 21 07:25:32.783609: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:32.783611: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:25:32.783612: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:32.783614: | ***parse IKEv2 Notify Payload: Sep 21 07:25:32.783615: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:32.783617: | flags: none (0x0) Sep 21 07:25:32.783618: | length: 28 (0x1c) Sep 21 07:25:32.783619: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.783621: | SPI size: 0 (0x0) Sep 21 07:25:32.783622: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:32.783624: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:32.783625: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:32.783627: | ***parse IKEv2 Notify Payload: Sep 21 07:25:32.783628: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.783629: | flags: none (0x0) Sep 21 07:25:32.783631: | length: 28 (0x1c) Sep 21 07:25:32.783632: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.783634: | SPI size: 0 (0x0) Sep 21 07:25:32.783635: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:32.783637: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:32.783638: | DDOS disabled and no cookie sent, continuing Sep 21 07:25:32.783642: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:32.783645: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:32.783647: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:32.783649: | found policy = 
RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-east) Sep 21 07:25:32.783651: | find_next_host_connection returns empty Sep 21 07:25:32.783653: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:32.783655: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:32.783656: | find_next_host_connection returns empty Sep 21 07:25:32.783659: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:25:32.783661: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:32.783664: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:32.783665: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:32.783667: | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (north-east) Sep 21 07:25:32.783669: | find_next_host_connection returns north-east Sep 21 07:25:32.783670: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:32.783672: | find_next_host_connection returns empty Sep 21 07:25:32.783673: | found connection: north-east with policy RSASIG+IKEV2_ALLOW Sep 21 07:25:32.783687: | creating state object #1 at 0x55f43a316270 Sep 21 07:25:32.783689: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:25:32.783695: | pstats #1 ikev2.ike started Sep 21 07:25:32.783697: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:25:32.783699: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:25:32.783705: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:32.783710: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in 
ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:32.783712: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:32.783715: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:32.783717: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:25:32.783720: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:25:32.783722: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:25:32.783724: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:25:32.783726: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:25:32.783727: | Now let's proceed with state specific processing Sep 21 07:25:32.783729: | calling processor Respond to IKE_SA_INIT Sep 21 07:25:32.783736: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:32.783737: | constructing local IKE proposals for north-east (IKE SA responder matching remote proposals) Sep 21 07:25:32.783744: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:32.783749: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:32.783751: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:32.783754: | ... 
ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:32.783757: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:32.783760: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:32.783762: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:32.783765: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:32.783771: "north-east": constructed local IKE proposals for north-east (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:32.783774: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:25:32.783776: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:32.783777: | local proposal 1 type PRF has 2 transforms Sep 21 07:25:32.783779: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:32.783780: | local 
proposal 1 type DH has 8 transforms Sep 21 07:25:32.783787: | local proposal 1 type ESN has 0 transforms Sep 21 07:25:32.783807: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:32.783809: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:32.783810: | local proposal 2 type PRF has 2 transforms Sep 21 07:25:32.783812: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:32.783813: | local proposal 2 type DH has 8 transforms Sep 21 07:25:32.783815: | local proposal 2 type ESN has 0 transforms Sep 21 07:25:32.783817: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:32.783818: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:32.783820: | local proposal 3 type PRF has 2 transforms Sep 21 07:25:32.783821: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:32.783823: | local proposal 3 type DH has 8 transforms Sep 21 07:25:32.783824: | local proposal 3 type ESN has 0 transforms Sep 21 07:25:32.783826: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:32.783827: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:32.783841: | local proposal 4 type PRF has 2 transforms Sep 21 07:25:32.783843: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:32.783845: | local proposal 4 type DH has 8 transforms Sep 21 07:25:32.783846: | local proposal 4 type ESN has 0 transforms Sep 21 07:25:32.783848: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:32.783850: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.783851: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:32.783853: | length: 100 (0x64) Sep 21 07:25:32.783854: | prop #: 1 (0x1) Sep 21 07:25:32.783856: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:32.783857: | spi size: 0 (0x0) Sep 21 07:25:32.783859: | # transforms: 11 (0xb) Sep 21 07:25:32.783861: | Comparing remote proposal 1 containing 11 transforms 
against local proposal [1..4] of 4 local proposals Sep 21 07:25:32.783863: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783864: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783866: | length: 12 (0xc) Sep 21 07:25:32.783867: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.783869: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.783871: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.783872: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.783874: | length/value: 256 (0x100) Sep 21 07:25:32.783876: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:32.783878: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783880: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783881: | length: 8 (0x8) Sep 21 07:25:32.783883: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.783884: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:32.783886: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:25:32.783888: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:25:32.783890: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:25:32.783892: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:25:32.783893: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783895: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783896: | length: 8 (0x8) Sep 21 07:25:32.783897: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.783899: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:32.783901: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:25:32.783903: | length: 8 (0x8) Sep 21 07:25:32.783906: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783908: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.783910: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:32.783912: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:32.783913: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:32.783915: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:32.783917: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783918: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783920: | length: 8 (0x8) Sep 21 07:25:32.783921: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783922: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:32.783924: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783926: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783927: | length: 8 (0x8) Sep 21 07:25:32.783928: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783930: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:32.783931: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783933: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783934: | length: 8 (0x8) Sep 21 07:25:32.783936: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783937: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:32.783939: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783940: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783941: | length: 8 (0x8) Sep 21 07:25:32.783943: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783944: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:32.783946: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783947: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783949: | length: 8 (0x8) Sep 21 07:25:32.783950: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783952: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:32.783953: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783955: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783956: | length: 8 (0x8) Sep 21 07:25:32.783957: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783959: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:32.783960: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783962: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.783963: | length: 8 (0x8) Sep 21 07:25:32.783965: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.783966: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:32.783968: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:25:32.783971: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:25:32.783973: | remote proposal 1 matches local proposal 1 Sep 21 07:25:32.783974: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.783976: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:32.783977: | length: 100 (0x64) Sep 21 07:25:32.783979: | prop #: 2 (0x2) Sep 21 07:25:32.783980: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:32.783981: | spi size: 0 (0x0) Sep 21 07:25:32.783983: | # transforms: 11 (0xb) Sep 21 07:25:32.783985: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.783986: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.783988: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.783989: | 
length: 12 (0xc) Sep 21 07:25:32.783991: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.783993: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.783995: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.783996: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.783997: | length/value: 128 (0x80) Sep 21 07:25:32.783999: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784001: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784002: | length: 8 (0x8) Sep 21 07:25:32.784004: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784005: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:32.784007: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784008: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784009: | length: 8 (0x8) Sep 21 07:25:32.784011: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784012: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:32.784014: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784015: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784017: | length: 8 (0x8) Sep 21 07:25:32.784018: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784020: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.784021: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784023: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784024: | length: 8 (0x8) Sep 21 07:25:32.784025: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784027: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:32.784028: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784030: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784031: | length: 8 (0x8) Sep 21 07:25:32.784032: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784034: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 
