Sep 21 07:25:43.260327: FIPS Product: YES Sep 21 07:25:43.260368: FIPS Kernel: NO Sep 21 07:25:43.260372: FIPS Mode: NO Sep 21 07:25:43.260375: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:25:43.260552: Initializing NSS Sep 21 07:25:43.260556: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:25:43.309227: NSS initialized Sep 21 07:25:43.309240: NSS crypto library initialized Sep 21 07:25:43.309243: FIPS HMAC integrity support [enabled] Sep 21 07:25:43.309245: FIPS mode disabled for pluto daemon Sep 21 07:25:43.384782: FIPS HMAC integrity verification self-test FAILED Sep 21 07:25:43.384886: libcap-ng support [enabled] Sep 21 07:25:43.384899: Linux audit support [enabled] Sep 21 07:25:43.384923: Linux audit activated Sep 21 07:25:43.384928: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:17682 Sep 21 07:25:43.384931: core dump dir: /tmp Sep 21 07:25:43.384934: secrets file: /etc/ipsec.secrets Sep 21 07:25:43.384935: leak-detective disabled Sep 21 07:25:43.384937: NSS crypto [enabled] Sep 21 07:25:43.384939: XAUTH PAM support [enabled] Sep 21 07:25:43.385003: | libevent is using pluto's memory allocator Sep 21 07:25:43.385008: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:25:43.385018: | libevent_malloc: new ptr-libevent@0x55820104d4a0 size 40 Sep 21 07:25:43.385021: | libevent_malloc: new ptr-libevent@0x55820104d4d0 size 40 Sep 21 07:25:43.385023: | libevent_malloc: new ptr-libevent@0x55820104e7c0 size 40 Sep 21 07:25:43.385024: | creating event base Sep 21 07:25:43.385026: | libevent_malloc: new ptr-libevent@0x55820104e780 size 56 Sep 21 07:25:43.385028: | libevent_malloc: new ptr-libevent@0x55820104e7f0 size 664 Sep 21 07:25:43.385038: | libevent_malloc: new 
ptr-libevent@0x55820104ea90 size 24 Sep 21 07:25:43.385041: | libevent_malloc: new ptr-libevent@0x5582010401f0 size 384 Sep 21 07:25:43.385050: | libevent_malloc: new ptr-libevent@0x55820104eab0 size 16 Sep 21 07:25:43.385053: | libevent_malloc: new ptr-libevent@0x55820104ead0 size 40 Sep 21 07:25:43.385055: | libevent_malloc: new ptr-libevent@0x55820104eb00 size 48 Sep 21 07:25:43.385061: | libevent_realloc: new ptr-libevent@0x558200fd2370 size 256 Sep 21 07:25:43.385064: | libevent_malloc: new ptr-libevent@0x55820104eb40 size 16 Sep 21 07:25:43.385068: | libevent_free: release ptr-libevent@0x55820104e780 Sep 21 07:25:43.385072: | libevent initialized Sep 21 07:25:43.385075: | libevent_realloc: new ptr-libevent@0x55820104eb60 size 64 Sep 21 07:25:43.385078: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:25:43.385097: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:25:43.385100: NAT-Traversal support [enabled] Sep 21 07:25:43.385102: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:25:43.385108: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:25:43.385112: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:25:43.385141: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:25:43.385143: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:25:43.385145: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:25:43.385177: Encryption algorithms: Sep 21 07:25:43.385184: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:25:43.385186: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:25:43.385189: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:25:43.385191: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:25:43.385193: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:25:43.385199: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:25:43.385202: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:25:43.385209: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:25:43.385214: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:25:43.385218: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:25:43.385222: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:25:43.385226: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:25:43.385231: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:25:43.385235: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:25:43.385239: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:25:43.385243: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:25:43.385247: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:25:43.385257: Hash algorithms: Sep 21 07:25:43.385260: MD5 IKEv1: IKE IKEv2: Sep 21 07:25:43.385264: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:25:43.385267: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:25:43.385271: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:25:43.385274: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:25:43.385293: PRF algorithms: Sep 21 07:25:43.385297: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:25:43.385302: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:25:43.385306: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:25:43.385310: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:25:43.385314: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:25:43.385318: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:25:43.385363: Integrity algorithms: Sep 21 07:25:43.385368: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:25:43.385373: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:25:43.385379: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:25:43.385384: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:25:43.385390: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:25:43.385394: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:25:43.385399: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:25:43.385403: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:25:43.385407: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:25:43.385426: DH algorithms: Sep 21 07:25:43.385431: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:25:43.385435: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:25:43.385439: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:25:43.385446: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:25:43.385450: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:25:43.385454: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:25:43.385457: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:25:43.385461: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:25:43.385464: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:25:43.385467: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:25:43.385473: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:25:43.385476: testing CAMELLIA_CBC: Sep 21 07:25:43.385479: Camellia: 16 bytes with 128-bit key Sep 21 07:25:43.385602: Camellia: 16 bytes with 128-bit key Sep 21 07:25:43.385628: Camellia: 16 bytes with 256-bit key Sep 21 07:25:43.385648: Camellia: 
16 bytes with 256-bit key Sep 21 07:25:43.385666: testing AES_GCM_16: Sep 21 07:25:43.385668: empty string Sep 21 07:25:43.385686: one block Sep 21 07:25:43.385701: two blocks Sep 21 07:25:43.385717: two blocks with associated data Sep 21 07:25:43.385732: testing AES_CTR: Sep 21 07:25:43.385734: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:25:43.385750: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:25:43.385766: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:25:43.385788: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:25:43.385811: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:25:43.385829: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:25:43.385846: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:25:43.385862: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:25:43.385878: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:25:43.385894: testing AES_CBC: Sep 21 07:25:43.385896: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:25:43.385912: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:25:43.385930: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:25:43.385947: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:25:43.385967: testing AES_XCBC: Sep 21 07:25:43.385969: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:25:43.386043: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:25:43.386121: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:25:43.386195: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:25:43.386270: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:25:43.386367: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:25:43.386449: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:25:43.386616: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:25:43.386694: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:25:43.386817: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:25:43.386966: testing HMAC_MD5: Sep 21 07:25:43.386969: RFC 2104: MD5_HMAC test 1 Sep 21 07:25:43.387076: RFC 2104: MD5_HMAC test 2 Sep 21 07:25:43.387170: RFC 2104: MD5_HMAC test 3 Sep 21 07:25:43.387281: 8 CPU cores online Sep 21 07:25:43.387284: starting up 7 crypto helpers Sep 21 07:25:43.387323: started thread for crypto helper 0 Sep 21 07:25:43.387328: | starting up helper thread 0 Sep 21 07:25:43.387339: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:25:43.387342: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:43.387347: started thread for crypto helper 1 Sep 21 07:25:43.387353: | starting up helper thread 1 Sep 21 07:25:43.387365: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:25:43.387371: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:43.387366: started thread for crypto helper 2 Sep 21 07:25:43.387396: started thread for crypto helper 3 Sep 21 07:25:43.387412: started thread for crypto helper 4 Sep 21 07:25:43.387415: | starting up helper thread 4 Sep 21 07:25:43.387422: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:25:43.387424: | crypto helper 4 waiting (nothing to do) Sep 21 07:25:43.387425: started thread for crypto helper 5 Sep 21 07:25:43.387430: | starting up helper thread 5 Sep 21 07:25:43.387435: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:25:43.387438: | crypto helper 5 waiting (nothing to do) Sep 21 07:25:43.387443: started thread for crypto helper 6 Sep 21 07:25:43.387446: | checking IKEv1 state table Sep 21 07:25:43.387452: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 
07:25:43.387457: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:25:43.387450: | starting up helper thread 6 Sep 21 07:25:43.387472: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:25:43.387476: | crypto helper 6 waiting (nothing to do) Sep 21 07:25:43.387459: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:43.387462: | starting up helper thread 3 Sep 21 07:25:43.387526: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:25:43.387536: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:25:43.387537: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:25:43.387543: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:25:43.387547: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:43.387550: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:43.387553: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:25:43.387556: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:25:43.387559: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:43.387562: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:25:43.387565: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:25:43.387540: | crypto helper 3 waiting (nothing to do) Sep 21 07:25:43.387569: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:43.387575: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:43.387576: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:43.387578: | MAIN_I3: category: open IKE SA flags: 0: Sep 21 07:25:43.387579: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:43.387581: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:43.387582: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:25:43.387584: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:25:43.387585: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387587: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:25:43.387588: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387590: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:43.387591: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:25:43.387593: | AGGR_I1: category: half-open IKE SA 
flags: 0: Sep 21 07:25:43.387594: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:43.387595: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:25:43.387597: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:25:43.387598: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:43.387600: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:25:43.387601: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:25:43.387603: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387604: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:25:43.387606: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387607: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:25:43.387609: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:25:43.387610: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:25:43.387612: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:25:43.387613: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:25:43.387617: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:25:43.387619: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:25:43.387620: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387622: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:25:43.387623: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387625: | INFO: category: informational flags: 0: Sep 21 07:25:43.387626: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387628: | INFO_PROTECTED: category: informational flags: 0: Sep 21 07:25:43.387629: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387631: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:25:43.387632: | -> XAUTH_R1 EVENT_NULL Sep 21 07:25:43.387633: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:25:43.387635: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:25:43.387636: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:25:43.387638: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:25:43.387640: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:25:43.387641: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:25:43.387643: | MODE_CFG_R2: 
category: established IKE SA flags: 0: Sep 21 07:25:43.387644: | -> UNDEFINED EVENT_NULL Sep 21 07:25:43.387646: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:25:43.387647: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:25:43.387648: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:25:43.387650: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:25:43.387651: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:25:43.387653: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:25:43.387658: | checking IKEv2 state table Sep 21 07:25:43.387662: | PARENT_I0: category: ignore flags: 0: Sep 21 07:25:43.387663: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:25:43.387665: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:25:43.387667: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:25:43.387669: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:25:43.387670: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:25:43.387672: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:25:43.387674: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:25:43.387675: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:25:43.387677: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:25:43.387679: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:25:43.387680: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:25:43.387682: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:25:43.387683: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:25:43.387685: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:25:43.387686: | -> PARENT_I3 EVENT_RETAIN (I3: 
INFORMATIONAL Response) Sep 21 07:25:43.387688: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:25:43.387690: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:25:43.387691: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:25:43.387693: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:25:43.387695: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:25:43.387696: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:25:43.387698: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:25:43.387699: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:25:43.387701: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:25:43.387704: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:25:43.387705: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:25:43.387707: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:25:43.387708: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:25:43.387710: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:25:43.387712: | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: Sep 21 07:25:43.387713: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:43.387715: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:25:43.387717: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:25:43.387718: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:25:43.387720: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:25:43.387722: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:25:43.387723: | V2_CREATE_R: category: 
established IKE SA flags: 0: Sep 21 07:25:43.387725: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:25:43.387727: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:25:43.387728: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:25:43.387730: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:25:43.387732: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:25:43.387733: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:25:43.387735: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:25:43.387736: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:25:43.387738: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:25:43.387806: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:25:43.387874: | Hard-wiring algorithms Sep 21 07:25:43.387878: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:25:43.387881: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:25:43.387884: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:25:43.387886: | adding 3DES_CBC to kernel algorithm db Sep 21 07:25:43.387889: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:25:43.387891: | adding AES_GCM_16 to kernel algorithm db Sep 21 07:25:43.387893: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:25:43.387896: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:25:43.387898: | adding AES_CTR to kernel algorithm db Sep 21 07:25:43.387900: | adding AES_CBC to kernel algorithm db Sep 21 07:25:43.387903: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:25:43.387905: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:25:43.387908: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:25:43.387910: | adding NULL to kernel algorithm db Sep 21 07:25:43.387913: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:25:43.387915: | adding HMAC_MD5_96 to 
kernel algorithm db Sep 21 07:25:43.387917: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:25:43.387918: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:25:43.387920: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:25:43.387922: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:25:43.387923: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:25:43.387925: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:25:43.387927: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:25:43.387929: | adding NONE to kernel algorithm db Sep 21 07:25:43.387947: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:25:43.387951: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:25:43.387952: | setup kernel fd callback Sep 21 07:25:43.387956: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x558201058f10 Sep 21 07:25:43.387959: | libevent_malloc: new ptr-libevent@0x5582010603e0 size 128 Sep 21 07:25:43.387961: | libevent_malloc: new ptr-libevent@0x55820104eca0 size 16 Sep 21 07:25:43.387966: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5582010537b0 Sep 21 07:25:43.387967: | libevent_malloc: new ptr-libevent@0x558201060470 size 128 Sep 21 07:25:43.387969: | libevent_malloc: new ptr-libevent@0x558201053700 size 16 Sep 21 07:25:43.388102: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:25:43.388108: selinux support is enabled. 