07:25:32.784036: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784037: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784038: | length: 8 (0x8) Sep 21 07:25:32.784040: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784041: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:32.784043: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784044: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784046: | length: 8 (0x8) Sep 21 07:25:32.784047: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784048: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:32.784050: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784051: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784053: | length: 8 (0x8) Sep 21 07:25:32.784054: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784056: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:32.784057: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784059: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784060: | length: 8 (0x8) Sep 21 07:25:32.784061: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784063: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:32.784064: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784066: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.784067: | length: 8 (0x8) Sep 21 07:25:32.784069: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784070: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:32.784072: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:25:32.784074: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:25:32.784075: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.784077: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 
21 07:25:32.784079: | length: 116 (0x74) Sep 21 07:25:32.784080: | prop #: 3 (0x3) Sep 21 07:25:32.784082: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:32.784083: | spi size: 0 (0x0) Sep 21 07:25:32.784085: | # transforms: 13 (0xd) Sep 21 07:25:32.784087: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.784088: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784090: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784091: | length: 12 (0xc) Sep 21 07:25:32.784092: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.784094: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:32.784095: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.784097: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.784098: | length/value: 256 (0x100) Sep 21 07:25:32.784100: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784101: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784103: | length: 8 (0x8) Sep 21 07:25:32.784104: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784106: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:32.784107: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784109: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784110: | length: 8 (0x8) Sep 21 07:25:32.784111: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784113: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:32.784114: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784116: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784117: | length: 8 (0x8) Sep 21 07:25:32.784119: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.784120: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:32.784122: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784123: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784125: | length: 8 (0x8) Sep 21 07:25:32.784126: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.784128: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:32.784129: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784131: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784132: | length: 8 (0x8) Sep 21 07:25:32.784133: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784135: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.784136: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784138: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784139: | length: 8 (0x8) Sep 21 07:25:32.784140: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784142: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:32.784143: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784145: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784146: | length: 8 (0x8) Sep 21 07:25:32.784148: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784149: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:32.784151: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784152: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784154: | length: 8 (0x8) Sep 21 07:25:32.784155: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784156: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:32.784158: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784159: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784161: | length: 8 (0x8) Sep 21 07:25:32.784162: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784164: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:32.784165: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784167: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784169: | length: 8 (0x8) Sep 21 07:25:32.784170: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784172: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:32.784173: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784175: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784176: | length: 8 (0x8) Sep 21 07:25:32.784178: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784179: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:32.784181: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784182: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.784183: | length: 8 (0x8) Sep 21 07:25:32.784185: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784186: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:32.784188: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:32.784190: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:32.784192: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.784193: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:32.784194: | length: 116 (0x74) Sep 21 07:25:32.784196: | prop #: 4 (0x4) Sep 21 07:25:32.784197: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:32.784199: | spi size: 0 (0x0) Sep 21 07:25:32.784200: | # transforms: 13 (0xd) Sep 21 07:25:32.784202: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.784203: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784205: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784206: | length: 12 (0xc) Sep 21 07:25:32.784208: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.784209: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:32.784210: | ******parse IKEv2 Attribute Substructure 
Payload: Sep 21 07:25:32.784212: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.784213: | length/value: 128 (0x80) Sep 21 07:25:32.784215: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784217: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784218: | length: 8 (0x8) Sep 21 07:25:32.784219: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784221: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:32.784222: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784224: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784225: | length: 8 (0x8) Sep 21 07:25:32.784227: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.784228: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:32.784230: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784231: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784232: | length: 8 (0x8) Sep 21 07:25:32.784234: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.784235: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:32.784237: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784238: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784240: | length: 8 (0x8) Sep 21 07:25:32.784241: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.784243: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:32.784244: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784246: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784247: | length: 8 (0x8) Sep 21 07:25:32.784248: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784250: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.784251: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784253: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784254: | length: 8 (0x8) Sep 21 07:25:32.784256: | IKEv2 transform 
type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784258: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:32.784259: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784261: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784262: | length: 8 (0x8) Sep 21 07:25:32.784264: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784265: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:32.784267: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784268: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784269: | length: 8 (0x8) Sep 21 07:25:32.784271: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784272: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:32.784274: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784275: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784277: | length: 8 (0x8) Sep 21 07:25:32.784278: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784280: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:32.784281: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784283: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784284: | length: 8 (0x8) Sep 21 07:25:32.784285: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784287: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:32.784288: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784290: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.784291: | length: 8 (0x8) Sep 21 07:25:32.784293: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.784294: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:32.784296: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.784297: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.784298: | length: 8 (0x8) Sep 21 07:25:32.784300: | IKEv2 transform type: TRANS_TYPE_DH (0x4) 
Sep 21 07:25:32.784301: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:32.784303: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:32.784305: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:32.784308: "north-east" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:25:32.784310: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:25:32.784312: | converting proposal to internal trans attrs Sep 21 07:25:32.784314: | natd_hash: rcookie is zero Sep 21 07:25:32.784320: | natd_hash: hasher=0x55f439dfa7a0(20) Sep 21 07:25:32.784322: | natd_hash: icookie= 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.784323: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:32.784325: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:32.784326: | natd_hash: port= 01 f4 Sep 21 07:25:32.784327: | natd_hash: hash= ea 35 bb 81 ef 53 e2 f6 9f a6 a5 99 62 8f a0 a3 Sep 21 07:25:32.784329: | natd_hash: hash= fe 49 3c 1a Sep 21 07:25:32.784330: | natd_hash: rcookie is zero Sep 21 07:25:32.784334: | natd_hash: hasher=0x55f439dfa7a0(20) Sep 21 
07:25:32.784336: | natd_hash: icookie= 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.784338: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:32.784339: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:32.784340: | natd_hash: port= 01 f4 Sep 21 07:25:32.784342: | natd_hash: hash= 54 03 a0 9a 08 6e 3e c9 31 3d 77 ec ea 62 5e 9c Sep 21 07:25:32.784343: | natd_hash: hash= b3 d7 b3 e9 Sep 21 07:25:32.784345: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:25:32.784346: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:25:32.784347: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:25:32.784349: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:25:32.784353: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:25:32.784355: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f43a314d70 Sep 21 07:25:32.784357: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:32.784359: | libevent_malloc: new ptr-libevent@0x55f43a314db0 size 128 Sep 21 07:25:32.784367: | #1 spent 0.633 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:25:32.784372: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:32.784374: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:32.784376: | suspending state #1 and saving MD Sep 21 07:25:32.784375: | crypto helper 0 resuming Sep 21 07:25:32.784388: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:25:32.784392: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:25:32.784378: | #1 is busy; has a suspended MD Sep 21 07:25:32.784434: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:32.784438: | "north-east" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from 