Sep 21 07:25:43.388232: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:25:43.388414: | unbound context created - setting debug level to 5 Sep 21 07:25:43.388448: | /etc/hosts lookups activated Sep 21 07:25:43.388464: | /etc/resolv.conf usage activated Sep 21 07:25:43.388497: | outgoing-port-avoid set 0-65535 Sep 21 07:25:43.388513: | outgoing-port-permit set 32768-60999 Sep 21 07:25:43.388515: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:25:43.388518: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:25:43.388520: | Setting up events, loop start Sep 21 07:25:43.388522: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x558201053500 Sep 21 07:25:43.388524: | libevent_malloc: new ptr-libevent@0x55820106a9e0 size 128 Sep 21 07:25:43.388527: | libevent_malloc: new ptr-libevent@0x55820106aa70 size 16 Sep 21 07:25:43.388531: | libevent_realloc: new ptr-libevent@0x558200fd05b0 size 256 Sep 21 07:25:43.388533: | libevent_malloc: new ptr-libevent@0x55820106aa90 size 8 Sep 21 07:25:43.388535: | libevent_realloc: new ptr-libevent@0x55820105f6e0 size 144 Sep 21 07:25:43.388537: | libevent_malloc: new ptr-libevent@0x55820106aab0 size 152 Sep 21 07:25:43.388539: | libevent_malloc: new ptr-libevent@0x55820106ab50 size 16 Sep 21 07:25:43.388542: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:25:43.388544: | libevent_malloc: new ptr-libevent@0x55820106ab70 size 8 Sep 21 07:25:43.388545: | libevent_malloc: new ptr-libevent@0x55820106ab90 size 152 Sep 21 07:25:43.388547: | signal event handler PLUTO_SIGTERM installed Sep 21 07:25:43.388549: | libevent_malloc: new ptr-libevent@0x55820106ac30 size 8 Sep 21 07:25:43.388550: | libevent_malloc: new ptr-libevent@0x55820106ac50 size 152 Sep 21 07:25:43.388552: | signal event handler PLUTO_SIGHUP installed Sep 21 07:25:43.388554: | libevent_malloc: new ptr-libevent@0x55820106acf0 size 8 Sep 21 07:25:43.388555: | libevent_realloc: release 
ptr-libevent@0x55820105f6e0 Sep 21 07:25:43.388557: | libevent_realloc: new ptr-libevent@0x55820106ad10 size 256 Sep 21 07:25:43.388559: | libevent_malloc: new ptr-libevent@0x55820105f6e0 size 152 Sep 21 07:25:43.388561: | signal event handler PLUTO_SIGSYS installed Sep 21 07:25:43.388589: | starting up helper thread 2 Sep 21 07:25:43.388873: | created addconn helper (pid:17801) using fork+execve Sep 21 07:25:43.388889: | forked child 17801 Sep 21 07:25:43.388877: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:25:43.388908: | crypto helper 2 waiting (nothing to do) Sep 21 07:25:43.388933: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.388945: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:43.388950: listening for IKE messages Sep 21 07:25:43.389287: | Inspecting interface lo Sep 21 07:25:43.389293: | found lo with address 127.0.0.1 Sep 21 07:25:43.389294: | Inspecting interface eth0 Sep 21 07:25:43.389297: | found eth0 with address 192.0.2.254 Sep 21 07:25:43.389298: | Inspecting interface eth1 Sep 21 07:25:43.389301: | found eth1 with address 192.1.2.23 Sep 21 07:25:43.389339: Kernel supports NIC esp-hw-offload Sep 21 07:25:43.389347: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:25:43.389386: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:43.389393: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:43.389396: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:43.389416: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:25:43.389432: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:43.389434: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:43.389437: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 
07:25:43.389455: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:25:43.389471: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:25:43.389474: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:25:43.389476: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:25:43.389542: | no interfaces to sort Sep 21 07:25:43.389545: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:25:43.389550: | add_fd_read_event_handler: new ethX-pe@0x558201054280 Sep 21 07:25:43.389553: | libevent_malloc: new ptr-libevent@0x55820106b080 size 128 Sep 21 07:25:43.389555: | libevent_malloc: new ptr-libevent@0x55820106b110 size 16 Sep 21 07:25:43.389561: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:25:43.389563: | add_fd_read_event_handler: new ethX-pe@0x55820106b130 Sep 21 07:25:43.389565: | libevent_malloc: new ptr-libevent@0x55820106b170 size 128 Sep 21 07:25:43.389567: | libevent_malloc: new ptr-libevent@0x55820106b200 size 16 Sep 21 07:25:43.389569: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:25:43.389571: | add_fd_read_event_handler: new ethX-pe@0x55820106b220 Sep 21 07:25:43.389572: | libevent_malloc: new ptr-libevent@0x55820106b260 size 128 Sep 21 07:25:43.389574: | libevent_malloc: new ptr-libevent@0x55820106b2f0 size 16 Sep 21 07:25:43.389577: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:25:43.389579: | add_fd_read_event_handler: new ethX-pe@0x55820106b310 Sep 21 07:25:43.389580: | libevent_malloc: new ptr-libevent@0x55820106b350 size 128 Sep 21 07:25:43.389582: | libevent_malloc: new ptr-libevent@0x55820106b3e0 size 16 Sep 21 07:25:43.389584: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:25:43.389586: | add_fd_read_event_handler: new ethX-pe@0x55820106b400 Sep 21 07:25:43.389588: | libevent_malloc: new ptr-libevent@0x55820106b440 size 128 Sep 21 07:25:43.389589: | libevent_malloc: new 
ptr-libevent@0x55820106b4d0 size 16 Sep 21 07:25:43.389592: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:43.389593: | add_fd_read_event_handler: new ethX-pe@0x55820106b4f0 Sep 21 07:25:43.389595: | libevent_malloc: new ptr-libevent@0x55820106b530 size 128 Sep 21 07:25:43.389597: | libevent_malloc: new ptr-libevent@0x55820106b5c0 size 16 Sep 21 07:25:43.389599: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:43.389603: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:43.389605: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:43.389620: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:43.389630: | id type added to secret(0x5582010605c0) PKK_PSK: @east Sep 21 07:25:43.389632: | id type added to secret(0x5582010605c0) PKK_PSK: @north Sep 21 07:25:43.389635: | Processing PSK at line 1: passed Sep 21 07:25:43.389637: | certs and keys locked by 'process_secret' Sep 21 07:25:43.389638: | certs and keys unlocked by 'process_secret' Sep 21 07:25:43.389642: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:43.389648: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:43.389653: | spent 0.727 milliseconds in whack Sep 21 07:25:43.416427: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.416446: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:25:43.416451: listening for IKE messages Sep 21 07:25:43.427696: | Inspecting interface lo Sep 21 07:25:43.427726: | found lo with address 127.0.0.1 Sep 21 07:25:43.427731: | Inspecting interface eth0 Sep 21 07:25:43.427736: | found eth0 with address 192.0.2.254 Sep 21 07:25:43.427738: | Inspecting interface eth1 Sep 21 07:25:43.427741: | found eth1 with address 192.1.2.23 Sep 21 07:25:43.427819: | no interfaces to sort Sep 21 07:25:43.427831: | libevent_free: release ptr-libevent@0x55820106b080 Sep 21 
07:25:43.427834: | free_event_entry: release EVENT_NULL-pe@0x558201054280 Sep 21 07:25:43.427836: | add_fd_read_event_handler: new ethX-pe@0x558201054280 Sep 21 07:25:43.427838: | libevent_malloc: new ptr-libevent@0x55820106b080 size 128 Sep 21 07:25:43.427845: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:25:43.427847: | libevent_free: release ptr-libevent@0x55820106b170 Sep 21 07:25:43.427849: | free_event_entry: release EVENT_NULL-pe@0x55820106b130 Sep 21 07:25:43.427851: | add_fd_read_event_handler: new ethX-pe@0x55820106b130 Sep 21 07:25:43.427852: | libevent_malloc: new ptr-libevent@0x55820106b170 size 128 Sep 21 07:25:43.427856: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:25:43.427858: | libevent_free: release ptr-libevent@0x55820106b260 Sep 21 07:25:43.427860: | free_event_entry: release EVENT_NULL-pe@0x55820106b220 Sep 21 07:25:43.427861: | add_fd_read_event_handler: new ethX-pe@0x55820106b220 Sep 21 07:25:43.427863: | libevent_malloc: new ptr-libevent@0x55820106b260 size 128 Sep 21 07:25:43.427866: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:25:43.427869: | libevent_free: release ptr-libevent@0x55820106b350 Sep 21 07:25:43.427870: | free_event_entry: release EVENT_NULL-pe@0x55820106b310 Sep 21 07:25:43.427872: | add_fd_read_event_handler: new ethX-pe@0x55820106b310 Sep 21 07:25:43.427873: | libevent_malloc: new ptr-libevent@0x55820106b350 size 128 Sep 21 07:25:43.427876: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:25:43.427879: | libevent_free: release ptr-libevent@0x55820106b440 Sep 21 07:25:43.427880: | free_event_entry: release EVENT_NULL-pe@0x55820106b400 Sep 21 07:25:43.427882: | add_fd_read_event_handler: new ethX-pe@0x55820106b400 Sep 21 07:25:43.427883: | libevent_malloc: new ptr-libevent@0x55820106b440 size 128 Sep 21 07:25:43.427887: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:25:43.427889: | libevent_free: release 
ptr-libevent@0x55820106b530 Sep 21 07:25:43.427890: | free_event_entry: release EVENT_NULL-pe@0x55820106b4f0 Sep 21 07:25:43.427892: | add_fd_read_event_handler: new ethX-pe@0x55820106b4f0 Sep 21 07:25:43.427894: | libevent_malloc: new ptr-libevent@0x55820106b530 size 128 Sep 21 07:25:43.427896: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:25:43.427899: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:43.427900: forgetting secrets Sep 21 07:25:43.427908: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:43.427920: loading secrets from "/etc/ipsec.secrets" Sep 21 07:25:43.427927: | id type added to secret(0x5582010605c0) PKK_PSK: @east Sep 21 07:25:43.427929: | id type added to secret(0x5582010605c0) PKK_PSK: @north Sep 21 07:25:43.427932: | Processing PSK at line 1: passed Sep 21 07:25:43.427933: | certs and keys locked by 'process_secret' Sep 21 07:25:43.427935: | certs and keys unlocked by 'process_secret' Sep 21 07:25:43.427939: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:25:43.427946: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:43.427953: | spent 0.653 milliseconds in whack Sep 21 07:25:43.428400: | processing signal PLUTO_SIGCHLD Sep 21 07:25:43.428408: | waitpid returned pid 17801 (exited with status 0) Sep 21 07:25:43.428411: | reaped addconn helper child (status 0) Sep 21 07:25:43.428414: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:43.428417: | spent 0.0107 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:43.486674: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.486703: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:43.486707: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:43.486709: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:43.486711: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Sep 21 07:25:43.486715: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:43.486723: | Added new connection northnet-eastnet/0x1 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:43.486777: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:25:43.486788: | from whack: got --esp= Sep 21 07:25:43.486827: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:25:43.486832: | counting wild cards for @north is 0 Sep 21 07:25:43.486835: | counting wild cards for @east is 0 Sep 21 07:25:43.486844: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:25:43.486848: | new hp@0x5582010379e0 Sep 21 07:25:43.486852: added connection description "northnet-eastnet/0x1" Sep 21 07:25:43.486860: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:43.486872: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:25:43.486878: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:43.486885: | spent 0.208 milliseconds in whack Sep 21 07:25:43.486933: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.486945: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:25:43.486948: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:43.486951: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:43.486953: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:25:43.486958: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:25:43.486963: | Added new connection northnet-eastnet/0x2 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:43.487004: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:25:43.487007: | from whack: got --esp= Sep 21 07:25:43.487040: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Sep 21 07:25:43.487044: | counting wild cards for @north is 0 Sep 21 07:25:43.487047: | counting wild cards for @east is 0 Sep 21 07:25:43.487053: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:43.487058: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x5582010379e0: northnet-eastnet/0x1 Sep 21 07:25:43.487061: added connection description "northnet-eastnet/0x2" Sep 21 07:25:43.487067: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO Sep 21 07:25:43.487077: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Sep 21 07:25:43.487085: | close_any(fd@16) (in whack_process() at 
rcv_whack.c:700) Sep 21 07:25:43.487089: | spent 0.156 milliseconds in whack Sep 21 07:25:43.555296: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.555502: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:43.555509: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:43.555618: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:25:43.555630: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:43.555638: | spent 0.349 milliseconds in whack Sep 21 07:25:43.633811: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:43.633835: | old debugging base+cpu-usage + none Sep 21 07:25:43.633839: | base debugging = base+cpu-usage Sep 21 07:25:43.633842: | old impairing none + suppress-retransmits Sep 21 07:25:43.633845: | base impairing = suppress-retransmits Sep 21 07:25:43.633853: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:43.633861: | spent 0.0577 milliseconds in whack Sep 21 07:25:44.857615: | spent 0.00261 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:44.857647: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:25:44.857773: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:44.857777: | **parse ISAKMP Message: Sep 21 07:25:44.857779: | initiator cookie: Sep 21 07:25:44.857782: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.857791: | responder cookie: Sep 21 07:25:44.857793: | 00 00 00 00 00 00 00 00 Sep 21 07:25:44.857796: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:44.857799: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.857801: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:44.857804: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:44.857806: | Message ID: 0 (0x0) Sep 21 07:25:44.857809: | length: 828 (0x33c) Sep 21 07:25:44.857812: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21
07:25:44.857820: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:25:44.857823: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:25:44.857826: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:44.857829: | ***parse IKEv2 Security Association Payload: Sep 21 07:25:44.857832: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:25:44.857834: | flags: none (0x0) Sep 21 07:25:44.857836: | length: 436 (0x1b4) Sep 21 07:25:44.857839: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:25:44.857841: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:44.857844: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:25:44.857846: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:44.857849: | flags: none (0x0) Sep 21 07:25:44.857851: | length: 264 (0x108) Sep 21 07:25:44.857853: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.857856: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:44.857858: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:44.857861: | ***parse IKEv2 Nonce Payload: Sep 21 07:25:44.857863: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:44.857865: | flags: none (0x0) Sep 21 07:25:44.857867: | length: 36 (0x24) Sep 21 07:25:44.857870: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:44.857872: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:44.857875: | ***parse IKEv2 Notify Payload: Sep 21 07:25:44.857877: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:44.857880: | flags: none (0x0) Sep 21 07:25:44.857882: | length: 8 (0x8) Sep 21 07:25:44.857884: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.857887: | SPI size: 0 (0x0) Sep 21 07:25:44.857891: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:44.857894: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:25:44.857896: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 
07:25:44.857898: | ***parse IKEv2 Notify Payload: Sep 21 07:25:44.857901: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:44.857903: | flags: none (0x0) Sep 21 07:25:44.857905: | length: 28 (0x1c) Sep 21 07:25:44.857908: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.857910: | SPI size: 0 (0x0) Sep 21 07:25:44.857912: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:44.857915: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:44.857917: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:25:44.857919: | ***parse IKEv2 Notify Payload: Sep 21 07:25:44.857922: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.857924: | flags: none (0x0) Sep 21 07:25:44.857926: | length: 28 (0x1c) Sep 21 07:25:44.857928: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.857931: | SPI size: 0 (0x0) Sep 21 07:25:44.857933: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:44.857936: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:25:44.857938: | DDOS disabled and no cookie sent, continuing Sep 21 07:25:44.857944: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:44.857949: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:44.857952: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:44.857956: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Sep 21 07:25:44.857959: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Sep 21 07:25:44.857961: | find_next_host_connection returns empty Sep 21 07:25:44.857965: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:25:44.857969: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:25:44.857971: | 
find_next_host_connection returns empty Sep 21 07:25:44.857974: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:25:44.857979: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:44.857983: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:44.857986: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:44.857989: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Sep 21 07:25:44.857992: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Sep 21 07:25:44.857995: | find_next_host_connection returns empty Sep 21 07:25:44.857999: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:25:44.858001: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:25:44.858004: | find_next_host_connection returns empty Sep 21 07:25:44.858007: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:25:44.858012: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:25:44.858017: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:44.858019: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:44.858022: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Sep 21 07:25:44.858025: | find_next_host_connection returns northnet-eastnet/0x2 Sep 21 07:25:44.858029: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:44.858032: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 
(northnet-eastnet/0x1) Sep 21 07:25:44.858035: | find_next_host_connection returns northnet-eastnet/0x1 Sep 21 07:25:44.858037: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:25:44.858040: | find_next_host_connection returns empty Sep 21 07:25:44.858042: | found connection: northnet-eastnet/0x2 with policy PSK+IKEV2_ALLOW Sep 21 07:25:44.858068: | creating state object #1 at 0x55820106f7b0 Sep 21 07:25:44.858072: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:25:44.858080: | pstats #1 ikev2.ike started Sep 21 07:25:44.858083: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:25:44.858086: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:25:44.858091: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:44.858099: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:44.858102: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:44.858107: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:44.858110: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:25:44.858114: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:25:44.858119: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:25:44.858121: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:25:44.858125: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:25:44.858127: | Now let's proceed with state specific processing Sep 21 07:25:44.858129: | calling processor Respond 
to IKE_SA_INIT Sep 21 07:25:44.858135: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:44.858138: | constructing local IKE proposals for northnet-eastnet/0x2 (IKE SA responder matching remote proposals) Sep 21 07:25:44.858146: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:44.858153: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:44.858157: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:44.858162: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:44.858166: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:44.858172: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:44.858175: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:25:44.858181: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:44.858191: "northnet-eastnet/0x2": constructed local IKE proposals for northnet-eastnet/0x2 (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:25:44.858197: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:25:44.858200: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:44.858203: | local proposal 1 type PRF has 2 transforms Sep 21 07:25:44.858205: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:44.858207: | local proposal 1 type DH has 8 transforms Sep 21 07:25:44.858210: | local proposal 1 type ESN has 0 transforms Sep 21 07:25:44.858213: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:44.858215: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:44.858218: | local proposal 2 type PRF has 2 transforms Sep 21 07:25:44.858220: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:44.858222: | local proposal 2 type DH has 8 transforms Sep 21 07:25:44.858225: | local proposal 2 type ESN has 0 transforms Sep 21 07:25:44.858228: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:25:44.858230: | local proposal 3 type ENCR has 1 
transforms Sep 21 07:25:44.858232: | local proposal 3 type PRF has 2 transforms Sep 21 07:25:44.858235: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:44.858237: | local proposal 3 type DH has 8 transforms Sep 21 07:25:44.858239: | local proposal 3 type ESN has 0 transforms Sep 21 07:25:44.858242: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:44.858245: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:44.858247: | local proposal 4 type PRF has 2 transforms Sep 21 07:25:44.858249: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:44.858252: | local proposal 4 type DH has 8 transforms Sep 21 07:25:44.858254: | local proposal 4 type ESN has 0 transforms Sep 21 07:25:44.858257: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:25:44.858260: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.858262: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.858265: | length: 100 (0x64) Sep 21 07:25:44.858267: | prop #: 1 (0x1) Sep 21 07:25:44.858269: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:44.858272: | spi size: 0 (0x0) Sep 21 07:25:44.858274: | # transforms: 11 (0xb) Sep 21 07:25:44.858278: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:44.858281: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858283: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858285: | length: 12 (0xc) Sep 21 07:25:44.858288: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.858290: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.858293: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.858295: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.858298: | length/value: 256 (0x100) Sep 21 07:25:44.858302: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:25:44.858304: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858307: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858309: | length: 8 (0x8) Sep 21 07:25:44.858311: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858314: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:44.858317: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:25:44.858322: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:25:44.858325: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:25:44.858328: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:25:44.858330: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858333: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858335: | length: 8 (0x8) Sep 21 07:25:44.858337: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858340: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:44.858342: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858345: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858347: | length: 8 (0x8) Sep 21 07:25:44.858349: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858352: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.858355: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:44.858358: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:44.858361: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:44.858364: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:44.858366: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:25:44.858369: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858371: | length: 8 (0x8) Sep 21 07:25:44.858373: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858376: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:44.858378: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858381: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858383: | length: 8 (0x8) Sep 21 07:25:44.858385: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858387: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:44.858390: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858393: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858395: | length: 8 (0x8) Sep 21 07:25:44.858397: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858399: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:44.858402: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858404: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858407: | length: 8 (0x8) Sep 21 07:25:44.858409: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858411: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:44.858414: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858416: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858418: | length: 8 (0x8) Sep 21 07:25:44.858421: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858423: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:44.858426: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858428: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858430: | length: 8 (0x8) Sep 21 07:25:44.858433: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858435: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:44.858438: | *****parse IKEv2 Transform Substructure 
Payload: Sep 21 07:25:44.858440: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.858442: | length: 8 (0x8) Sep 21 07:25:44.858444: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858447: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:44.858451: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:25:44.858455: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:25:44.858461: | remote proposal 1 matches local proposal 1 Sep 21 07:25:44.858463: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.858466: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.858468: | length: 100 (0x64) Sep 21 07:25:44.858470: | prop #: 2 (0x2) Sep 21 07:25:44.858472: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:44.858475: | spi size: 0 (0x0) Sep 21 07:25:44.858477: | # transforms: 11 (0xb) Sep 21 07:25:44.858480: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.858483: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858485: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858487: | length: 12 (0xc) Sep 21 07:25:44.858490: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.858492: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.858494: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.858497: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.858499: | length/value: 128 (0x80) Sep 21 07:25:44.858502: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858504: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858506: | length: 8 (0x8) Sep 21 07:25:44.858509: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858511: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:44.858514: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858516: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858518: | length: 8 (0x8) Sep 21 07:25:44.858520: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858523: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:44.858525: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858528: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858530: | length: 8 (0x8) Sep 21 07:25:44.858532: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858534: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.858537: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858539: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858541: | length: 8 (0x8) Sep 21 07:25:44.858543: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858546: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:44.858548: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858551: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858553: | length: 8 (0x8) Sep 21 07:25:44.858555: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858557: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:44.858560: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858562: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858565: | length: 8 (0x8) Sep 21 07:25:44.858567: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858569: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:44.858572: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858574: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858577: | length: 8 (0x8) Sep 21 07:25:44.858579: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858581: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:44.858584: | *****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:25:44.858586: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858588: | length: 8 (0x8) Sep 21 07:25:44.858590: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858593: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:44.858595: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858602: | length: 8 (0x8) Sep 21 07:25:44.858604: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858606: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:44.858609: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858611: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.858614: | length: 8 (0x8) Sep 21 07:25:44.858616: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858618: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:44.858622: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:25:44.858625: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:25:44.858627: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.858630: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.858632: | length: 116 (0x74) Sep 21 07:25:44.858634: | prop #: 3 (0x3) Sep 21 07:25:44.858636: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:44.858639: | spi size: 0 (0x0) Sep 21 07:25:44.858641: | # transforms: 13 (0xd) Sep 21 07:25:44.858644: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.858647: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858651: | length: 12 (0xc) Sep 21 07:25:44.858654: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.858656: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 
07:25:44.858658: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.858661: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.858663: | length/value: 256 (0x100) Sep 21 07:25:44.858666: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858668: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858670: | length: 8 (0x8) Sep 21 07:25:44.858673: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858675: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:44.858678: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858680: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858682: | length: 8 (0x8) Sep 21 07:25:44.858684: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858687: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:44.858689: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858692: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858694: | length: 8 (0x8) Sep 21 07:25:44.858696: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.858699: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:44.858702: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858704: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858706: | length: 8 (0x8) Sep 21 07:25:44.858709: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.858711: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.858714: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858716: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858718: | length: 8 (0x8) Sep 21 07:25:44.858720: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858723: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.858726: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858728: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:25:44.858730: | length: 8 (0x8) Sep 21 07:25:44.858732: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858735: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:44.858737: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858742: | length: 8 (0x8) Sep 21 07:25:44.858745: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858748: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:44.858750: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858753: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858755: | length: 8 (0x8) Sep 21 07:25:44.858757: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858760: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:44.858762: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858765: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858767: | length: 8 (0x8) Sep 21 07:25:44.858769: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858772: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:44.858774: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858776: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858779: | length: 8 (0x8) Sep 21 07:25:44.858781: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858787: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:44.858791: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858793: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858796: | length: 8 (0x8) Sep 21 07:25:44.858798: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858801: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:44.858803: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858806: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.858808: | length: 
8 (0x8) Sep 21 07:25:44.858810: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858813: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:44.858816: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:44.858819: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:44.858822: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.858824: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.858826: | length: 116 (0x74) Sep 21 07:25:44.858829: | prop #: 4 (0x4) Sep 21 07:25:44.858831: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:44.858833: | spi size: 0 (0x0) Sep 21 07:25:44.858835: | # transforms: 13 (0xd) Sep 21 07:25:44.858838: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.858841: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858843: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858846: | length: 12 (0xc) Sep 21 07:25:44.858848: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.858850: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:44.858853: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.858855: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.858857: | length/value: 128 (0x80) Sep 21 07:25:44.858860: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858862: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858865: | length: 8 (0x8) Sep 21 07:25:44.858867: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.858869: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:44.858872: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858874: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858877: | length: 8 (0x8) Sep 21 07:25:44.858879: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 
07:25:44.858881: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:25:44.858884: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858886: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858888: | length: 8 (0x8) Sep 21 07:25:44.858891: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.858896: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:44.858899: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858901: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858903: | length: 8 (0x8) Sep 21 07:25:44.858906: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.858908: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.858911: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858913: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858915: | length: 8 (0x8) Sep 21 07:25:44.858918: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858920: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.858923: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858925: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858927: | length: 8 (0x8) Sep 21 07:25:44.858929: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858932: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:25:44.858934: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858939: | length: 8 (0x8) Sep 21 07:25:44.858941: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858944: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:25:44.858946: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858949: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858951: | length: 8 (0x8) Sep 21 07:25:44.858953: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858956: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:25:44.858958: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858961: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858963: | length: 8 (0x8) Sep 21 07:25:44.858965: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858968: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:25:44.858970: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858973: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858975: | length: 8 (0x8) Sep 21 07:25:44.858977: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858980: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:25:44.858982: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858985: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.858987: | length: 8 (0x8) Sep 21 07:25:44.858989: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.858992: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:25:44.858994: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.858997: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.858999: | length: 8 (0x8) Sep 21 07:25:44.859001: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.859004: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:25:44.859007: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:25:44.859010: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:25:44.859015: "northnet-eastnet/0x2" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:25:44.859020: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:25:44.859023: | converting proposal to internal trans attrs Sep 21 07:25:44.859027: | natd_hash: rcookie is zero Sep 21 07:25:44.859053: | natd_hash: hasher=0x5581ff36f7a0(20) Sep 21 07:25:44.859055: | natd_hash: icookie= ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.859058: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:44.859060: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:44.859062: | natd_hash: port= 01 f4 Sep 21 07:25:44.859064: | natd_hash: hash= 13 77 5f ee b4 c4 a6 87 0e 5e 69 d9 d5 bc 45 cc Sep 21 07:25:44.859067: | natd_hash: hash= df 0f 70 1f Sep 21 07:25:44.859069: | natd_hash: rcookie is zero Sep 21 07:25:44.859075: | natd_hash: hasher=0x5581ff36f7a0(20) Sep 21 07:25:44.859077: | natd_hash: icookie= ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.859079: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:25:44.859081: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:44.859083: | natd_hash: port= 01 f4 Sep 21 07:25:44.859085: | natd_hash: hash= bb 86 91 11 a8 34 53 f1 58 bf f6 b8 c4 87 05 61 Sep 21 07:25:44.859087: | natd_hash: hash= b2 b8 b2 3b Sep 21 07:25:44.859090: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:25:44.859092: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:25:44.859094: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:25:44.859097: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Sep 21 07:25:44.859102: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:25:44.859106: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55820106f6e0 Sep 21 07:25:44.859110: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:44.859113: | libevent_malloc: new ptr-libevent@0x558201071920 size 128 Sep 21 07:25:44.859124: | #1 spent 0.988 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:25:44.859146: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.859150: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:44.859150: | crypto helper 0 resuming Sep 21 07:25:44.859152: | suspending state #1 and saving MD Sep 21 07:25:44.859161: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:25:44.859166: | #1 is busy; has a suspended MD Sep 21 07:25:44.859171: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:25:44.859176: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:44.859184: | "northnet-eastnet/0x2" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:44.859189: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:44.859193: | #1 spent 1.55 milliseconds in ikev2_process_packet() Sep 21 07:25:44.859197: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:44.859200: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:44.859203: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:44.859206: | spent 1.56 milliseconds in comm_handle_cb() 
reading and processing packet Sep 21 07:25:44.859772: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.000601 seconds Sep 21 07:25:44.859779: | (#1) spent 0.606 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:25:44.859781: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:25:44.859788: | scheduling resume sending helper answer for #1 Sep 21 07:25:44.859794: | libevent_malloc: new ptr-libevent@0x7ff0f4006900 size 128 Sep 21 07:25:44.859801: | crypto helper 0 waiting (nothing to do) Sep 21 07:25:44.859808: | processing resume sending helper answer for #1 Sep 21 07:25:44.859815: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:44.859819: | crypto helper 0 replies to request ID 1 Sep 21 07:25:44.859834: | calling continuation function 0x5581ff299630 Sep 21 07:25:44.859836: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:25:44.859866: | **emit ISAKMP Message: Sep 21 07:25:44.859869: | initiator cookie: Sep 21 07:25:44.859871: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.859873: | responder cookie: Sep 21 07:25:44.859875: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.859878: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:44.859881: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.859883: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:25:44.859886: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:44.859888: | Message ID: 0 (0x0) Sep 21 07:25:44.859891: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:44.859894: | Emitting ikev2_proposal ... 