complete_v2_state_transition:3448 Sep 21 07:25:32.784441: | stop processing: state #1 connection "north-east" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:32.784445: | #1 spent 1 milliseconds in ikev2_process_packet() Sep 21 07:25:32.784448: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:32.784450: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:32.784451: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:32.784454: | spent 1.01 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:32.785488: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001095 seconds Sep 21 07:25:32.785499: | (#1) spent 1.1 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:25:32.785502: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:25:32.785505: | scheduling resume sending helper answer for #1 Sep 21 07:25:32.785508: | libevent_malloc: new ptr-libevent@0x7fbae8006900 size 128 Sep 21 07:25:32.785516: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:32.785524: | processing resume sending helper answer for #1 Sep 21 07:25:32.785533: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:32.785538: | crypto helper 0 replies to request ID 1 Sep 21 07:25:32.785541: | calling continuation function 0x55f439d24630 Sep 21 07:25:32.785544: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:25:32.785605: | **emit ISAKMP Message: Sep 21 07:25:32.785613: | initiator cookie: Sep 21 07:25:32.785616: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.785619: | responder cookie: Sep 21 07:25:32.785622: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.785626: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:32.785630: | ISAKMP version: 
IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.785637: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:32.785641: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:32.785644: | Message ID: 0 (0x0) Sep 21 07:25:32.785648: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:32.785651: | Emitting ikev2_proposal ... Sep 21 07:25:32.785654: | ***emit IKEv2 Security Association Payload: Sep 21 07:25:32.785658: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.785661: | flags: none (0x0) Sep 21 07:25:32.785665: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:32.785668: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785671: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.785674: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:32.785675: | prop #: 1 (0x1) Sep 21 07:25:32.785677: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:32.785678: | spi size: 0 (0x0) Sep 21 07:25:32.785680: | # transforms: 3 (0x3) Sep 21 07:25:32.785684: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:32.785687: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:32.785689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.785692: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.785694: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.785696: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:32.785699: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.785702: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.785703: | length/value: 256 (0x100) Sep 21 
07:25:32.785705: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:32.785707: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:32.785708: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.785711: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:32.785713: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:32.785715: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.785717: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:32.785719: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:32.785720: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:32.785722: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.785723: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:32.785725: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.785727: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.785729: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:32.785730: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:32.785732: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:25:32.785733: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:32.785735: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:25:32.785737: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:32.785739: | ***emit IKEv2 Key 
Exchange Payload: Sep 21 07:25:32.785740: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.785744: | flags: none (0x0) Sep 21 07:25:32.785746: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:32.785748: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:25:32.785750: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785752: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:25:32.785777: | emitting length of IKEv2 Key
Exchange Payload: 264 Sep 21 07:25:32.785778: | ***emit IKEv2 Nonce Payload: Sep 21 07:25:32.785780: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:32.785781: | flags: none (0x0) Sep 21 07:25:32.785788: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:25:32.785794: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:32.785795: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785797: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:32.785799: | IKEv2 nonce 5d 85 dc c8 3b f4 78 69 d4 0c ec 0e 59 45 62 b6 Sep 21 07:25:32.785800: | IKEv2 nonce 80 77 5c b5 9d 74 29 7c b1 44 f7 e6 fb de c0 aa Sep 21 07:25:32.785802: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:32.785805: | Adding a v2N Payload Sep 21 07:25:32.785806: | ***emit IKEv2 Notify Payload: Sep 21 07:25:32.785808: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.785809: | flags: none (0x0) Sep 21 07:25:32.785811: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.785812: | SPI size: 0 (0x0) Sep 21 07:25:32.785814: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:32.785816: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:32.785818: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785819: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:25:32.785821: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:25:32.785829: | natd_hash: hasher=0x55f439dfa7a0(20) Sep 21 07:25:32.785831: | natd_hash: icookie= 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.785833: | natd_hash: rcookie= 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.785834: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:32.785835: | natd_hash: port= 01 f4 Sep 21 07:25:32.785839: | natd_hash: hash= af f1 94 38 88 72 35 7a 91 36 fc 71 f7 c9 3a 05 Sep 21 07:25:32.785840: | natd_hash: hash= 95 62 81 6b Sep 21 07:25:32.785842: | Adding a v2N Payload Sep 21 07:25:32.785843: | ***emit IKEv2 Notify Payload: Sep 21 07:25:32.785845: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.785846: | flags: none (0x0) Sep 21 07:25:32.785848: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.785849: | SPI size: 0 (0x0) Sep 21 07:25:32.785851: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:32.785852: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:32.785854: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785856: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:32.785858: | Notify data af f1 94 38 88 72 35 7a 91 36 fc 71 f7 c9 3a 05 Sep 21 07:25:32.785859: | Notify data 95 62 81 6b Sep 21 07:25:32.785860: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:32.785869: | natd_hash: hasher=0x55f439dfa7a0(20) Sep 21 07:25:32.785875: | natd_hash: icookie= 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.785877: | natd_hash: rcookie= 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.785879: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:32.785882: | natd_hash: port= 01 f4 Sep 21 07:25:32.785897: | natd_hash: hash= 36 a4 cb 75 85 ce ff b7 e4 53 b8 d3 0d b0 6d bf Sep 21 07:25:32.785899: | natd_hash: hash= 27 e6 de 16 Sep 21 07:25:32.785902: | Adding a v2N Payload Sep 21 07:25:32.785904: | ***emit IKEv2 Notify Payload: Sep 21 
07:25:32.785907: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.785909: | flags: none (0x0) Sep 21 07:25:32.785912: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:32.785914: | SPI size: 0 (0x0) Sep 21 07:25:32.785916: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:32.785919: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:32.785922: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.785925: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:32.785927: | Notify data 36 a4 cb 75 85 ce ff b7 e4 53 b8 d3 0d b0 6d bf Sep 21 07:25:32.785929: | Notify data 27 e6 de 16 Sep 21 07:25:32.785931: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:32.785934: | emitting length of ISAKMP Message: 432 Sep 21 07:25:32.785942: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:32.785946: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:25:32.785949: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:25:32.785952: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:25:32.785955: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:25:32.785960: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:25:32.785964: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:25:32.785983: "north-east" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Sep 21 
07:25:32.785987: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:32.785994: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:32.786078: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:32.786097: | libevent_free: release ptr-libevent@0x55f43a314db0 Sep 21 07:25:32.786099: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f43a314d70 Sep 21 07:25:32.786101: | event_schedule: new EVENT_SO_DISCARD-pe@0x55f43a314d70 Sep 21 07:25:32.786103: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:25:32.786105: | libevent_malloc: new ptr-libevent@0x55f43a314b40 size 128 Sep 21 07:25:32.786108: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:32.786112: | #1 spent 0.521 milliseconds in resume sending helper answer Sep 21 07:25:32.786115: | stop processing: state #1 connection "north-east" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:32.786117: | libevent_free: release ptr-libevent@0x7fbae8006900 Sep 21 07:25:32.791749: | spent 0.00212 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:32.791763: | *received 539 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:32.791838: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:32.791840: | **parse ISAKMP Message: Sep 21 07:25:32.791842: 
| initiator cookie: Sep 21 07:25:32.791843: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.791845: | responder cookie: Sep 21 07:25:32.791846: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.791848: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:32.791849: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.791851: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:32.791853: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:32.791854: | Message ID: 1 (0x1) Sep 21 07:25:32.791856: | length: 539 (0x21b) Sep 21 07:25:32.791858: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:32.791860: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:32.791862: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:32.791865: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:32.791867: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:32.791870: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:32.791872: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:32.791874: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:25:32.791876: | unpacking clear payload Sep 21 07:25:32.791877: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:32.791879: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:32.791881: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:25:32.791882: | flags: none (0x0) Sep 21 07:25:32.791884: | length: 511 (0x1ff) Sep 21 07:25:32.791885: | fragment number: 1 (0x1) Sep 21 07:25:32.791887: | total fragments: 2 (0x2) Sep 21 07:25:32.791888: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Sep 21 07:25:32.791891: | Message ID: start-responder #1 