Sep 21 07:25:44.859896: | ***emit IKEv2 Security Association Payload: Sep 21 07:25:44.859898: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.859901: | flags: none (0x0) Sep 21 07:25:44.859904: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:44.859907: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.859910: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.859912: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.859914: | prop #: 1 (0x1) Sep 21 07:25:44.859917: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:25:44.859919: | spi size: 0 (0x0) Sep 21 07:25:44.859921: | # transforms: 3 (0x3) Sep 21 07:25:44.859924: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:44.859927: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.859929: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.859931: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.859934: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.859936: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.859939: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.859942: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.859944: | length/value: 256 (0x100) Sep 21 07:25:44.859947: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:44.859949: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.859951: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.859954: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:25:44.859956: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:25:44.859959: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.859962: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.859964: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:44.859967: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.859969: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.859971: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.859974: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.859977: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.859981: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.859984: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:44.859986: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:25:44.859989: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:44.859991: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:25:44.859994: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:44.859997: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:25:44.859999: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.860002: | flags: none (0x0) Sep 21 07:25:44.860004: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.860007: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:25:44.860010: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.860013: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:25:44.860051: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:25:44.860054: | ***emit IKEv2 Nonce Payload: Sep 21 07:25:44.860056: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:25:44.860058: | flags: none (0x0) Sep 21 07:25:44.860061: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:25:44.860064: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:44.860067: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.860069: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:44.860072: | IKEv2 nonce af 62 7c 37 31 7f 97 83 f9 3f b6 b5 15 d1 12 47 Sep 21 07:25:44.860074: | IKEv2 nonce ca 8f 02 cb 41 b8 18 74 ff 67 56 fa 55 ae dc 62 Sep 21 07:25:44.860076: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:44.860079: | Adding a v2N Payload Sep 21 07:25:44.860081: | ***emit IKEv2 Notify Payload: Sep 21 07:25:44.860083: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.860087: | flags: none (0x0) Sep 21 07:25:44.860089: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.860091: | SPI size: 0 (0x0) Sep 21 07:25:44.860094: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:25:44.860097: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:44.860099: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.860102: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:25:44.860105: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:25:44.860113: | natd_hash: hasher=0x5581ff36f7a0(20) Sep 21 07:25:44.860115: | natd_hash: icookie= ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.860117: | natd_hash: rcookie= a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.860120: | natd_hash: ip= c0 01 02 17 Sep 21 07:25:44.860122: | natd_hash: port= 01 f4 Sep 21 07:25:44.860124: | natd_hash: hash= 1b 42 55 c1 aa 67 a2 ed 49 8c c9 88 7a 9e 91 8a Sep 21 07:25:44.860126: | natd_hash: hash= 2f 3c c9 5d Sep 21 07:25:44.860128: | Adding a v2N Payload Sep 21 07:25:44.860131: | ***emit IKEv2 Notify Payload: Sep 21 07:25:44.860133: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.860135: | flags: none (0x0) Sep 21 07:25:44.860137: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.860140: | SPI size: 0 (0x0) Sep 21 07:25:44.860142: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:25:44.860145: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:44.860147: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.860150: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:44.860152: | Notify data 1b 42 55 c1 aa 67 a2 ed 49 8c c9 88 7a 9e 91 8a Sep 21 07:25:44.860155: | Notify data 2f 3c c9 5d Sep 21 07:25:44.860157: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:44.860163: | natd_hash: hasher=0x5581ff36f7a0(20) Sep 21 07:25:44.860165: | natd_hash: icookie= ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.860167: | natd_hash: rcookie= a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.860169: | natd_hash: ip= c0 01 03 21 Sep 21 07:25:44.860172: | natd_hash: port= 01 f4 Sep 21 07:25:44.860174: | natd_hash: hash= 91 b6 e8 61 d9 af bc 72 ef 1e f2 31 33 19 6f a1 Sep 21 07:25:44.860176: | natd_hash: hash= 95 cd 04 b6 Sep 21 07:25:44.860178: | Adding a v2N Payload Sep 21 07:25:44.860180: | ***emit IKEv2 Notify Payload: Sep 21 
07:25:44.860182: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.860185: | flags: none (0x0) Sep 21 07:25:44.860187: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:25:44.860189: | SPI size: 0 (0x0) Sep 21 07:25:44.860192: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:25:44.860194: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:25:44.860197: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.860199: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:25:44.860202: | Notify data 91 b6 e8 61 d9 af bc 72 ef 1e f2 31 33 19 6f a1 Sep 21 07:25:44.860204: | Notify data 95 cd 04 b6 Sep 21 07:25:44.860206: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:25:44.860208: | emitting length of ISAKMP Message: 432 Sep 21 07:25:44.860214: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.860218: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:25:44.860220: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:25:44.860223: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:25:44.860227: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:25:44.860232: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:25:44.860236: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:25:44.860241: "northnet-eastnet/0x2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 
group=MODP2048} Sep 21 07:25:44.860245: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:44.860253: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:44.860359: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:44.860378: | libevent_free: release ptr-libevent@0x558201071920 Sep 21 07:25:44.860381: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55820106f6e0 Sep 21 07:25:44.860384: | event_schedule: new EVENT_SO_DISCARD-pe@0x55820106f6e0 Sep 21 07:25:44.860387: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:25:44.860390: | libevent_malloc: new ptr-libevent@0x558201071920 size 128 Sep 21 07:25:44.860394: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:44.860399: | #1 spent 0.553 milliseconds in resume sending helper answer Sep 21 07:25:44.860404: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:44.860406: | libevent_free: release ptr-libevent@0x7ff0f4006900 Sep 21 07:25:44.862729: | spent 0.00211 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:44.862747: | *received 366 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:25:44.862814: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:44.862818: | **parse ISAKMP Message: Sep 21 07:25:44.862820: | initiator cookie: Sep 21 07:25:44.862822: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.862825: | responder cookie: Sep 21 07:25:44.862827: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.862829: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:25:44.862832: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.862834: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:44.862836: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:44.862839: | Message ID: 1 (0x1) Sep 21 07:25:44.862842: | length: 366 (0x16e) Sep 21 07:25:44.862845: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:25:44.862848: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:25:44.862852: | State DB: found 
IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:25:44.862858: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:44.862861: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:44.862865: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:44.862868: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Sep 21 07:25:44.862872: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:25:44.862874: | unpacking clear payload Sep 21 07:25:44.862877: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:25:44.862880: | ***parse IKEv2 Encryption Payload: Sep 21 07:25:44.862882: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:25:44.862885: | flags: none (0x0) Sep 21 07:25:44.862887: | length: 338 (0x152) Sep 21 07:25:44.862889: | processing payload: ISAKMP_NEXT_v2SK (len=334) Sep 21 07:25:44.862893: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:44.862898: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:44.862901: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:44.862903: | Now let's proceed with state specific processing Sep 21 07:25:44.862905: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:25:44.862908: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:25:44.862911: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:25:44.862914: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:25:44.862916: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:25:44.862919: | libevent_free: 
release ptr-libevent@0x558201071920 Sep 21 07:25:44.862921: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55820106f6e0 Sep 21 07:25:44.862924: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55820106f6e0 Sep 21 07:25:44.862927: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:25:44.862929: | libevent_malloc: new ptr-libevent@0x558201071920 size 128 Sep 21 07:25:44.862938: | #1 spent 0.0288 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:25:44.862943: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.862947: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:25:44.862949: | suspending state #1 and saving MD Sep 21 07:25:44.862951: | #1 is busy; has a suspended MD Sep 21 07:25:44.862955: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:44.862958: | "northnet-eastnet/0x2" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:44.862962: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:25:44.862966: | #1 spent 0.222 milliseconds in ikev2_process_packet() Sep 21 07:25:44.862970: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:44.862973: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:44.862976: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:44.862979: | spent 0.235 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:44.862990: | crypto helper 1 resuming Sep 21 07:25:44.862995: | crypto helper 1 starting work-order 2 for state #1 Sep 21 07:25:44.862999: | crypto 
helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:25:44.863718: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:25:44.864136: | crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001136 seconds Sep 21 07:25:44.864147: | (#1) spent 1.13 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:25:44.864150: | crypto helper 1 sending results from work-order 2 for state #1 to event queue Sep 21 07:25:44.864153: | scheduling resume sending helper answer for #1 Sep 21 07:25:44.864156: | libevent_malloc: new ptr-libevent@0x7ff0ec006b90 size 128 Sep 21 07:25:44.864163: | crypto helper 1 waiting (nothing to do) Sep 21 07:25:44.864173: | processing resume sending helper answer for #1 Sep 21 07:25:44.864179: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:44.864182: | crypto helper 1 replies to request ID 2 Sep 21 07:25:44.864184: | calling continuation function 0x5581ff299630 Sep 21 07:25:44.864187: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:25:44.864190: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:25:44.864203: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:25:44.864209: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:25:44.864213: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:25:44.864216: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Sep 21 07:25:44.864218: | flags: none (0x0) Sep 21 07:25:44.864221: | length: 13 (0xd) Sep 21 07:25:44.864223: | ID type: ID_FQDN (0x2) Sep 21 07:25:44.864226: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Sep 21 07:25:44.864228: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Sep 21 07:25:44.864230: | **parse IKEv2 Identification - Responder - Payload: Sep 21 07:25:44.864232: | next payload type: 
ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:25:44.864234: | flags: none (0x0) Sep 21 07:25:44.864236: | length: 12 (0xc) Sep 21 07:25:44.864238: | ID type: ID_FQDN (0x2) Sep 21 07:25:44.864240: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Sep 21 07:25:44.864242: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:25:44.864245: | **parse IKEv2 Authentication Payload: Sep 21 07:25:44.864247: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:44.864249: | flags: none (0x0) Sep 21 07:25:44.864251: | length: 72 (0x48) Sep 21 07:25:44.864253: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:25:44.864255: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:25:44.864257: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:44.864259: | **parse IKEv2 Security Association Payload: Sep 21 07:25:44.864262: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:44.864264: | flags: none (0x0) Sep 21 07:25:44.864266: | length: 164 (0xa4) Sep 21 07:25:44.864268: | processing payload: ISAKMP_NEXT_v2SA (len=160) Sep 21 07:25:44.864270: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:44.864273: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:44.864275: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:44.864277: | flags: none (0x0) Sep 21 07:25:44.864278: | length: 24 (0x18) Sep 21 07:25:44.864280: | number of TS: 1 (0x1) Sep 21 07:25:44.864282: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:44.864284: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:44.864286: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:44.864288: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.864290: | flags: none (0x0) Sep 21 07:25:44.864292: | length: 24 (0x18) Sep 21 07:25:44.864294: | number of TS: 1 (0x1) Sep 21 07:25:44.864296: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:25:44.864298: | selected state microcode Responder: process IKE_AUTH 
request Sep 21 07:25:44.864300: | Now let's proceed with state specific processing Sep 21 07:25:44.864302: | calling processor Responder: process IKE_AUTH request Sep 21 07:25:44.864306: "northnet-eastnet/0x2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Sep 21 07:25:44.864312: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:44.864315: | received IDr payload - extracting our alleged ID Sep 21 07:25:44.864318: | refine_host_connection for IKEv2: starting with "northnet-eastnet/0x2" Sep 21 07:25:44.864322: | match_id a=@north Sep 21 07:25:44.864324: | b=@north Sep 21 07:25:44.864326: | results matched Sep 21 07:25:44.864329: | refine_host_connection: checking "northnet-eastnet/0x2" against "northnet-eastnet/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:25:44.864331: | Warning: not switching back to template of current instance Sep 21 07:25:44.864334: | Peer expects us to be @east (ID_FQDN) according to its IDr payload Sep 21 07:25:44.864336: | This connection's local id is @east (ID_FQDN) Sep 21 07:25:44.864339: | refine_host_connection: checked northnet-eastnet/0x2 against northnet-eastnet/0x2, now for see if best Sep 21 07:25:44.864342: | started looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864345: | actually looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864350: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:44.864354: | 1: compared key @north to @east / @north -> 004 Sep 21 07:25:44.864357: | 2: compared key @east to @east / @north -> 014 Sep 21 07:25:44.864359: | line 1: match=014 Sep 21 07:25:44.864362: | match 014 beats previous best_match 000 match=0x5582010605c0 (line=1) Sep 21 07:25:44.864365: | concluding with best_match=014 best=0x5582010605c0 (lineno=1) Sep 21 07:25:44.864367: | returning because exact peer id match Sep 21 07:25:44.864369: | offered CA: 
'%none' Sep 21 07:25:44.864373: "northnet-eastnet/0x2" #1: IKEv2 mode peer ID is ID_FQDN: '@north' Sep 21 07:25:44.864392: | verifying AUTH payload Sep 21 07:25:44.864396: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:25:44.864400: | started looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864403: | actually looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864405: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:44.864409: | 1: compared key @north to @east / @north -> 004 Sep 21 07:25:44.864412: | 2: compared key @east to @east / @north -> 014 Sep 21 07:25:44.864414: | line 1: match=014 Sep 21 07:25:44.864417: | match 014 beats previous best_match 000 match=0x5582010605c0 (line=1) Sep 21 07:25:44.864419: | concluding with best_match=014 best=0x5582010605c0 (lineno=1) Sep 21 07:25:44.864479: "northnet-eastnet/0x2" #1: Authenticated using authby=secret Sep 21 07:25:44.864485: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:25:44.864491: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:44.864494: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:44.864497: | libevent_free: release ptr-libevent@0x558201071920 Sep 21 07:25:44.864500: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55820106f6e0 Sep 21 07:25:44.864502: | event_schedule: new EVENT_SA_REKEY-pe@0x55820106f6e0 Sep 21 07:25:44.864506: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:25:44.864509: | libevent_malloc: new ptr-libevent@0x558201071920 size 128 Sep 21 07:25:44.864757: | pstats #1 ikev2.ike established Sep 21 07:25:44.864766: | **emit ISAKMP Message: Sep 21 07:25:44.864769: | initiator cookie: Sep 21 07:25:44.864771: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.864773: | responder cookie: Sep 21 07:25:44.864775: | a8 aa 2f 49 4c d2 7f cc Sep 21 
07:25:44.864777: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:44.864780: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.864782: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:25:44.864795: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:44.864797: | Message ID: 1 (0x1) Sep 21 07:25:44.864799: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:44.864802: | IKEv2 CERT: send a certificate? Sep 21 07:25:44.864805: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:25:44.864807: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:44.864810: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.864812: | flags: none (0x0) Sep 21 07:25:44.864815: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:44.864817: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.864820: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:44.864828: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:44.864841: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:25:44.864844: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.864846: | flags: none (0x0) Sep 21 07:25:44.864848: | ID type: ID_FQDN (0x2) Sep 21 07:25:44.864853: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:25:44.864856: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.864859: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:25:44.864861: | my identity 65 61 73 74 Sep 21 07:25:44.864864: | emitting length of IKEv2 
Identification - Responder - Payload: 12 Sep 21 07:25:44.864872: | assembled IDr payload Sep 21 07:25:44.864875: | CHILD SA proposals received Sep 21 07:25:44.864877: | going to assemble AUTH payload Sep 21 07:25:44.864880: | ****emit IKEv2 Authentication Payload: Sep 21 07:25:44.864883: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:44.864885: | flags: none (0x0) Sep 21 07:25:44.864888: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:25:44.864891: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:25:44.864894: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:25:44.864896: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.864900: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:25:44.864903: | started looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864906: | actually looking for secret for @east->@north of kind PKK_PSK Sep 21 07:25:44.864909: | line 1: key type PKK_PSK(@east) to type PKK_PSK Sep 21 07:25:44.864912: | 1: compared key @north to @east / @north -> 004 Sep 21 07:25:44.864916: | 2: compared key @east to @east / @north -> 014 Sep 21 07:25:44.864918: | line 1: match=014 Sep 21 07:25:44.864920: | match 014 beats previous best_match 000 match=0x5582010605c0 (line=1) Sep 21 07:25:44.864923: | concluding with best_match=014 best=0x5582010605c0 (lineno=1) Sep 21 07:25:44.864983: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:25:44.864988: | PSK auth 36 0e c6 76 e2 9f ee f0 fb 03 39 7d 80 f3 63 f5 Sep 21 07:25:44.864990: | PSK auth 30 cc 08 ec 5c 5a 8e 77 b5 27 f4 38 1f 31 ff 71 Sep 21 07:25:44.864992: | PSK auth 94 ea 5c 60 c6 db 9a 91 3a 59 d8 c1 d4 3a d4 ca Sep 21 
07:25:44.864994: | PSK auth dd ad ec b5 e0 95 e9 c7 9b b4 87 22 ff 41 c2 46 Sep 21 07:25:44.864997: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:25:44.865004: | creating state object #2 at 0x558201072d80 Sep 21 07:25:44.865007: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:25:44.865010: | pstats #2 ikev2.child started Sep 21 07:25:44.865013: | duplicating state object #1 "northnet-eastnet/0x2" as #2 for IPSEC SA Sep 21 07:25:44.865017: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:25:44.865023: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:44.865028: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:44.865033: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:25:44.865036: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:25:44.865039: | TSi: parsing 1 traffic selectors Sep 21 07:25:44.865041: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:44.865044: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.865047: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.865049: | length: 16 (0x10) Sep 21 07:25:44.865054: | start port: 0 (0x0) Sep 21 07:25:44.865056: | end port: 65535 (0xffff) Sep 21 07:25:44.865059: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:44.865061: | TS low c0 00 03 00 Sep 21 07:25:44.865063: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:44.865065: | TS high c0 00 03 ff Sep 21 07:25:44.865067: | TSi: parsed 1 traffic selectors Sep 21 07:25:44.865069: | TSr: parsing 1 traffic selectors Sep 21 07:25:44.865071: | ***parse 
IKEv2 Traffic Selector: Sep 21 07:25:44.865073: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.865075: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.865077: | length: 16 (0x10) Sep 21 07:25:44.865079: | start port: 0 (0x0) Sep 21 07:25:44.865081: | end port: 65535 (0xffff) Sep 21 07:25:44.865083: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:44.865085: | TS low c0 00 02 00 Sep 21 07:25:44.865087: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:44.865089: | TS high c0 00 02 ff Sep 21 07:25:44.865091: | TSr: parsed 1 traffic selectors Sep 21 07:25:44.865093: | looking for best SPD in current connection Sep 21 07:25:44.865099: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.865103: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.865109: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.865111: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.865114: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:44.865116: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.865118: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865122: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.865126: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.865129: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.865131: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.865133: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.865135: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865137: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.865139: | found better spd route for TSi[0],TSr[0] Sep 21 07:25:44.865141: | looking for better host pair Sep 21 
07:25:44.865146: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:44.865150: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:25:44.865152: | investigating connection "northnet-eastnet/0x2" as a better match Sep 21 07:25:44.865155: | match_id a=@north Sep 21 07:25:44.865157: | b=@north Sep 21 07:25:44.865159: | results matched Sep 21 07:25:44.865169: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.865173: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.865179: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.865182: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.865184: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:44.865187: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.865190: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865193: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.865199: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.865202: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.865205: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.865207: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.865212: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865214: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.865216: | investigating connection "northnet-eastnet/0x1" as a better match Sep 21 07:25:44.865219: | match_id a=@north Sep 21 07:25:44.865221: | b=@north Sep 21 07:25:44.865223: | results matched Sep 21 07:25:44.865228: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.865232: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 
.{start,end}port=0..65535 Sep 21 07:25:44.865237: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.865239: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.865241: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:44.865243: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.865246: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865249: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.865254: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.865257: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.865259: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.865261: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.865263: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.865265: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.865267: | did not find a better connection using host pair Sep 21 07:25:44.865270: | printing contents struct traffic_selector Sep 21 07:25:44.865272: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:44.865274: | ipprotoid: 0 Sep 21 07:25:44.865276: | port range: 0-65535 Sep 21 07:25:44.865280: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:25:44.865282: | printing contents struct traffic_selector Sep 21 07:25:44.865285: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:44.865287: | ipprotoid: 0 Sep 21 07:25:44.865290: | port range: 0-65535 Sep 21 07:25:44.865294: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:25:44.865298: | constructing ESP/AH proposals with all DH removed for northnet-eastnet/0x2 (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:25:44.865305: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:44.865312: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:44.865315: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:25:44.865320: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:25:44.865324: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:44.865328: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:44.865331: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:44.865335: | ... ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:44.865341: "northnet-eastnet/0x2": constructed local ESP/AH proposals for northnet-eastnet/0x2 (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:25:44.865345: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:44.865348: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:44.865350: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:44.865352: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:44.865356: | local proposal 1 type DH has 1 transforms Sep 21 07:25:44.865359: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:44.865362: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:44.865364: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:44.865366: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:44.865368: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:44.865371: | local 
proposal 2 type DH has 1 transforms Sep 21 07:25:44.865373: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:44.865376: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:25:44.865378: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:44.865381: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:44.865383: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:44.865385: | local proposal 3 type DH has 1 transforms Sep 21 07:25:44.865388: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:44.865390: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:44.865393: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:44.865395: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:44.865397: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:44.865399: | local proposal 4 type DH has 1 transforms Sep 21 07:25:44.865401: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:44.865404: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:25:44.865406: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.865409: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.865411: | length: 32 (0x20) Sep 21 07:25:44.865414: | prop #: 1 (0x1) Sep 21 07:25:44.865416: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.865418: | spi size: 4 (0x4) Sep 21 07:25:44.865421: | # transforms: 2 (0x2) Sep 21 07:25:44.865424: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.865426: | remote SPI 7e 4f 04 b5 Sep 21 07:25:44.865429: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:44.865431: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865435: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865437: | length: 12 (0xc) Sep 21 07:25:44.865439: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) 
Sep 21 07:25:44.865442: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.865445: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.865447: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.865449: | length/value: 256 (0x100) Sep 21 07:25:44.865454: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:44.865457: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865459: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.865461: | length: 8 (0x8) Sep 21 07:25:44.865463: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.865465: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.865469: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:44.865472: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:44.865475: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:44.865477: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:44.865480: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:25:44.865484: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:25:44.865486: | remote proposal 1 matches local proposal 1 Sep 21 07:25:44.865490: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.865493: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.865495: | length: 32 (0x20) Sep 21 07:25:44.865496: | prop #: 2 (0x2) Sep 21 07:25:44.865498: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.865500: | spi size: 4 (0x4) Sep 21 07:25:44.865502: | # transforms: 2 (0x2) Sep 21 07:25:44.865505: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into 
remote SPI Sep 21 07:25:44.865506: | remote SPI 7e 4f 04 b5 Sep 21 07:25:44.865509: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.865511: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865513: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865515: | length: 12 (0xc) Sep 21 07:25:44.865518: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.865519: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.865522: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.865524: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.865526: | length/value: 128 (0x80) Sep 21 07:25:44.865528: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865531: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.865533: | length: 8 (0x8) Sep 21 07:25:44.865535: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.865537: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.865540: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Sep 21 07:25:44.865542: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Sep 21 07:25:44.865545: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.865548: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.865550: | length: 48 (0x30) Sep 21 07:25:44.865552: | prop #: 3 (0x3) Sep 21 07:25:44.865554: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.865557: | spi size: 4 (0x4) Sep 21 07:25:44.865559: | # transforms: 4 (0x4) Sep 21 07:25:44.865561: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.865563: | remote SPI 7e 4f 04 b5 Sep 21 07:25:44.865566: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.865568: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865571: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865573: | length: 12 (0xc) Sep 21 07:25:44.865575: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.865577: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:44.865579: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.865581: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.865583: | length/value: 256 (0x100) Sep 21 07:25:44.865586: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865588: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865590: | length: 8 (0x8) Sep 21 07:25:44.865592: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.865594: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:44.865596: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865598: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865600: | length: 8 (0x8) Sep 21 07:25:44.865602: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.865604: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.865606: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865609: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.865611: | length: 8 (0x8) Sep 21 07:25:44.865613: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.865615: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.865619: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:44.865623: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:44.865626: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.865628: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.865630: | length: 48 (0x30) Sep 21 07:25:44.865632: | prop #: 4 (0x4) Sep 21 07:25:44.865634: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.865636: | spi size: 4 (0x4) Sep 21 07:25:44.865637: | # transforms: 4 (0x4) Sep 21 07:25:44.865640: | 
parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.865642: | remote SPI 7e 4f 04 b5 Sep 21 07:25:44.865644: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.865646: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865649: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865650: | length: 12 (0xc) Sep 21 07:25:44.865652: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.865654: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:44.865656: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.865659: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.865661: | length/value: 128 (0x80) Sep 21 07:25:44.865664: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865666: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865667: | length: 8 (0x8) Sep 21 07:25:44.865669: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.865671: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:44.865674: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865675: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865677: | length: 8 (0x8) Sep 21 07:25:44.865679: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.865681: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.865683: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865685: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.865687: | length: 8 (0x8) Sep 21 07:25:44.865689: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.865691: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.865693: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Sep 21 07:25:44.865696: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Sep 21 07:25:44.865700: 
"northnet-eastnet/0x2" #1: proposal 1:ESP:SPI=7e4f04b5;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:25:44.865704: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=7e4f04b5;ENCR=AES_GCM_C_256;ESN=DISABLED Sep 21 07:25:44.865706: | converting proposal to internal trans attrs Sep 21 07:25:44.865724: | netlink_get_spi: allocated 0x87712436 for esp.0@192.1.2.23 Sep 21 07:25:44.865727: | Emitting ikev2_proposal ... Sep 21 07:25:44.865729: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:44.865731: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.865733: | flags: none (0x0) Sep 21 07:25:44.865736: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:44.865739: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.865741: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.865743: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.865745: | prop #: 1 (0x1) Sep 21 07:25:44.865747: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.865749: | spi size: 4 (0x4) Sep 21 07:25:44.865753: | # transforms: 2 (0x2) Sep 21 07:25:44.865756: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:44.865759: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:25:44.865761: | our spi 87 71 24 36 Sep 21 07:25:44.865764: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865766: | last transform: v2_TRANSFORM_NON_LAST 
(0x3) Sep 21 07:25:44.865768: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.865771: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.865774: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.865777: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.865779: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.865781: | length/value: 256 (0x100) Sep 21 07:25:44.865791: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:44.865794: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.865796: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.865799: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.865801: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.865803: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.865806: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.865809: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:44.865812: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:25:44.865815: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:44.865817: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:25:44.865823: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:44.865827: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:44.865831: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.865834: | flags: none (0x0) Sep 21 07:25:44.865837: | number of TS: 1 (0x1) Sep 21 
07:25:44.865842: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:44.865846: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.865849: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:44.865852: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.865854: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.865857: | start port: 0 (0x0) Sep 21 07:25:44.865860: | end port: 65535 (0xffff) Sep 21 07:25:44.865864: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:44.865866: | IP start c0 00 03 00 Sep 21 07:25:44.865870: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:44.865872: | IP end c0 00 03 ff Sep 21 07:25:44.865875: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:44.865879: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:44.865882: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:44.865885: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.865888: | flags: none (0x0) Sep 21 07:25:44.865891: | number of TS: 1 (0x1) Sep 21 07:25:44.865895: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:44.865899: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.865906: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:44.865910: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.865913: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.865915: | start port: 0 (0x0) Sep 21 07:25:44.865918: | end port: 65535 (0xffff) Sep 21 07:25:44.865922: | emitting 4 raw bytes of IP start into IKEv2 Traffic 
Selector Sep 21 07:25:44.865924: | IP start c0 00 02 00 Sep 21 07:25:44.865928: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:44.865930: | IP end c0 00 02 ff Sep 21 07:25:44.865933: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:44.865937: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:44.865940: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:44.865944: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:44.866110: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:25:44.866119: | #1 spent 1.66 milliseconds Sep 21 07:25:44.866123: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:25:44.866126: | could_route called for northnet-eastnet/0x2 (kind=CK_PERMANENT) Sep 21 07:25:44.866133: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:44.866137: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.866139: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:44.866142: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.866145: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:44.866151: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Sep 21 07:25:44.866155: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:44.866158: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:44.866161: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:44.866163: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:44.866167: | setting IPsec SA replay-window to 32 Sep 21 07:25:44.866170: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Sep 21 07:25:44.866173: | netlink: enabling tunnel mode Sep 21 07:25:44.866176: | netlink: setting IPsec SA replay-window to 32 
using old-style req Sep 21 07:25:44.866179: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:44.866269: | netlink response for Add SA esp.7e4f04b5@192.1.3.33 included non-error error Sep 21 07:25:44.866274: | set up outgoing SA, ref=0/0 Sep 21 07:25:44.866278: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:44.866281: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:44.866284: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:44.866286: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:44.866290: | setting IPsec SA replay-window to 32 Sep 21 07:25:44.866293: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Sep 21 07:25:44.866295: | netlink: enabling tunnel mode Sep 21 07:25:44.866298: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:44.866367: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:44.866426: | netlink response for Add SA esp.87712436@192.1.2.23 included non-error error Sep 21 07:25:44.866432: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:44.866441: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:44.866444: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:44.866510: | raw_eroute result=success Sep 21 07:25:44.866515: | set up incoming SA, ref=0/0 Sep 21 07:25:44.866518: | sr for #2: unrouted Sep 21 07:25:44.866521: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:44.866524: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:44.866530: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.866533: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:44.866536: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.866538: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:44.866541: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Sep 21 07:25:44.866544: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:25:44.866548: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:44.866555: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:25:44.866558: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:44.866595: | raw_eroute result=success Sep 21 07:25:44.866600: | running updown command "ipsec _updown" for verb up Sep 21 07:25:44.866603: | command executing up-client Sep 21 07:25:44.866631: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_ Sep 21 07:25:44.866635: | popen cmd is 1047 chars long Sep 21 07:25:44.866638: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x: Sep 21 07:25:44.866641: | cmd( 80):2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUT: Sep 21 07:25:44.866643: | cmd( 160):O_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' P: Sep 21 07:25:44.866646: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: Sep 21 07:25:44.866648: | cmd( 320):O_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@n: Sep 21 07:25:44.866651: | cmd( 400):orth' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_P: Sep 21 07:25:44.866654: | cmd( 480):EER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUT: Sep 21 07:25:44.866656: | cmd( 560):O_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRY: Sep 21 07:25:44.866659: | cmd( 640):PT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: Sep 21 07:25:44.866661: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_: Sep 21 07:25:44.866664: | cmd( 800):CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' : Sep 21 07:25:44.866667: | cmd( 880):PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' V: Sep 21 07:25:44.866669: | cmd( 960):TI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7e4f04b5 SPI_OUT=0x87712436 ipsec _updo: Sep 21 07:25:44.866672: | cmd(1040):wn 2>&1: Sep 21 07:25:44.880030: | route_and_eroute: firewall_notified: true Sep 21 07:25:44.880044: | running updown command "ipsec _updown" for verb prepare Sep 21 07:25:44.880050: | command executing prepare-client Sep 21 07:25:44.880085: | executing prepare-client: 
PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED Sep 21 07:25:44.880093: | popen cmd is 1052 chars long Sep 21 07:25:44.880097: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Sep 21 07:25:44.880100: | cmd( 80):et/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23': Sep 21 07:25:44.880103: | cmd( 160): PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2: Sep 21 07:25:44.880106: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': Sep 21 07:25:44.880109: | cmd( 320): PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_I: Sep 21 07:25:44.880112: | cmd( 400):D='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Sep 21 07:25:44.880115: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:25:44.880118: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Sep 21 
07:25:44.880120: | cmd( 640):ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: Sep 21 07:25:44.880123: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_: Sep 21 07:25:44.880126: | cmd( 800):PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: Sep 21 07:25:44.880129: | cmd( 880):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE: Sep 21 07:25:44.880132: | cmd( 960):='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7e4f04b5 SPI_OUT=0x87712436 ipsec : Sep 21 07:25:44.880135: | cmd(1040):_updown 2>&1: Sep 21 07:25:44.890681: | running updown command "ipsec _updown" for verb route Sep 21 07:25:44.890700: | command executing route-client Sep 21 07:25:44.890730: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no Sep 21 07:25:44.890733: | popen cmd is 1050 chars long Sep 21 07:25:44.890736: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet: Sep 21 
07:25:44.890739: | cmd( 80):/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' P: Sep 21 07:25:44.890742: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:25:44.890748: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:25:44.890750: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=: Sep 21 07:25:44.890753: | cmd( 400):'@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUT: Sep 21 07:25:44.890755: | cmd( 480):O_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: Sep 21 07:25:44.890758: | cmd( 560):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+EN: Sep 21 07:25:44.890760: | cmd( 640):CRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_: Sep 21 07:25:44.890763: | cmd( 720):CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PE: Sep 21 07:25:44.890765: | cmd( 800):ER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=: Sep 21 07:25:44.890767: | cmd( 880):'' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=': Sep 21 07:25:44.890770: | cmd( 960):' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7e4f04b5 SPI_OUT=0x87712436 ipsec _u: Sep 21 07:25:44.890772: | cmd(1040):pdown 2>&1: Sep 21 07:25:44.911835: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55820106cf20,sr=0x55820106cf20} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:25:44.911967: | #1 spent 0.95 milliseconds in install_ipsec_sa() Sep 21 07:25:44.911979: | ISAKMP_v2_IKE_AUTH: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:25:44.911985: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:44.911991: | emitting 1 0x00 repeated 
bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:44.911995: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:44.911999: | emitting length of IKEv2 Encryption Payload: 197 Sep 21 07:25:44.912003: | emitting length of ISAKMP Message: 225 Sep 21 07:25:44.912033: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:25:44.912041: | #1 spent 2.69 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:25:44.912051: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.912058: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.912065: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:25:44.912069: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:25:44.912074: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:25:44.912078: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:25:44.912086: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:25:44.912093: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:44.912097: | pstats #2 ikev2.child established Sep 21 07:25:44.912109: "northnet-eastnet/0x2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:44.912114: | NAT-T: encaps is 'auto' Sep 21 07:25:44.912122: "northnet-eastnet/0x2" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel 
mode {ESP=>0x7e4f04b5 <0x87712436 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:25:44.912129: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:44.912137: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:44.912264: | releasing whack for #2 (sock=fd@-1) Sep 21 07:25:44.912269: | releasing whack and unpending for parent #1 Sep 21 07:25:44.912273: | unpending state #1 connection "northnet-eastnet/0x2" Sep 21 07:25:44.912279: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:44.912284: | event_schedule: new EVENT_SA_REKEY-pe@0x7ff0f4002b20 Sep 21 07:25:44.912289: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:25:44.912294: | libevent_malloc: new ptr-libevent@0x558201076770 size 128 Sep 21 07:25:44.912302: | resume sending
helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:25:44.912309: | #1 spent 3.04 milliseconds in resume sending helper answer Sep 21 07:25:44.912317: | stop processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:44.912322: | libevent_free: release ptr-libevent@0x7ff0ec006b90 Sep 21 07:25:44.912337: | processing signal PLUTO_SIGCHLD Sep 21 07:25:44.912344: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:44.912350: | spent 0.00698 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:44.912353: | processing signal PLUTO_SIGCHLD Sep 21 07:25:44.912358: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:44.912363: | spent 0.00467 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:44.912366: | processing signal PLUTO_SIGCHLD Sep 21 07:25:44.912371: | waitpid returned ECHILD (no child processes left) Sep 21 07:25:44.912375: | spent 0.00457 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:25:44.958112: | spent 0.00359 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:25:44.958136: | *received 601 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:25:44.958233: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:25:44.958238: | **parse ISAKMP Message: Sep 21 07:25:44.958241: | initiator cookie: Sep 21 07:25:44.958243: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.958245: | responder cookie: Sep 21 07:25:44.958248: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.958251: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:25:44.958253: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.958256: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:25:44.958259: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:25:44.958261: | Message ID: 2 (0x2) Sep 21 07:25:44.958264: | length: 601 (0x259) Sep 21 07:25:44.958267: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Sep 21 07:25:44.958270: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Sep 21 07:25:44.958275: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:25:44.958281: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:25:44.958285: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:25:44.958290: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:25:44.958293: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:25:44.958297: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:25:44.958307: | unpacking clear payload Sep 21 07:25:44.958312: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:25:44.958315: | ***parse IKEv2 Encryption Payload: Sep 21 07:25:44.958318: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:25:44.958321: | flags: none (0x0) Sep 21 07:25:44.958323: | length: 573 (0x23d)
Sep 21 07:25:44.958326: | processing payload: ISAKMP_NEXT_v2SK (len=569) Sep 21 07:25:44.958330: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:25:44.958336: | #1 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:25:44.958352: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Sep 21 07:25:44.958355: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:25:44.958358: | **parse IKEv2 Security Association Payload: Sep 21 07:25:44.958361: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:25:44.958363: | flags: none (0x0) Sep 21 07:25:44.958365: | length: 196 (0xc4) Sep 21 07:25:44.958368: | processing payload: ISAKMP_NEXT_v2SA (len=192) Sep 21 07:25:44.958370: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:25:44.958372: | **parse IKEv2 Nonce Payload: Sep 21 07:25:44.958375: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:25:44.958377: | flags: none (0x0) Sep 21 07:25:44.958379: | length: 36 (0x24) Sep 21 07:25:44.958382: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:25:44.958384: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:25:44.958387: | **parse IKEv2 Key Exchange Payload: Sep 21 07:25:44.958389: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:25:44.958391: | flags: none (0x0) Sep 21 07:25:44.958393: | length: 264 (0x108) Sep 21 07:25:44.958396: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.958398: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:25:44.958401: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:25:44.958403: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:44.958406: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:25:44.958408: | flags: none (0x0) Sep 21 07:25:44.958410: | length: 24 (0x18) Sep 21 07:25:44.958412: | number of TS: 1 (0x1) Sep 21 07:25:44.958428: | processing payload: 
ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:25:44.958430: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:25:44.958432: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:44.958434: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.958437: | flags: none (0x0) Sep 21 07:25:44.958439: | length: 24 (0x18) Sep 21 07:25:44.958441: | number of TS: 1 (0x1) Sep 21 07:25:44.958443: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:25:44.958446: | state #1 forced to match CREATE_CHILD_SA from V2_CREATE_R->V2_IPSEC_R by ignoring from state Sep 21 07:25:44.958449: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:25:44.958454: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:25:44.958458: | creating state object #3 at 0x558201078390 Sep 21 07:25:44.958461: | State DB: adding IKEv2 state #3 in UNDEFINED Sep 21 07:25:44.958467: | pstats #3 ikev2.child started Sep 21 07:25:44.958470: | duplicating state object #1 "northnet-eastnet/0x2" as #3 for IPSEC SA Sep 21 07:25:44.958475: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:25:44.958481: | Message ID: init_child #1.#3; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:25:44.958485: | child state #3: UNDEFINED(ignore) => V2_CREATE_R(established IKE SA) Sep 21 07:25:44.958490: | "northnet-eastnet/0x2" #1 received Child SA Request CREATE_CHILD_SA from 192.1.3.33:500 Child "northnet-eastnet/0x2" #3 in STATE_V2_CREATE_R will process it further Sep 21 07:25:44.958494: | Message ID: switch-from #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:25:44.958499: | Message ID: switch-to #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 
responder.sent=1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1->2 Sep 21 07:25:44.958501: | forcing ST #1 to CHILD #1.#3 in FSM processor Sep 21 07:25:44.958504: | Now let's proceed with state specific processing Sep 21 07:25:44.958506: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Sep 21 07:25:44.958513: | create child proposal's DH changed from no-PFS to MODP2048, flushing Sep 21 07:25:44.958517: | constructing ESP/AH proposals with default DH MODP2048 for northnet-eastnet/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Sep 21 07:25:44.958521: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Sep 21 07:25:44.958527: | ... ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.958530: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Sep 21 07:25:44.958534: | ... ikev2_proposal: 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.958537: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:44.958541: | ... ikev2_proposal: 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.958544: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:25:44.958548: | ... 
ikev2_proposal: 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.958556: "northnet-eastnet/0x2": constructed local ESP/AH proposals for northnet-eastnet/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=MODP2048;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.958560: | Comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Sep 21 07:25:44.958563: | local proposal 1 type ENCR has 1 transforms Sep 21 07:25:44.958566: | local proposal 1 type PRF has 0 transforms Sep 21 07:25:44.958568: | local proposal 1 type INTEG has 1 transforms Sep 21 07:25:44.958570: | local proposal 1 type DH has 1 transforms Sep 21 07:25:44.958573: | local proposal 1 type ESN has 1 transforms Sep 21 07:25:44.958576: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Sep 21 07:25:44.958578: | local proposal 2 type ENCR has 1 transforms Sep 21 07:25:44.958580: | local proposal 2 type PRF has 0 transforms Sep 21 07:25:44.958583: | local proposal 2 type INTEG has 1 transforms Sep 21 07:25:44.958585: | local proposal 2 type DH has 1 transforms Sep 21 07:25:44.958587: | local proposal 2 type ESN has 1 transforms Sep 21 07:25:44.958590: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Sep 21 07:25:44.958592: | local proposal 3 type ENCR has 1 transforms Sep 21 07:25:44.958595: | local proposal 3 type PRF has 0 transforms Sep 21 07:25:44.958597: | local proposal 3 type INTEG has 2 transforms Sep 21 07:25:44.958599: | local proposal 3 type DH has 1 transforms Sep 21 07:25:44.958601: | local proposal 3 type ESN has 1 transforms Sep 21 07:25:44.958604: | local proposal 3 transforms: 
required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:25:44.958607: | local proposal 4 type ENCR has 1 transforms Sep 21 07:25:44.958609: | local proposal 4 type PRF has 0 transforms Sep 21 07:25:44.958611: | local proposal 4 type INTEG has 2 transforms Sep 21 07:25:44.958614: | local proposal 4 type DH has 1 transforms Sep 21 07:25:44.958616: | local proposal 4 type ESN has 1 transforms Sep 21 07:25:44.958619: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Sep 21 07:25:44.958621: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.958624: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.958627: | length: 40 (0x28) Sep 21 07:25:44.958629: | prop #: 1 (0x1) Sep 21 07:25:44.958631: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.958634: | spi size: 4 (0x4) Sep 21 07:25:44.958636: | # transforms: 3 (0x3) Sep 21 07:25:44.958639: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.958642: | remote SPI 1e b6 7f 38 Sep 21 07:25:44.958647: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:25:44.958650: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958652: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958655: | length: 12 (0xc) Sep 21 07:25:44.958657: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.958659: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.958662: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.958664: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.958667: | length/value: 256 (0x100) Sep 21 07:25:44.958671: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:25:44.958674: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958676: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958679: | length: 8 (0x8) Sep 21 07:25:44.958681: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.958683: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.958687: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:25:44.958690: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:25:44.958693: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:25:44.958696: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:25:44.958698: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958700: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.958703: | length: 8 (0x8) Sep 21 07:25:44.958705: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.958708: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.958711: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:25:44.958714: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Sep 21 07:25:44.958717: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Sep 21 07:25:44.958720: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Sep 21 07:25:44.958723: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Sep 21 07:25:44.958728: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Sep 21 07:25:44.958730: | remote proposal 1 matches local proposal 1 Sep 21 07:25:44.958733: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.958736: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.958738: | length: 40 (0x28) Sep 21 07:25:44.958740: | prop #: 2 (0x2) Sep 21 07:25:44.958742: | 
proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.958745: | spi size: 4 (0x4) Sep 21 07:25:44.958747: | # transforms: 3 (0x3) Sep 21 07:25:44.958750: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.958752: | remote SPI 1e b6 7f 38 Sep 21 07:25:44.958755: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.958758: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958760: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958762: | length: 12 (0xc) Sep 21 07:25:44.958765: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.958767: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.958769: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.958772: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.958774: | length/value: 128 (0x80) Sep 21 07:25:44.958777: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958781: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958867: | length: 8 (0x8) Sep 21 07:25:44.958870: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.958873: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.958876: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958879: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.958881: | length: 8 (0x8) Sep 21 07:25:44.958883: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.958885: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.958889: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Sep 21 07:25:44.958892: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Sep 21 07:25:44.958895: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.958897: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:25:44.958899: | length: 56 (0x38) Sep 21 07:25:44.958902: | prop #: 3 
(0x3) Sep 21 07:25:44.958904: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.958906: | spi size: 4 (0x4) Sep 21 07:25:44.958908: | # transforms: 5 (0x5) Sep 21 07:25:44.958911: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.958914: | remote SPI 1e b6 7f 38 Sep 21 07:25:44.958916: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.958919: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958921: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958924: | length: 12 (0xc) Sep 21 07:25:44.958926: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.958928: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:44.958931: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.958934: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.958936: | length/value: 256 (0x100) Sep 21 07:25:44.958939: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958941: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958943: | length: 8 (0x8) Sep 21 07:25:44.958945: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.958948: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:25:44.958950: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958953: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958955: | length: 8 (0x8) Sep 21 07:25:44.958957: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.958959: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.958961: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.958964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.958966: | length: 8 (0x8) Sep 21 07:25:44.958968: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.958970: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.958973: | ****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:25:44.958975: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.958977: | length: 8 (0x8) Sep 21 07:25:44.958979: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.958981: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.958984: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Sep 21 07:25:44.958987: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Sep 21 07:25:44.958989: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.958992: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.958994: | length: 56 (0x38) Sep 21 07:25:44.958996: | prop #: 4 (0x4) Sep 21 07:25:44.958998: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.959000: | spi size: 4 (0x4) Sep 21 07:25:44.959002: | # transforms: 5 (0x5) Sep 21 07:25:44.959005: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:25:44.959009: | remote SPI 1e b6 7f 38 Sep 21 07:25:44.959012: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:25:44.959014: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.959016: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.959018: | length: 12 (0xc) Sep 21 07:25:44.959021: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.959023: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:25:44.959025: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.959028: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.959030: | length/value: 128 (0x80) Sep 21 07:25:44.959032: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.959034: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.959036: | length: 8 (0x8) Sep 21 07:25:44.959038: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.959041: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 
07:25:44.959043: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.959045: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.959048: | length: 8 (0x8) Sep 21 07:25:44.959050: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:25:44.959052: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:25:44.959055: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.959057: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.959059: | length: 8 (0x8) Sep 21 07:25:44.959061: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.959064: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.959067: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:25:44.959069: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.959071: | length: 8 (0x8) Sep 21 07:25:44.959073: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.959076: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.959079: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Sep 21 07:25:44.959082: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Sep 21 07:25:44.959087: "northnet-eastnet/0x2" #1: proposal 1:ESP:SPI=1eb67f38;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.959093: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=1eb67f38;ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED Sep 21 07:25:44.959096: | converting proposal to internal trans attrs Sep 21 07:25:44.959100: | updating #3's .st_oakley with preserved PRF, but why update? 