request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:32.791893: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:32.791896: | received IKE encrypted fragment number '1', total number '2', next payload '35' Sep 21 07:25:32.791897: | updated IKE fragment state to respond using fragments without waiting for re-transmits Sep 21 07:25:32.791901: | stop processing: state #1 connection "north-east" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:32.791904: | #1 spent 0.143 milliseconds in ikev2_process_packet() Sep 21 07:25:32.791906: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:32.791908: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:32.791910: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:32.791912: | spent 0.152 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:32.791918: | spent 0.00112 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:32.791924: | *received 102 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:32.791936: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:32.791937: | **parse ISAKMP Message: Sep 21 07:25:32.791939: | initiator cookie: Sep 21 07:25:32.791940: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.791942: | responder cookie: Sep 21 
07:25:32.791943: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.791945: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Sep 21 07:25:32.791946: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.791948: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:32.791949: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:32.791951: | Message ID: 1 (0x1) Sep 21 07:25:32.791952: | length: 102 (0x66) Sep 21 07:25:32.791954: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:32.791955: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:32.791957: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:32.791960: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:32.791963: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2062) Sep 21 07:25:32.791964: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:32.791966: | #1 is idle Sep 21 07:25:32.791967: | #1 idle Sep 21 07:25:32.791970: | Message ID: #1 not a duplicate - responder is accumulating fragments; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1 Sep 21 07:25:32.791971: | unpacking clear payload Sep 21 07:25:32.791973: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Sep 21 07:25:32.791974: | ***parse IKEv2 Encrypted Fragment: Sep 21 07:25:32.791976: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.791977: | flags: none (0x0) Sep 21 07:25:32.791979: | length: 74 (0x4a) Sep 21 07:25:32.791980: | fragment number: 2 (0x2) Sep 21 07:25:32.791982: | total fragments: 2 (0x2) Sep 21 07:25:32.791983: | processing payload: ISAKMP_NEXT_v2SKF (len=66) Sep 21 07:25:32.791985: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:32.791986: | received IKE encrypted fragment number '2', 
total number '2', next payload '0' Sep 21 07:25:32.791988: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:32.791990: | Now let's proceed with state specific processing Sep 21 07:25:32.791991: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:32.791996: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:25:32.792001: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:25:32.792003: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:25:32.792005: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:25:32.792007: | libevent_free: release ptr-libevent@0x55f43a314b40 Sep 21 07:25:32.792009: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55f43a314d70 Sep 21 07:25:32.792011: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55f43a314d70 Sep 21 07:25:32.792013: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:32.792015: | libevent_malloc: new ptr-libevent@0x55f43a314b40 size 128 Sep 21 07:25:32.792022: | #1 spent 0.0247 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:25:32.792025: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:32.792027: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:32.792029: | suspending state #1 and saving MD Sep 21 07:25:32.792030: | #1 is busy; has a suspended MD Sep 21 07:25:32.792030: | crypto helper 3 resuming Sep 21 07:25:32.792041: | crypto helper 3 starting work-order 2 for state #1 Sep 21 07:25:32.792033: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:32.792045: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 
07:25:32.792051: | "north-east" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:32.792058: | stop processing: state #1 connection "north-east" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:32.792061: | #1 spent 0.135 milliseconds in ikev2_process_packet() Sep 21 07:25:32.792063: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:32.792065: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:32.792066: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:32.792069: | spent 0.143 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:32.793008: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:25:32.793418: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001373 seconds Sep 21 07:25:32.793425: | (#1) spent 1.37 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:25:32.793428: | crypto helper 3 sending results from work-order 2 for state #1 to event queue Sep 21 07:25:32.793431: | scheduling resume sending helper answer for #1 Sep 21 07:25:32.793434: | libevent_malloc: new ptr-libevent@0x7fbae0006b90 size 128 Sep 21 07:25:32.793440: | crypto helper 3 waiting (nothing to do) Sep 21 07:25:32.793475: | processing resume sending helper answer for #1 Sep 21 07:25:32.793483: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:32.793487: | crypto helper 3 replies to request ID 2 Sep 21 07:25:32.793488: | calling continuation function 0x55f439d24630 Sep 21 07:25:32.793490: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:25:32.793492: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:32.793494: | already have all fragments, 
skipping fragment collection Sep 21 07:25:32.793495: | already have all fragments, skipping fragment collection Sep 21 07:25:32.793508: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:25:32.793510: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:25:32.793512: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:25:32.793516: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:32.793518: | flags: none (0x0) Sep 21 07:25:32.793520: | length: 13 (0xd) Sep 21 07:25:32.793521: | ID type: ID_FQDN (0x2) Sep 21 07:25:32.793523: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Sep 21 07:25:32.793524: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:25:32.793526: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:25:32.793528: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:25:32.793529: | flags: none (0x0) Sep 21 07:25:32.793530: | length: 12 (0xc) Sep 21 07:25:32.793532: | ID type: ID_FQDN (0x2) Sep 21 07:25:32.793533: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:25:32.793535: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:25:32.793536: | **parse IKEv2 Authentication Payload: Sep 21 07:25:32.793538: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:32.793539: | flags: none (0x0) Sep 21 07:25:32.793541: | length: 282 (0x11a) Sep 21 07:25:32.793542: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:25:32.793544: | processing payload: ISAKMP_NEXT_v2AUTH (len=274) Sep 21 07:25:32.793545: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:32.793547: | **parse IKEv2 Security Association Payload: Sep 21 07:25:32.793548: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:32.793550: | flags: none (0x0) Sep 21 07:25:32.793551: | length: 164 (0xa4) Sep 21 07:25:32.793552: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:25:32.793554: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:32.793556: | **parse IKEv2 Traffic Selector - 
Initiator - Payload: Sep 21 07:25:32.793557: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:32.793559: | flags: none (0x0) Sep 21 07:25:32.793560: | length: 24 (0x18) Sep 21 07:25:32.793562: | number of TS: 1 (0x1) Sep 21 07:25:32.793563: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:32.793564: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:32.793566: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:32.793567: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.793569: | flags: none (0x0) Sep 21 07:25:32.793570: | length: 24 (0x18) Sep 21 07:25:32.793572: | number of TS: 1 (0x1) Sep 21 07:25:32.793573: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:25:32.793575: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:25:32.793576: | Now let's proceed with state specific processing Sep 21 07:25:32.793578: | calling processor Responder: process IKE_AUTH request Sep 21 07:25:32.793581: "north-east" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:25:32.793585: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:32.793587: | received IDr payload - extracting our alleged ID Sep 21 07:25:32.793589: | refine_host_connection for IKEv2: starting with "north-east" Sep 21 07:25:32.793592: | match_id a=@north Sep 21 07:25:32.793594: | b=@north Sep 21 07:25:32.793595: | results matched Sep 21 07:25:32.793598: | refine_host_connection: checking "north-east" against "north-east", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:25:32.793599: | Warning: not switching back to template of current instance Sep 21 07:25:32.793601: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:25:32.793603: | This connection's local id is @east (ID_FQDN) Sep 21 07:25:32.793605: | refine_host_connection: checked north-east against 
north-east, now for see if best Sep 21 07:25:32.793607: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:25:32.793609: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:25:32.793611: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:25:32.793613: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:25:32.793616: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:25:32.793618: | line 1: match=002 Sep 21 07:25:32.793620: | match 002 beats previous best_match 000 match=0x55f43a3071c0 (line=1) Sep 21 07:25:32.793621: | concluding with best_match=002 best=0x55f43a3071c0 (lineno=1) Sep 21 07:25:32.793623: | returning because exact peer id match Sep 21 07:25:32.793624: | offered CA: '%none' Sep 21 07:25:32.793626: "north-east" #1: IKEv2 mode peer ID is ID_FQDN: '@north' Sep 21 07:25:32.793639: | verifying AUTH payload Sep 21 07:25:32.793648: | required RSA CA is '%any' Sep 21 07:25:32.793650: | checking RSA keyid '@east' for match with '@north' Sep 21 07:25:32.793652: | checking RSA keyid '@north' for match with '@north' Sep 21 07:25:32.793654: | RSA key issuer CA is '%any' Sep 21 07:25:32.793697: | an RSA Sig check passed with *AQPl33O2P [preloaded keys] Sep 21 07:25:32.793701: | #1 spent 0.0441 milliseconds in try_all_keys() trying a pubkey Sep 21 07:25:32.793703: "north-east" #1: Authenticated using RSA Sep 21 07:25:32.793706: | #1 spent 0.0631 milliseconds in ikev2_verify_rsa_hash() Sep 21 07:25:32.793708: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:25:32.793711: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:32.793713: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:32.793715: | libevent_free: release ptr-libevent@0x55f43a314b40 Sep 21 07:25:32.793717: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55f43a314d70 Sep 21 07:25:32.793718: | event_schedule: new 
EVENT_SA_REKEY-pe@0x55f43a314d70 Sep 21 07:25:32.793721: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:25:32.793722: | libevent_malloc: new ptr-libevent@0x55f43a314b40 size 128 Sep 21 07:25:32.793880: | pstats #1 ikev2.ike established Sep 21 07:25:32.793892: | **emit ISAKMP Message: Sep 21 07:25:32.793896: | initiator cookie: Sep 21 07:25:32.793899: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:32.793901: | responder cookie: Sep 21 07:25:32.793903: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:32.793906: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:32.793909: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:32.793912: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:32.793915: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:32.793918: | Message ID: 1 (0x1) Sep 21 07:25:32.793922: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:32.793925: | IKEv2 CERT: send a certificate? Sep 21 07:25:32.793927: | IKEv2 CERT: no certificate to send Sep 21 07:25:32.793930: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:32.793933: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.793948: | flags: none (0x0) Sep 21 07:25:32.793952: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:32.793955: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.793958: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:32.793966: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:32.793980: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:25:32.793983: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.793985: | flags: none (0x0) Sep 21 07:25:32.793988: | ID type: ID_FQDN (0x2) Sep 21 07:25:32.793992: | next payload chain: setting 
previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:25:32.793995: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.793999: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:25:32.794001: | my identity 65 61 73 74 Sep 21 07:25:32.794007: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:25:32.794014: | assembled IDr payload Sep 21 07:25:32.794015: | CHILD SA proposals received Sep 21 07:25:32.794017: | going to assemble AUTH payload Sep 21 07:25:32.794018: | ****emit IKEv2 Authentication Payload: Sep 21 07:25:32.794020: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:32.794022: | flags: none (0x0) Sep 21 07:25:32.794023: | auth method: IKEv2_AUTH_RSA (0x1) Sep 21 07:25:32.794025: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:25:32.794027: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:25:32.794028: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.794032: | started looking for secret for @east->@north of kind PKK_RSA Sep 21 07:25:32.794034: | actually looking for secret for @east->@north of kind PKK_RSA Sep 21 07:25:32.794036: | line 1: key type PKK_RSA(@east) to type PKK_RSA Sep 21 07:25:32.794038: | 1: compared key (none) to @east / @north -> 002 Sep 21 07:25:32.794040: | 2: compared key (none) to @east / @north -> 002 Sep 21 07:25:32.794041: | line 1: match=002 Sep 21 07:25:32.794043: | match 002 beats previous best_match 000 match=0x55f43a3071c0 (line=1) Sep 21 07:25:32.794045: | concluding with best_match=002 
best=0x55f43a3071c0 (lineno=1) Sep 21 07:25:32.797082: | #1 spent 3 milliseconds in ikev2_calculate_rsa_hash() calling sign_hash_RSA() Sep 21 07:25:32.797090: | emitting 274 raw bytes of rsa signature into IKEv2 Authentication Payload Sep 21 07:25:32.797119: | #1 spent 3.06 milliseconds in ikev2_calculate_rsa_hash() Sep 21 07:25:32.797121: | emitting length of IKEv2 Authentication Payload: 282 Sep 21 07:25:32.797124: | creating state object #2 at 
0x55f43a31bef0 Sep 21 07:25:32.797126: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:25:32.797129: | pstats #2 ikev2.child started Sep 21 07:25:32.797130: | duplicating state object #1 "north-east" as #2 for IPSEC SA Sep 21 07:25:32.797134: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:25:32.797137: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:32.797142: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:32.797145: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:32.797147: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:25:32.797149: | TSi: parsing 1 traffic selectors Sep 21 07:25:32.797151: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:32.797153: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:32.797154: | IP Protocol ID: 0 (0x0) Sep 21 07:25:32.797156: | length: 16 (0x10) Sep 21 07:25:32.797157: | start port: 0 (0x0) Sep 21 07:25:32.797159: | end port: 65535 (0xffff) Sep 21 07:25:32.797160: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:32.797162: | TS low c0 00 03 fe Sep 21 07:25:32.797163: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:32.797165: | TS high c0 00 03 fe Sep 21 07:25:32.797166: | TSi: parsed 1 traffic selectors Sep 21 07:25:32.797168: | TSr: parsing 1 traffic selectors Sep 21 07:25:32.797169: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:32.797171: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:32.797172: | IP Protocol ID: 0 (0x0) Sep 21 07:25:32.797174: | length: 16 (0x10) Sep 21 07:25:32.797175: | start 
port: 0 (0x0) Sep 21 07:25:32.797176: | end port: 65535 (0xffff) Sep 21 07:25:32.797178: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:32.797179: | TS low c0 00 02 00 Sep 21 07:25:32.797181: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:32.797182: | TS high c0 00 02 ff Sep 21 07:25:32.797184: | TSr: parsed 1 traffic selectors Sep 21 07:25:32.797185: | looking for best SPD in current connection Sep 21 07:25:32.797189: | evaluating our conn="north-east" I=192.0.3.254/32:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:32.797192: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:32.797196: | match address end->client=192.0.3.254/32 == TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Sep 21 07:25:32.797198: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:32.797199: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:32.797201: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:32.797203: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:32.797206: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:32.797209: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:32.797211: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:32.797212: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:32.797214: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:32.797215: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:32.797217: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:32.797218: | found better spd route for TSi[0],TSr[0] Sep 21 07:25:32.797220: | looking for better host pair Sep 21 07:25:32.797223: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:32.797226: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.254/32:0 is found Sep 21 07:25:32.797227: | investigating 
connection "north-east" as a better match Sep 21 07:25:32.797229: | match_id a=@north Sep 21 07:25:32.797231: | b=@north Sep 21 07:25:32.797232: | results matched Sep 21 07:25:32.797235: | evaluating our conn="north-east" I=192.0.3.254/32:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:32.797238: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:32.797242: | match address end->client=192.0.3.254/32 == TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Sep 21 07:25:32.797244: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:32.797245: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:32.797247: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:32.797248: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:32.797251: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:32.797254: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:32.797256: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:32.797257: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:32.797259: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:32.797260: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:32.797262: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:32.797263: | did not find a better connection using host pair Sep 21 07:25:32.797265: | printing contents struct traffic_selector Sep 21 07:25:32.797266: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:32.797268: | ipprotoid: 0 Sep 21 07:25:32.797269: | port range: 0-65535 Sep 21 07:25:32.797271: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:25:32.797273: | printing contents struct traffic_selector Sep 21 07:25:32.797274: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:32.797275: | ipprotoid: 0 Sep 21 07:25:32.797277: | port range: 0-65535 Sep 21 07:25:32.797279: | ip range: 192.0.3.254-192.0.3.254 Sep 21 07:25:32.797281: | 
constructing ESP/AH proposals with all DH removed for north-east (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:25:32.797284: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:32.797287: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:32.797289: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:25:32.797291: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:32.797294: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:32.797296: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:32.797298: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:32.797300: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:32.797305: "north-east": constructed local ESP/AH proposals for north-east (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:32.797307: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:32.797309: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:32.797311: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:32.797312: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:32.797314: | local proposal 1 type DH has 1 transforms Sep 21 07:25:32.797315: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:32.797317: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:32.797318: | local 
proposal 2 type ENCR has 1 transforms Sep 21 07:25:32.797320: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:32.797321: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:32.797323: | local proposal 2 type DH has 1 transforms Sep 21 07:25:32.797324: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:32.797326: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:32.797328: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:32.797330: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:32.797331: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:32.797333: | local proposal 3 type DH has 1 transforms Sep 21 07:25:32.797334: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:32.797336: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:32.797337: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:32.797339: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:32.797340: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:32.797342: | local proposal 4 type DH has 1 transforms Sep 21 07:25:32.797343: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:32.797345: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:32.797347: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.797348: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:32.797350: | length: 32 (0x20) Sep 21 07:25:32.797351: | prop #: 1 (0x1) Sep 21 07:25:32.797353: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:32.797354: | spi size: 4 (0x4) Sep 21 07:25:32.797356: | # transforms: 2 (0x2) Sep 21 07:25:32.797358: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:32.797359: | remote SPI 19 5b ba 99 Sep 21 07:25:32.797361: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:32.797363: | ****parse IKEv2 
Transform Substructure Payload: Sep 21 07:25:32.797364: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797366: | length: 12 (0xc) Sep 21 07:25:32.797367: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.797369: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.797370: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.797372: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.797374: | length/value: 256 (0x100) Sep 21 07:25:32.797376: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:32.797378: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797380: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.797381: | length: 8 (0x8) Sep 21 07:25:32.797382: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:32.797384: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:32.797386: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:32.797388: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:32.797390: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:32.797392: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:32.797394: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:25:32.797396: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:25:32.797398: | remote proposal 1 matches local proposal 1 Sep 21 07:25:32.797399: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.797401: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:32.797402: | length: 32 (0x20) Sep 21 07:25:32.797404: | prop #: 2 (0x2) Sep 21 07:25:32.797405: | proto 
ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:32.797406: | spi size: 4 (0x4) Sep 21 07:25:32.797408: | # transforms: 2 (0x2) Sep 21 07:25:32.797410: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:32.797411: | remote SPI 19 5b ba 99 Sep 21 07:25:32.797413: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.797414: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797417: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797418: | length: 12 (0xc) Sep 21 07:25:32.797420: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.797421: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.797423: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.797424: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.797426: | length/value: 128 (0x80) Sep 21 07:25:32.797427: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797429: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.797430: | length: 8 (0x8) Sep 21 07:25:32.797432: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:32.797433: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:32.797435: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:25:32.797437: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:25:32.797438: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.797440: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:32.797441: | length: 48 (0x30) Sep 21 07:25:32.797442: | prop #: 3 (0x3) Sep 21 07:25:32.797444: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:32.797445: | spi size: 4 (0x4) Sep 21 07:25:32.797447: | # transforms: 4 (0x4) Sep 21 07:25:32.797448: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:32.797450: | remote SPI 19 5b ba 99 Sep 21 07:25:32.797451: | 
Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.797453: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797454: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797456: | length: 12 (0xc) Sep 21 07:25:32.797457: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.797458: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:32.797460: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.797461: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.797463: | length/value: 256 (0x100) Sep 21 07:25:32.797465: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797466: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797467: | length: 8 (0x8) Sep 21 07:25:32.797469: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.797470: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:32.797472: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797473: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797475: | length: 8 (0x8) Sep 21 07:25:32.797476: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.797478: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:32.797479: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797481: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.797482: | length: 8 (0x8) Sep 21 07:25:32.797484: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:32.797485: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:32.797487: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:32.797489: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:32.797490: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.797492: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:32.797493: | length: 48 (0x30) 
Sep 21 07:25:32.797494: | prop #: 4 (0x4) Sep 21 07:25:32.797496: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:32.797497: | spi size: 4 (0x4) Sep 21 07:25:32.797498: | # transforms: 4 (0x4) Sep 21 07:25:32.797500: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:32.797501: | remote SPI 19 5b ba 99 Sep 21 07:25:32.797503: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:32.797505: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797507: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797508: | length: 12 (0xc) Sep 21 07:25:32.797510: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.797511: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:32.797513: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.797514: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.797515: | length/value: 128 (0x80) Sep 21 07:25:32.797517: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797519: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797520: | length: 8 (0x8) Sep 21 07:25:32.797521: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.797523: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:32.797524: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797526: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797527: | length: 8 (0x8) Sep 21 07:25:32.797529: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:32.797530: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:32.797532: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797533: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.797534: | length: 8 (0x8) Sep 21 07:25:32.797536: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:32.797537: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:32.797539: | remote 
proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:32.797541: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:32.797544: "north-east" #1: proposal 1:ESP:SPI=195bba99;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:25:32.797547: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=195bba99;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:25:32.797548: | converting proposal to internal trans attrs Sep 21 07:25:32.797560: | netlink_get_spi: allocated 0xfd641040 for esp.0@192.1.2.23 Sep 21 07:25:32.797562: | Emitting ikev2_proposal ... Sep 21 07:25:32.797564: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:32.797565: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.797567: | flags: none (0x0) Sep 21 07:25:32.797569: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:32.797571: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.797573: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:32.797574: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:32.797575: | prop #: 1 (0x1) Sep 21 07:25:32.797577: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:32.797578: | spi size: 4 (0x4) Sep 21 07:25:32.797580: | # transforms: 2 (0x2) Sep 21 07:25:32.797581: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:32.797583: | emitting 4 raw bytes of our spi into IKEv2 
Proposal Substructure Payload Sep 21 07:25:32.797585: | our spi fd 64 10 40 Sep 21 07:25:32.797586: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797588: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797604: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:32.797606: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:32.797608: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:32.797611: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:32.797612: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:32.797614: | length/value: 256 (0x100) Sep 21 07:25:32.797616: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:32.797617: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:32.797619: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:32.797620: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:32.797622: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:32.797623: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:32.797625: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:32.797627: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:32.797629: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:25:32.797630: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:32.797632: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:25:32.797634: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:32.797635: | ****emit IKEv2 
Traffic Selector - Initiator - Payload: Sep 21 07:25:32.797637: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.797638: | flags: none (0x0) Sep 21 07:25:32.797640: | number of TS: 1 (0x1) Sep 21 07:25:32.797642: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:32.797644: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.797645: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:32.797647: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:32.797648: | IP Protocol ID: 0 (0x0) Sep 21 07:25:32.797650: | start port: 0 (0x0) Sep 21 07:25:32.797651: | end port: 65535 (0xffff) Sep 21 07:25:32.797653: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:32.797655: | IP start c0 00 03 fe Sep 21 07:25:32.797656: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:32.797658: | IP end c0 00 03 fe Sep 21 07:25:32.797659: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:32.797661: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:32.797662: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:32.797664: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:32.797665: | flags: none (0x0) Sep 21 07:25:32.797667: | number of TS: 1 (0x1) Sep 21 07:25:32.797669: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:32.797670: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:32.797672: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:32.797673: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:32.797675: 
| IP Protocol ID: 0 (0x0) Sep 21 07:25:32.797676: | start port: 0 (0x0) Sep 21 07:25:32.797678: | end port: 65535 (0xffff) Sep 21 07:25:32.797679: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:32.797681: | IP start c0 00 02 00 Sep 21 07:25:32.797682: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:32.797684: | IP end c0 00 02 ff Sep 21 07:25:32.797685: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:32.797687: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:32.797689: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:32.797691: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:32.797799: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:25:32.797805: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:25:32.797807: | could_route called for north-east (kind=CK_PERMANENT) Sep 21 07:25:32.797809: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:32.797811: | conn north-east mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.797813: | conn north-east mark 0/00000000, 0/00000000 Sep 21 07:25:32.797815: | route owner of "north-east" prospective erouted: self; eroute owner: self Sep 21 07:25:32.797818: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:32.797820: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:32.797822: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:32.797824: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:32.797826: | setting IPsec SA replay-window to 32 Sep 21 07:25:32.797828: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Sep 21 07:25:32.797830: | netlink: enabling tunnel mode Sep 21 07:25:32.797832: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:32.797834: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:32.797906: | netlink response for Add SA esp.195bba99@192.1.3.33 included non-error error Sep 21 07:25:32.797911: | set up outgoing SA, ref=0/0 Sep 21 07:25:32.797916: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:32.797920: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:32.797923: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:32.797926: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:32.797930: | setting IPsec SA replay-window to 32 Sep 21 07:25:32.797934: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Sep 21 07:25:32.797937: | netlink: enabling tunnel mode Sep 21 07:25:32.797940: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:32.797943: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:32.797993: | netlink response for Add SA esp.fd641040@192.1.2.23 included non-error error Sep 21 
07:25:32.797998: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:32.798007: | add inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:32.798011: | IPsec Sa SPD priority set to 1042399 Sep 21 07:25:32.798062: | raw_eroute result=success Sep 21 07:25:32.798067: | set up incoming SA, ref=0/0 Sep 21 07:25:32.798070: | sr for #2: prospective erouted Sep 21 07:25:32.798073: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:32.798076: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:32.798079: | conn north-east mark 0/00000000, 0/00000000 vs Sep 21 07:25:32.798083: | conn north-east mark 0/00000000, 0/00000000 Sep 21 07:25:32.798087: | route owner of "north-east" prospective erouted: self; eroute owner: self Sep 21 07:25:32.798091: | route_and_eroute with c: north-east (next: none) ero:north-east esr:{(nil)} ro:north-east rosr:{(nil)} and state: #2 Sep 21 07:25:32.798095: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:32.798105: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.254/32:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:25:32.798109: | IPsec Sa SPD priority set to 1042399 Sep 21 07:25:32.798134: | raw_eroute result=success Sep 21 07:25:32.798139: | running updown command "ipsec _updown" for verb up Sep 21 07:25:32.798142: | command executing up-client Sep 21 07:25:32.798181: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' 
PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x195bba Sep 21 07:25:32.798190: | popen cmd is 1036 chars long Sep 21 07:25:32.798193: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_I: Sep 21 07:25:32.798196: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@: Sep 21 07:25:32.798199: | cmd( 160):east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CL: Sep 21 07:25:32.798202: | cmd( 240):IENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID: Sep 21 07:25:32.798204: | cmd( 320):='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUT: Sep 21 07:25:32.798207: | cmd( 400):O_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CL: Sep 21 07:25:32.798209: | cmd( 480):IENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PE: Sep 21 07:25:32.798212: | cmd( 560):ER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYP: Sep 21 07:25:32.798215: | cmd( 640):T+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_: Sep 21 07:25:32.798217: | cmd( 720):PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Sep 21 07:25:32.798220: | cmd( 800):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Sep 21 07:25:32.798223: | cmd( 880):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Sep 21 07:25:32.798225: | cmd( 960):'no' 
VTI_SHARED='no' SPI_IN=0x195bba99 SPI_OUT=0xfd641040 ipsec _updown 2>&1: Sep 21 07:25:32.805468: | route_and_eroute: firewall_notified: true Sep 21 07:25:32.805485: | route_and_eroute: instance "north-east", setting eroute_owner {spd=0x55f43a312b50,sr=0x55f43a312b50} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:25:32.805562: | #1 spent 0.566 milliseconds in install_ipsec_sa() Sep 21 07:25:32.805571: | ISAKMP_v2_IKE_AUTH: instance north-east[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:25:32.805575: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:32.805579: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:32.805583: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:32.805586: | emitting length of IKEv2 Encryption Payload: 407 Sep 21 07:25:32.805590: | emitting length of ISAKMP Message: 435 Sep 21 07:25:32.805612: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:25:32.805619: | #1 spent 4.81 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:25:32.805626: | suspend processing: state #1 connection "north-east" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:32.805630: | start processing: state #2 connection "north-east" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:32.805633: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:25:32.805638: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:25:32.805641: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:25:32.805643: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:25:32.805647: | Message ID: recv #1.#2 request 1; ike: 
initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:32.805650: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:32.805652: | pstats #2 ikev2.child established Sep 21 07:25:32.805657: "north-east" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.254-192.0.3.254:0-65535 0] Sep 21 07:25:32.805660: | NAT-T: encaps is 'auto' Sep 21 07:25:32.805663: "north-east" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x195bba99 <0xfd641040 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:25:32.805667: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:32.805670: | sending 435 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:25:32.805752: | releasing whack for #2 (sock=fd@-1) Sep 21 07:25:32.805758: | releasing whack and unpending for parent #1 Sep 21 07:25:32.805760: | unpending state #1 connection "north-east" Sep 21 07:25:32.805765: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:32.805768: | event_schedule: new EVENT_SA_REKEY-pe@0x55f43a31e0b0 Sep 21 07:25:32.805771: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:25:32.805775: | libevent_malloc: new ptr-libevent@0x55f43a31d470 size 128 Sep 21 07:25:32.805781: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:32.805796: | #1 spent 5.06 milliseconds in resume sending helper answer Sep 21 07:25:32.805803: | stop processing: state #2 connection "north-east" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:32.805807: | libevent_free: release ptr-libevent@0x7fbae0006b90 Sep 21 07:25:32.805818: | processing
signal PLUTO_SIGCHLD Sep 21 07:25:32.805823: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:32.805828: | spent 0.00486 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:37.368894: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:37.369147: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:37.369154: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:37.369225: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:25:37.369230: | FOR_EACH_STATE_... in sort_states Sep 21 07:25:37.369245: | get_sa_info esp.fd641040@192.1.2.23 Sep 21 07:25:37.369264: | get_sa_info esp.195bba99@192.1.3.33 Sep 21 07:25:37.369289: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:37.369298: | spent 0.388 milliseconds in whack Sep 21 07:25:41.585379: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:41.585401: shutting down Sep 21 07:25:41.585410: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:25:41.585414: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:25:41.585420: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:41.585423: forgetting secrets Sep 21 07:25:41.585428: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:41.585432: | unreference key: 0x55f43a2756c0 @east cnt 1-- Sep 21 07:25:41.585436: | unreference key: 0x55f43a26c8f0 @north cnt 2-- Sep 21 07:25:41.585441: | start processing: connection "north-east" (in delete_connection() at connections.c:189) Sep 21 07:25:41.585444: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:41.585447: | pass 0 Sep 21 07:25:41.585449: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:25:41.585452: | state #2 Sep 21 07:25:41.585456: | suspend processing: connection "north-east" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:41.585462: | start processing: state #2 connection "north-east" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:41.585465: | pstats #2 ikev2.child deleted completed Sep 21 07:25:41.585470: | [RE]START processing: state #2 connection "north-east" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:41.585474: "north-east" #2: deleting state (STATE_V2_IPSEC_R) aged 8.788s and sending notification Sep 21 07:25:41.585477: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:41.585482: | get_sa_info esp.195bba99@192.1.3.33 Sep 21 07:25:41.585498: | get_sa_info esp.fd641040@192.1.2.23 Sep 21 07:25:41.585506: "north-east" #2: ESP traffic information: in=336B out=336B Sep 21 07:25:41.585510: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:41.585513: | Opening output PBS informational exchange delete request Sep 21 07:25:41.585516: | **emit ISAKMP Message: Sep 21 07:25:41.585518: | initiator cookie: Sep 21 07:25:41.585521: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:41.585523: | responder cookie: Sep 21 07:25:41.585525: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:41.585528: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:41.585531: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:41.585533: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:41.585536: | flags: none (0x0) Sep 21 07:25:41.585538: | Message ID: 0 (0x0) Sep 21 07:25:41.585541: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:41.585548: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:41.585551: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:41.585554: | flags: none (0x0) Sep 21 07:25:41.585557: | 
next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:41.585559: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:41.585563: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:41.585572: | ****emit IKEv2 Delete Payload: Sep 21 07:25:41.585575: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:41.585578: | flags: none (0x0) Sep 21 07:25:41.585580: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:41.585582: | SPI size: 4 (0x4) Sep 21 07:25:41.585585: | number of SPIs: 1 (0x1) Sep 21 07:25:41.585588: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:41.585591: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:41.585594: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:41.585596: | local spis fd 64 10 40 Sep 21 07:25:41.585599: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:41.585601: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:41.585604: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:41.585607: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:41.585610: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:41.585612: | emitting length of ISAKMP Message: 69 Sep 21 07:25:41.585639: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:25:41.585643: | 03 21 a5 e1 75 03 63 18 86 9b be cc 2d bd 0c ec Sep 21 07:25:41.585645: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Sep 21 07:25:41.585648: | 6a fa 59 89 53 55 ba 21 1a 15 e4 98 1b 05 c9 
b8 Sep 21 07:25:41.585650: | 33 ef 52 56 84 d3 d1 40 70 c4 2f 54 b9 22 58 f2 Sep 21 07:25:41.585652: | de 5c 8e cc 74 Sep 21 07:25:41.585698: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:25:41.585702: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:25:41.585707: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:25:41.585711: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:41.585715: | libevent_free: release ptr-libevent@0x55f43a31d470 Sep 21 07:25:41.585718: | free_event_entry: release EVENT_SA_REKEY-pe@0x55f43a31e0b0 Sep 21 07:25:41.586280: | running updown command "ipsec _updown" for verb down Sep 21 07:25:41.586289: | command executing down-client Sep 21 07:25:41.586316: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050732' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SP Sep 21 07:25:41.586321: | popen cmd is 
1047 chars long Sep 21 07:25:41.586324: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO: Sep 21 07:25:41.586327: | cmd( 80):_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=: Sep 21 07:25:41.586329: | cmd( 160):'@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_: Sep 21 07:25:41.586331: | cmd( 240):CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQ: Sep 21 07:25:41.586334: | cmd( 320):ID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PL: Sep 21 07:25:41.586336: | cmd( 400):UTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_: Sep 21 07:25:41.586338: | cmd( 480):CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: Sep 21 07:25:41.586341: | cmd( 560):PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050732' PLUTO_CONN_POLICY='RS: Sep 21 07:25:41.586343: | cmd( 640):ASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Sep 21 07:25:41.586346: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Sep 21 07:25:41.586348: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Sep 21 07:25:41.586351: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Sep 21 07:25:41.586353: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x195bba99 SPI_OUT=0xfd641040 ipsec _updo: Sep 21 07:25:41.586356: | cmd(1040):wn 2>&1: Sep 21 07:25:41.690911: | shunt_eroute() called for connection 'north-east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Sep 21 07:25:41.690932: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Sep 21 07:25:41.690936: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:41.690940: 
| IPsec Sa SPD priority set to 1042399 Sep 21 07:25:41.690986: | delete esp.195bba99@192.1.3.33 Sep 21 07:25:41.691019: | netlink response for Del SA esp.195bba99@192.1.3.33 included non-error error Sep 21 07:25:41.691023: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:41.691030: | delete inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:41.691072: | raw_eroute result=success Sep 21 07:25:41.691076: | delete esp.fd641040@192.1.2.23 Sep 21 07:25:41.691100: | netlink response for Del SA esp.fd641040@192.1.2.23 included non-error error Sep 21 07:25:41.691107: | stop processing: connection "north-east" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:25:41.691110: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:25:41.691112: | in connection_discard for connection north-east Sep 21 07:25:41.691115: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:25:41.691119: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:41.691125: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:41.691131: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:41.691134: | state #1 Sep 21 07:25:41.691136: | pass 1 Sep 21 07:25:41.691138: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:25:41.691140: | state #1 Sep 21 07:25:41.691145: | start processing: state #1 connection "north-east" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:41.691148: | pstats #1 ikev2.ike deleted completed Sep 21 07:25:41.691154: | #1 spent 9.33 milliseconds in total Sep 21 07:25:41.691158: | [RE]START processing: state #1 connection "north-east" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:41.691166: "north-east" #1: deleting state (STATE_PARENT_R2) aged 8.907s and sending notification Sep 21 07:25:41.691170: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:25:41.691235: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:25:41.691239: | Opening output PBS informational exchange delete request Sep 21 07:25:41.691242: | **emit ISAKMP Message: Sep 21 07:25:41.691245: | initiator cookie: Sep 21 07:25:41.691247: | 03 21 a5 e1 75 03 63 18 Sep 21 07:25:41.691250: | responder cookie: Sep 21 07:25:41.691252: | 86 9b be cc 2d bd 0c ec Sep 21 07:25:41.691255: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:41.691257: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:41.691260: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:41.691263: | flags: none (0x0) Sep 21 07:25:41.691265: | Message ID: 1 (0x1) Sep 21 07:25:41.691268: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:41.691271: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:41.691274: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:41.691276: | flags: none (0x0) Sep 21 07:25:41.691279: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:41.691282: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' 
Sep 21 07:25:41.691286: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:41.691299: | ****emit IKEv2 Delete Payload: Sep 21 07:25:41.691302: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:41.691304: | flags: none (0x0) Sep 21 07:25:41.691307: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:25:41.691309: | SPI size: 0 (0x0) Sep 21 07:25:41.691311: | number of SPIs: 0 (0x0) Sep 21 07:25:41.691314: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:41.691317: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:41.691320: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:25:41.691322: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:41.691325: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:41.691328: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:41.691331: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:25:41.691333: | emitting length of ISAKMP Message: 65 Sep 21 07:25:41.691353: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:41.691356: | 03 21 a5 e1 75 03 63 18 86 9b be cc 2d bd 0c ec Sep 21 07:25:41.691358: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:25:41.691361: | 92 fb 33 6b 9a eb 49 cb 4b d1 e3 0e 89 04 d3 16 Sep 21 07:25:41.691363: | 42 9f 30 83 ec 1c 8b a1 e5 8f f5 ef eb 04 c9 45 Sep 21 07:25:41.691365: | 4b Sep 21 07:25:41.691404: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:25:41.691408: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Sep 21 07:25:41.691413: | Message ID: #1 XXX: expecting 
sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=1 wip.responder=-1 Sep 21 07:25:41.691417: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=0->1 wip.responder=-1 Sep 21 07:25:41.691420: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:41.691425: | libevent_free: release ptr-libevent@0x55f43a314b40 Sep 21 07:25:41.691428: | free_event_entry: release EVENT_SA_REKEY-pe@0x55f43a314d70 Sep 21 07:25:41.691434: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:25:41.691437: | in connection_discard for connection north-east Sep 21 07:25:41.691440: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:25:41.691443: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:25:41.691446: | unreference key: 0x55f43a26c8f0 @north cnt 1-- Sep 21 07:25:41.691461: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:41.691474: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:41.691481: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Sep 21 07:25:41.691486: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Sep 21 07:25:41.691489: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:41.691516: | priority calculation of connection "north-east" is 0xfe7df Sep 21 07:25:41.691525: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:41.691528: | conn north-east mark 0/00000000, 0/00000000 vs Sep 21 07:25:41.691531: | conn north-east mark 0/00000000, 0/00000000 Sep 21 07:25:41.691534: | route owner of "north-east" unrouted: NULL Sep 21 07:25:41.691537: | running updown command "ipsec _updown" for verb unroute Sep 21 07:25:41.691540: | command executing unroute-client Sep 21 07:25:41.691566: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:25:41.691569: | popen cmd is 1028 chars long Sep 21 07:25:41.691572: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Sep 21 07:25:41.691574: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_: Sep 21 07:25:41.691577: | cmd( 160):ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_: Sep 21 07:25:41.691580: | cmd( 240):MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_: Sep 21 07:25:41.691582: | cmd( 320):REQID='16388' 
PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north: Sep 21 07:25:41.691585: | cmd( 400):' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_P: Sep 21 07:25:41.691587: | cmd( 480):EER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:25:41.691590: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+: Sep 21 07:25:41.691592: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIN: Sep 21 07:25:41.691595: | cmd( 720):D='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO: Sep 21 07:25:41.691597: | cmd( 800):='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO: Sep 21 07:25:41.691600: | cmd( 880):_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_RO: Sep 21 07:25:41.691602: | cmd( 960):UTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:41.794948: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.794970: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.794975: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.794986: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.794999: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795048: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795053: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795055: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795057: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795061: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:41.795069: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:41.896294: | free hp@0x55f43a2de5b0 Sep 21 07:25:41.896308: | flush revival: connection 'north-east' wasn't on the list Sep 21 07:25:41.896312: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:25:41.896320: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:25:41.896322: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:25:41.896339: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:25:41.896344: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:25:41.896348: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:41.896352: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:25:41.896356: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:41.896360: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:25:41.896365: | FOR_EACH_STATE_... in delete_states_dead_interfaces Sep 21 07:25:41.896375: | libevent_free: release ptr-libevent@0x55f43a311cc0 Sep 21 07:25:41.896378: | free_event_entry: release EVENT_NULL-pe@0x55f43a311c80 Sep 21 07:25:41.896389: | libevent_free: release ptr-libevent@0x55f43a311db0 Sep 21 07:25:41.896391: | free_event_entry: release EVENT_NULL-pe@0x55f43a311d70 Sep 21 07:25:41.896398: | libevent_free: release ptr-libevent@0x55f43a311ea0 Sep 21 07:25:41.896401: | free_event_entry: release EVENT_NULL-pe@0x55f43a311e60 Sep 21 07:25:41.896407: | libevent_free: release ptr-libevent@0x55f43a311f90 Sep 21 07:25:41.896411: | free_event_entry: release EVENT_NULL-pe@0x55f43a311f50 Sep 21 07:25:41.896418: | libevent_free: release ptr-libevent@0x55f43a312080 Sep 21 07:25:41.896421: | free_event_entry: release EVENT_NULL-pe@0x55f43a312040 Sep 21 07:25:41.896429: | libevent_free: release ptr-libevent@0x55f43a312170 Sep 21 07:25:41.896432: | free_event_entry: release EVENT_NULL-pe@0x55f43a312130 Sep 21 07:25:41.896438: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:25:41.900102: | libevent_free: release ptr-libevent@0x55f43a3115e0 Sep 21 07:25:41.900116: | free_event_entry: release EVENT_NULL-pe@0x55f43a2f53c0 Sep 21 07:25:41.900121: | libevent_free: release ptr-libevent@0x55f43a307070 Sep 21 07:25:41.900124: | free_event_entry: release EVENT_NULL-pe@0x55f43a2fae00 Sep 21 07:25:41.900128: | libevent_free: release ptr-libevent@0x55f43a306fe0 Sep 21 07:25:41.900130: | free_event_entry: release EVENT_NULL-pe@0x55f43a2fae40 Sep 21 07:25:41.900134: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:25:41.900137: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:25:41.900139: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:25:41.900142: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:25:41.900144: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:25:41.900147: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:25:41.900149: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:25:41.900152: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:25:41.900154: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:25:41.900159: | libevent_free: release ptr-libevent@0x55f43a3116b0 Sep 21 07:25:41.900162: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:25:41.900165: | libevent_free: release ptr-libevent@0x55f43a311790 Sep 21 07:25:41.900168: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:25:41.900171: | libevent_free: release ptr-libevent@0x55f43a311850 Sep 21 07:25:41.900173: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:25:41.900177: | libevent_free: release ptr-libevent@0x55f43a306360 Sep 21 07:25:41.900179: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:25:41.900181: | releasing event base Sep 21 07:25:41.900198: | libevent_free: release ptr-libevent@0x55f43a311910 Sep 21 07:25:41.900202: | libevent_free: release ptr-libevent@0x55f43a2e6ef0 Sep 21 07:25:41.900205: | libevent_free: 
release ptr-libevent@0x55f43a2f56d0 Sep 21 07:25:41.900208: | libevent_free: release ptr-libevent@0x55f43a2f57a0 Sep 21 07:25:41.900210: | libevent_free: release ptr-libevent@0x55f43a2f56f0 Sep 21 07:25:41.900213: | libevent_free: release ptr-libevent@0x55f43a311670 Sep 21 07:25:41.900215: | libevent_free: release ptr-libevent@0x55f43a311750 Sep 21 07:25:41.900218: | libevent_free: release ptr-libevent@0x55f43a2f5780 Sep 21 07:25:41.900220: | libevent_free: release ptr-libevent@0x55f43a2fa120 Sep 21 07:25:41.900223: | libevent_free: release ptr-libevent@0x55f43a2fa140 Sep 21 07:25:41.900225: | libevent_free: release ptr-libevent@0x55f43a312200 Sep 21 07:25:41.900228: | libevent_free: release ptr-libevent@0x55f43a312110 Sep 21 07:25:41.900230: | libevent_free: release ptr-libevent@0x55f43a312020 Sep 21 07:25:41.900232: | libevent_free: release ptr-libevent@0x55f43a311f30 Sep 21 07:25:41.900235: | libevent_free: release ptr-libevent@0x55f43a311e40 Sep 21 07:25:41.900237: | libevent_free: release ptr-libevent@0x55f43a311d50 Sep 21 07:25:41.900240: | libevent_free: release ptr-libevent@0x55f43a277370 Sep 21 07:25:41.900242: | libevent_free: release ptr-libevent@0x55f43a311830 Sep 21 07:25:41.900245: | libevent_free: release ptr-libevent@0x55f43a311770 Sep 21 07:25:41.900247: | libevent_free: release ptr-libevent@0x55f43a311690 Sep 21 07:25:41.900249: | libevent_free: release ptr-libevent@0x55f43a3118f0 Sep 21 07:25:41.900252: | libevent_free: release ptr-libevent@0x55f43a2755b0 Sep 21 07:25:41.900254: | libevent_free: release ptr-libevent@0x55f43a2f5710 Sep 21 07:25:41.900257: | libevent_free: release ptr-libevent@0x55f43a2f5740 Sep 21 07:25:41.900259: | libevent_free: release ptr-libevent@0x55f43a2f5430 Sep 21 07:25:41.900262: | releasing global libevent data Sep 21 07:25:41.900265: | libevent_free: release ptr-libevent@0x55f43a2f40e0 Sep 21 07:25:41.900267: | libevent_free: release ptr-libevent@0x55f43a2f4110 Sep 21 07:25:41.900270: | libevent_free: release 
ptr-libevent@0x55f43a2f5400