Sep 21 07:25:44.959103: | Child SA TS Request has child->sa == md->st; so using child connection Sep 21 07:25:44.959106: | TSi: parsing 1 traffic selectors Sep 21 07:25:44.959109: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:44.959111: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.959113: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.959115: | length: 16 (0x10) Sep 21 07:25:44.959117: | start port: 0 (0x0) Sep 21 07:25:44.959120: | end port: 65535 (0xffff) Sep 21 07:25:44.959122: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:44.959124: | TS low c0 00 03 00 Sep 21 07:25:44.959127: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:44.959129: | TS high c0 00 03 ff Sep 21 07:25:44.959131: | TSi: parsed 1 traffic selectors Sep 21 07:25:44.959134: | TSr: parsing 1 traffic selectors Sep 21 07:25:44.959136: | ***parse IKEv2 Traffic Selector: Sep 21 07:25:44.959138: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.959141: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.959145: | length: 16 (0x10) Sep 21 07:25:44.959147: | start port: 0 (0x0) Sep 21 07:25:44.959149: | end port: 65535 (0xffff) Sep 21 07:25:44.959152: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:25:44.959154: | TS low c0 00 02 00 Sep 21 07:25:44.959156: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:25:44.959158: | TS high c0 00 02 ff Sep 21 07:25:44.959160: | TSr: parsed 1 traffic selectors Sep 21 07:25:44.959162: | looking for best SPD in current connection Sep 21 07:25:44.959168: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.959173: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.959180: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.959184: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.959186: | TSi[0] port 
match: YES fitness 65536 Sep 21 07:25:44.959189: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.959193: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959197: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.959203: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.959206: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.959209: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.959212: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.959215: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959217: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.959220: | found better spd route for TSi[0],TSr[0] Sep 21 07:25:44.959222: | looking for better host pair Sep 21 07:25:44.959227: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:25:44.959232: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:25:44.959235: | investigating connection "northnet-eastnet/0x2" as a better match Sep 21 07:25:44.959238: | match_id a=@north Sep 21 07:25:44.959241: | b=@north Sep 21 07:25:44.959243: | results matched Sep 21 07:25:44.959249: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.959254: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.959259: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.959262: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.959264: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:44.959267: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.959270: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959274: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 
07:25:44.959280: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.959282: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.959284: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.959287: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.959289: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959292: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.959295: | investigating connection "northnet-eastnet/0x1" as a better match Sep 21 07:25:44.959297: | match_id a=@north Sep 21 07:25:44.959300: | b=@north Sep 21 07:25:44.959302: | results matched Sep 21 07:25:44.959307: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:25:44.959312: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.959321: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:25:44.959324: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:25:44.959327: | TSi[0] port match: YES fitness 65536 Sep 21 07:25:44.959329: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:25:44.959332: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959336: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:25:44.959342: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:25:44.959345: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:25:44.959347: | TSr[0] port match: YES fitness 65536 Sep 21 07:25:44.959350: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:25:44.959353: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:25:44.959355: | best fit so far: TSi[0] TSr[0] Sep 21 07:25:44.959358: | did not find a better connection using host pair Sep 21 07:25:44.959360: | printing contents struct traffic_selector 
Sep 21 07:25:44.959363: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:44.959365: | ipprotoid: 0 Sep 21 07:25:44.959367: | port range: 0-65535 Sep 21 07:25:44.959371: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:25:44.959374: | printing contents struct traffic_selector Sep 21 07:25:44.959376: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:25:44.959378: | ipprotoid: 0 Sep 21 07:25:44.959380: | port range: 0-65535 Sep 21 07:25:44.959384: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:25:44.959391: | adding Child Responder KE and nonce nr work-order 3 for state #3 Sep 21 07:25:44.959394: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55820106b830 Sep 21 07:25:44.959398: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:25:44.959402: | libevent_malloc: new ptr-libevent@0x7ff0ec006b90 size 128 Sep 21 07:25:44.959413: | #3 spent 0.856 milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in ikev2_process_state_packet() Sep 21 07:25:44.959419: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.959424: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.959428: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:25:44.959431: | suspending state #3 and saving MD Sep 21 07:25:44.959433: | #3 is busy; has a suspended MD Sep 21 07:25:44.959438: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:44.959441: | "northnet-eastnet/0x2" #3 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:44.959446: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 
07:25:44.959445: | crypto helper 4 resuming Sep 21 07:25:44.959454: | #1 spent 1.28 milliseconds in ikev2_process_packet() Sep 21 07:25:44.959463: | crypto helper 4 starting work-order 3 for state #3 Sep 21 07:25:44.959471: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:25:44.959478: | crypto helper 4 doing build KE and nonce (Child Responder KE and nonce nr); request ID 3 Sep 21 07:25:44.959481: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:25:44.959484: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:25:44.959489: | spent 1.31 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:25:44.960058: | crypto helper 4 finished build KE and nonce (Child Responder KE and nonce nr); request ID 3 time elapsed 0.00058 seconds Sep 21 07:25:44.960067: | (#3) spent 0.585 milliseconds in crypto helper computing work-order 3: Child Responder KE and nonce nr (pcr) Sep 21 07:25:44.960071: | crypto helper 4 sending results from work-order 3 for state #3 to event queue Sep 21 07:25:44.960074: | scheduling resume sending helper answer for #3 Sep 21 07:25:44.960076: | libevent_malloc: new ptr-libevent@0x7ff0f0006900 size 128 Sep 21 07:25:44.960078: | libevent_realloc: release ptr-libevent@0x55820104eb60 Sep 21 07:25:44.960080: | libevent_realloc: new ptr-libevent@0x5582010721e0 size 128 Sep 21 07:25:44.960085: | crypto helper 4 waiting (nothing to do) Sep 21 07:25:44.960095: | processing resume sending helper answer for #3 Sep 21 07:25:44.960104: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:44.960109: | crypto helper 4 replies to request ID 3 Sep 21 07:25:44.960111: | calling continuation function 0x5581ff299630 Sep 21 07:25:44.960114: | ikev2_child_inIoutR_continue for #3 STATE_V2_CREATE_R Sep 21 07:25:44.960120: | adding DHv2 for child sa work-order 4 for state #3 Sep 21 07:25:44.960123: | 
state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:44.960127: | libevent_free: release ptr-libevent@0x7ff0ec006b90 Sep 21 07:25:44.960130: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55820106b830 Sep 21 07:25:44.960133: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55820106b8d0 Sep 21 07:25:44.960137: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Sep 21 07:25:44.960139: | libevent_malloc: new ptr-libevent@0x7ff0ec006b90 size 128 Sep 21 07:25:44.960149: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.960152: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_SUSPEND Sep 21 07:25:44.960155: | suspending state #3 and saving MD Sep 21 07:25:44.960157: | #3 is busy; has a suspended MD Sep 21 07:25:44.960162: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:25:44.960165: | "northnet-eastnet/0x2" #3 complete v2 state STATE_V2_CREATE_R transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:25:44.960169: | resume sending helper answer for #3 suppresed complete_v2_state_transition() and stole MD Sep 21 07:25:44.960174: | #3 spent 0.0637 milliseconds in resume sending helper answer Sep 21 07:25:44.960178: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:44.960181: | libevent_free: release ptr-libevent@0x7ff0f0006900 Sep 21 07:25:44.960181: | crypto helper 5 resuming Sep 21 07:25:44.960194: | crypto helper 5 starting work-order 4 for state #3 Sep 21 07:25:44.960197: | crypto helper 5 doing crypto (DHv2 for child sa); request ID 4 Sep 21 07:25:44.960714: | crypto helper 5 finished crypto (DHv2 for child sa); request ID 4 time elapsed 0.000517 seconds Sep 21 07:25:44.960719: | (#3) spent 0.521 
milliseconds in crypto helper computing work-order 4: DHv2 for child sa (dh) Sep 21 07:25:44.960721: | crypto helper 5 sending results from work-order 4 for state #3 to event queue Sep 21 07:25:44.960723: | scheduling resume sending helper answer for #3 Sep 21 07:25:44.960725: | libevent_malloc: new ptr-libevent@0x7ff0e4001ef0 size 128 Sep 21 07:25:44.960730: | crypto helper 5 waiting (nothing to do) Sep 21 07:25:44.960738: | processing resume sending helper answer for #3 Sep 21 07:25:44.960748: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:25:44.960752: | crypto helper 5 replies to request ID 4 Sep 21 07:25:44.960755: | calling continuation function 0x5581ff29a4f0 Sep 21 07:25:44.960758: | ikev2_child_inIoutR_continue_continue for #3 STATE_V2_CREATE_R Sep 21 07:25:44.960764: | **emit ISAKMP Message: Sep 21 07:25:44.960767: | initiator cookie: Sep 21 07:25:44.960769: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:44.960777: | responder cookie: Sep 21 07:25:44.960779: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:44.960782: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:44.960810: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:44.960813: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Sep 21 07:25:44.960829: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:25:44.960831: | Message ID: 2 (0x2) Sep 21 07:25:44.960834: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:44.960837: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:44.960840: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.960843: | flags: none (0x0) Sep 21 07:25:44.960846: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:44.960849: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 
07:25:44.960852: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:44.960891: | netlink_get_spi: allocated 0x812aa0f1 for esp.0@192.1.2.23 Sep 21 07:25:44.960896: | Emitting ikev2_proposal ... Sep 21 07:25:44.960899: | ****emit IKEv2 Security Association Payload: Sep 21 07:25:44.960901: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.960904: | flags: none (0x0) Sep 21 07:25:44.960907: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:25:44.960910: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.960913: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:25:44.960916: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:25:44.960918: | prop #: 1 (0x1) Sep 21 07:25:44.960921: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:25:44.960923: | spi size: 4 (0x4) Sep 21 07:25:44.960926: | # transforms: 3 (0x3) Sep 21 07:25:44.960929: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:25:44.960932: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:25:44.960935: | our spi 81 2a a0 f1 Sep 21 07:25:44.960937: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.960940: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.960942: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:25:44.960945: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:25:44.960948: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.960951: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:25:44.960954: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:25:44.960956: | length/value: 256 (0x100) Sep 21 07:25:44.960959: | 
emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:25:44.960962: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.960964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.960967: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:25:44.960970: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.960973: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.960976: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.960979: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:44.960982: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:25:44.960984: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:25:44.960987: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:25:44.960991: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:25:44.960995: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:25:44.960998: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:25:44.961000: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:25:44.961003: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:25:44.961006: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:25:44.961008: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:25:44.961011: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:25:44.961026: | ****emit IKEv2 Nonce Payload: Sep 21 
07:25:44.961029: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.961031: | flags: none (0x0) Sep 21 07:25:44.961035: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:25:44.961037: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.961040: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:25:44.961043: | IKEv2 nonce df ec b3 56 63 b3 01 a8 e0 28 04 d7 a4 08 16 4c Sep 21 07:25:44.961045: | IKEv2 nonce 11 c7 30 25 2d de 6a dd c5 be 72 a0 8f f3 0f bf Sep 21 07:25:44.961048: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:25:44.961050: | ****emit IKEv2 Key Exchange Payload: Sep 21 07:25:44.961053: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.961055: | flags: none (0x0) Sep 21 07:25:44.961058: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:25:44.961061: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:25:44.961063: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.961081: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
Sep 21 07:25:44.961135: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:25:44.961137: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:25:44.961140: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.961142: | flags: none (0x0) Sep 21 07:25:44.961146: | number of TS: 1 (0x1) Sep 21 07:25:44.961150: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:25:44.961152: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.961155: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:44.961158: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.961160: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.961163: | start port: 0 (0x0) Sep 21 07:25:44.961165: | end port: 65535 (0xffff) Sep 21 07:25:44.961168: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:44.961170: | IP start c0 00 03 00 Sep 21 07:25:44.961173: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:44.961175: | IP end c0 00 03 ff Sep 21 07:25:44.961178: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:44.961180: |
emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:25:44.961183: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:25:44.961185: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:44.961188: | flags: none (0x0) Sep 21 07:25:44.961190: | number of TS: 1 (0x1) Sep 21 07:25:44.961193: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:25:44.961197: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:25:44.961199: | *****emit IKEv2 Traffic Selector: Sep 21 07:25:44.961202: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:25:44.961204: | IP Protocol ID: 0 (0x0) Sep 21 07:25:44.961207: | start port: 0 (0x0) Sep 21 07:25:44.961209: | end port: 65535 (0xffff) Sep 21 07:25:44.961212: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:25:44.961214: | IP start c0 00 02 00 Sep 21 07:25:44.961217: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:25:44.961219: | IP end c0 00 02 ff Sep 21 07:25:44.961222: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:25:44.961224: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:25:44.961227: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:25:44.961231: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 Sep 21 07:25:44.961405: | install_ipsec_sa() for #3: inbound and outbound Sep 21 07:25:44.961410: | could_route called for northnet-eastnet/0x2 (kind=CK_PERMANENT) Sep 21 07:25:44.961413: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:44.961417: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.961419: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:44.961422: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.961425: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:44.961429: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Sep 21 07:25:44.961433: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:44.961436: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:44.961439: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:44.961442: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:44.961446: | setting IPsec SA replay-window to 32 Sep 21 07:25:44.961453: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Sep 21 07:25:44.961456: | netlink: enabling tunnel mode Sep 21 07:25:44.961459: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:25:44.961462: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:44.961560: | netlink response for Add SA esp.1eb67f38@192.1.3.33 included non-error error Sep 21 07:25:44.961632: | set up outgoing SA, ref=0/0 Sep 21 07:25:44.961638: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Sep 21 07:25:44.961642: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Sep 21 07:25:44.961645: | AES_GCM_16 requires 4 salt bytes Sep 21 07:25:44.961647: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Sep 21 07:25:44.961651: | setting IPsec SA replay-window to 32 Sep 21 07:25:44.961654: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Sep 21 07:25:44.961657: | netlink: enabling tunnel mode Sep 21 07:25:44.961660: | netlink: setting IPsec SA replay-window to 32 
using old-style req Sep 21 07:25:44.961663: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:25:44.961717: | netlink response for Add SA esp.812aa0f1@192.1.2.23 included non-error error Sep 21 07:25:44.961721: | set up incoming SA, ref=0/0 Sep 21 07:25:44.961724: | sr for #3: erouted Sep 21 07:25:44.961728: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:25:44.961731: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:25:44.961734: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.961737: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:44.961740: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:44.961743: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:44.961747: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Sep 21 07:25:44.961750: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:northnet-eastnet/0x2 esr:{(nil)} ro:northnet-eastnet/0x2 rosr:{(nil)} and state: #3 Sep 21 07:25:44.961754: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:44.961764: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 (raw_eroute) Sep 21 07:25:44.961767: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:44.961799: | raw_eroute result=success Sep 21 07:25:44.961806: | route_and_eroute: firewall_notified: true Sep 21 07:25:44.961810: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55820106cf20,sr=0x55820106cf20} to #3 (was #2) (newest_ipsec_sa=#2) Sep 21 07:25:44.961876: | #1 spent 0.381 milliseconds in install_ipsec_sa() Sep 21 07:25:44.961883: | ISAKMP_v2_CREATE_CHILD_SA: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Sep 21 07:25:44.961886: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:44.961889: | emitting 
1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:44.961892: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:44.961895: | emitting length of IKEv2 Encryption Payload: 421 Sep 21 07:25:44.961898: | emitting length of ISAKMP Message: 449 Sep 21 07:25:44.961916: "northnet-eastnet/0x2" #3: negotiated new IPsec SA [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:44.961924: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:25:44.961928: | #3 complete_v2_state_transition() V2_CREATE_R->V2_IPSEC_R with status STF_OK Sep 21 07:25:44.961931: | IKEv2: transition from state STATE_V2_CREATE_R to state STATE_V2_IPSEC_R Sep 21 07:25:44.961935: | child state #3: V2_CREATE_R(established IKE SA) => V2_IPSEC_R(established CHILD SA) Sep 21 07:25:44.961938: | Message ID: updating counters for #3 to 2 after switching state Sep 21 07:25:44.961944: | Message ID: recv #1.#3 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1->2; child: wip.initiator=-1 wip.responder=2->-1 Sep 21 07:25:44.961949: | Message ID: sent #1.#3 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=2; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:25:44.961954: | pstats #3 ikev2.child established Sep 21 07:25:44.961961: "northnet-eastnet/0x2" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:25:44.961965: | NAT-T: encaps is 'auto' Sep 21 07:25:44.961970: "northnet-eastnet/0x2" #3: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x1eb67f38 <0x812aa0f1 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Sep 21 07:25:44.961976: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:25:44.961982: | sending 449 bytes for 
STATE_V2_CREATE_R through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:25:44.962103: | releasing whack for #3 (sock=fd@-1) Sep 21 07:25:44.962107: | releasing whack and unpending for parent #1 Sep 21 07:25:44.962110: | unpending state #1 connection "northnet-eastnet/0x2" Sep 21 07:25:44.962115: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:25:44.962118: | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:25:44.962121: | libevent_free: release ptr-libevent@0x7ff0ec006b90 Sep 21 07:25:44.962124: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55820106b8d0 Sep 21 07:25:44.962128: | event_schedule: new EVENT_SA_REKEY-pe@0x7ff0f0002b20 Sep 21 07:25:44.962131: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Sep 21 07:25:44.962135: | libevent_malloc: new ptr-libevent@0x7ff0ec006b90 size 128 Sep 21 07:25:44.962141: | #3 spent 1.27 milliseconds in resume sending helper answer Sep 21 07:25:44.962147: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:25:44.962150: | libevent_free: release ptr-libevent@0x7ff0e4001ef0 Sep 21 07:25:47.400712: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:47.400738: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:25:47.400742: | FOR_EACH_STATE_...
in sort_states Sep 21 07:25:47.400750: | get_sa_info esp.87712436@192.1.2.23 Sep 21 07:25:47.400767: | get_sa_info esp.7e4f04b5@192.1.3.33 Sep 21 07:25:47.400787: | get_sa_info esp.812aa0f1@192.1.2.23 Sep 21 07:25:47.400798: | get_sa_info esp.1eb67f38@192.1.3.33 Sep 21 07:25:47.400811: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:47.400819: | spent 0.113 milliseconds in whack Sep 21 07:25:47.672992: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:47.673193: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:47.673199: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:25:47.673279: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:25:47.673282: | FOR_EACH_STATE_... in sort_states Sep 21 07:25:47.673292: | get_sa_info esp.87712436@192.1.2.23 Sep 21 07:25:47.673304: | get_sa_info esp.7e4f04b5@192.1.3.33 Sep 21 07:25:47.673315: | get_sa_info esp.812aa0f1@192.1.2.23 Sep 21 07:25:47.673320: | get_sa_info esp.1eb67f38@192.1.3.33 Sep 21 07:25:47.673335: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:25:47.673340: | spent 0.348 milliseconds in whack Sep 21 07:25:49.148130: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:25:49.148152: shutting down Sep 21 07:25:49.148160: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:25:49.148163: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:25:49.148167: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:25:49.148169: forgetting secrets Sep 21 07:25:49.148172: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:25:49.148175: | start processing: connection "northnet-eastnet/0x2" (in delete_connection() at connections.c:189) Sep 21 07:25:49.148177: | Deleting states for connection - including all other 
IPsec SA's of this IKE SA Sep 21 07:25:49.148179: | pass 0 Sep 21 07:25:49.148181: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:49.148183: | state #3 Sep 21 07:25:49.148185: | suspend processing: connection "northnet-eastnet/0x2" (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:49.148189: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:49.148191: | pstats #3 ikev2.child deleted completed Sep 21 07:25:49.148195: | #3 spent 3.29 milliseconds in total Sep 21 07:25:49.148198: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:49.148202: "northnet-eastnet/0x2" #3: deleting state (STATE_V2_IPSEC_R) aged 4.189s and sending notification Sep 21 07:25:49.148204: | child state #3: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:49.148208: | get_sa_info esp.1eb67f38@192.1.3.33 Sep 21 07:25:49.148219: | get_sa_info esp.812aa0f1@192.1.2.23 Sep 21 07:25:49.148225: "northnet-eastnet/0x2" #3: ESP traffic information: in=336B out=336B Sep 21 07:25:49.148227: | #3 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:49.148229: | Opening output PBS informational exchange delete request Sep 21 07:25:49.148232: | **emit ISAKMP Message: Sep 21 07:25:49.148233: | initiator cookie: Sep 21 07:25:49.148235: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:49.148236: | responder cookie: Sep 21 07:25:49.148238: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.148240: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:49.148242: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:49.148244: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:49.148248: | flags: none (0x0) Sep 21 07:25:49.148250: | Message ID: 0 (0x0) Sep 21 07:25:49.148252: | next payload chain: saving message location 'ISAKMP 
Message'.'next payload type' Sep 21 07:25:49.148254: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:49.148256: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:49.148257: | flags: none (0x0) Sep 21 07:25:49.148259: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:49.148261: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:49.148263: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:49.148271: | ****emit IKEv2 Delete Payload: Sep 21 07:25:49.148273: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:49.148274: | flags: none (0x0) Sep 21 07:25:49.148276: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:49.148278: | SPI size: 4 (0x4) Sep 21 07:25:49.148279: | number of SPIs: 1 (0x1) Sep 21 07:25:49.148281: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:49.148283: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:49.148285: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:49.148287: | local spis 81 2a a0 f1 Sep 21 07:25:49.148288: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:49.148290: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:49.148292: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:49.148294: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:49.148296: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:49.148297: | emitting length of ISAKMP Message: 69 Sep 21 07:25:49.148319: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 
(using #3) Sep 21 07:25:49.148321: | ed 77 91 86 49 b9 d1 07 a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.148323: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Sep 21 07:25:49.148324: | 48 13 e2 31 b0 69 be 3c c2 0b 98 fd 01 34 2a bc Sep 21 07:25:49.148325: | bf b7 8f 17 80 65 8f b9 fb 2a 95 91 1e 5e 49 31 Sep 21 07:25:49.148327: | 82 c5 32 ad 96 Sep 21 07:25:49.148691: | Message ID: IKE #1 sender #3 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:25:49.148696: | Message ID: IKE #1 sender #3 in send_delete hacking around record ' send Sep 21 07:25:49.148701: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:25:49.148704: | state #3 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:49.148708: | libevent_free: release ptr-libevent@0x7ff0ec006b90 Sep 21 07:25:49.148711: | free_event_entry: release EVENT_SA_REKEY-pe@0x7ff0f0002b20 Sep 21 07:25:49.148772: | running updown command "ipsec _updown" for verb down Sep 21 07:25:49.148776: | command executing down-client Sep 21 07:25:49.148815: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050744' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 
PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHA Sep 21 07:25:49.148824: | popen cmd is 1058 chars long Sep 21 07:25:49.148827: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/: Sep 21 07:25:49.148829: | cmd( 80):0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PL: Sep 21 07:25:49.148831: | cmd( 160):UTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0': Sep 21 07:25:49.148834: | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: Sep 21 07:25:49.148836: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID=': Sep 21 07:25:49.148838: | cmd( 400):@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO: Sep 21 07:25:49.148841: | cmd( 480):_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PL: Sep 21 07:25:49.148843: | cmd( 560):UTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569050744' PLUTO_CONN_POLICY: Sep 21 07:25:49.148845: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO: Sep 21 07:25:49.148848: | cmd( 720):' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLU: Sep 21 07:25:49.148850: | cmd( 800):TO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER: Sep 21 07:25:49.148852: | cmd( 880):_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI: Sep 21 07:25:49.148854: | cmd( 960):_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1eb67f38 SPI_OUT=0x812aa0f1 : Sep 21 07:25:49.148857: | cmd(1040):ipsec _updown 2>&1: Sep 21 07:25:49.160613: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using 
protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:49.160627: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:49.160631: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:49.160634: | IPsec Sa SPD priority set to 1042407 Sep 21 07:25:49.160674: | delete esp.1eb67f38@192.1.3.33 Sep 21 07:25:49.160705: | netlink response for Del SA esp.1eb67f38@192.1.3.33 included non-error error Sep 21 07:25:49.160711: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:49.160719: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:49.160766: | raw_eroute result=success Sep 21 07:25:49.160772: | delete esp.812aa0f1@192.1.2.23 Sep 21 07:25:49.160802: | netlink response for Del SA esp.812aa0f1@192.1.2.23 included non-error error Sep 21 07:25:49.160813: | stop processing: connection "northnet-eastnet/0x2" (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:25:49.160817: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:25:49.160821: | in connection_discard for connection northnet-eastnet/0x2 Sep 21 07:25:49.160825: | State DB: deleting IKEv2 state #3 in V2_IPSEC_R Sep 21 07:25:49.160829: | child state #3: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:49.160851: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:49.160861: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:49.160865: | state #2 Sep 21 07:25:49.160871: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:49.160875: | pstats #2 ikev2.child deleted completed Sep 21 07:25:49.160881: | [RE]START processing: state #2 connection "northnet-eastnet/0x2" 
from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:49.160888: "northnet-eastnet/0x2" #2: deleting state (STATE_V2_IPSEC_R) aged 4.295s and sending notification Sep 21 07:25:49.160892: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:25:49.160897: | get_sa_info esp.7e4f04b5@192.1.3.33 Sep 21 07:25:49.160907: | get_sa_info esp.87712436@192.1.2.23 Sep 21 07:25:49.160915: "northnet-eastnet/0x2" #2: ESP traffic information: in=0B out=0B Sep 21 07:25:49.160919: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:25:49.160922: | Opening output PBS informational exchange delete request Sep 21 07:25:49.160923: | **emit ISAKMP Message: Sep 21 07:25:49.160925: | initiator cookie: Sep 21 07:25:49.160927: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:49.160928: | responder cookie: Sep 21 07:25:49.160929: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.160931: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:49.160933: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:49.160935: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:49.160936: | flags: none (0x0) Sep 21 07:25:49.160938: | Message ID: 1 (0x1) Sep 21 07:25:49.160940: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:49.160942: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:49.160943: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:49.160945: | flags: none (0x0) Sep 21 07:25:49.160947: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:49.160949: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:49.160951: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:49.160955: | ****emit IKEv2 Delete Payload: Sep 21 07:25:49.160959: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 
07:25:49.160964: | flags: none (0x0) Sep 21 07:25:49.160966: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:25:49.160969: | SPI size: 4 (0x4) Sep 21 07:25:49.160971: | number of SPIs: 1 (0x1) Sep 21 07:25:49.160975: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:49.160977: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:49.160980: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:25:49.160983: | local spis 87 71 24 36 Sep 21 07:25:49.160985: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:25:49.160988: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:49.160991: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:49.160994: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:49.160996: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:25:49.160999: | emitting length of ISAKMP Message: 69 Sep 21 07:25:49.161017: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #2) Sep 21 07:25:49.161021: | ed 77 91 86 49 b9 d1 07 a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.161023: | 2e 20 25 00 00 00 00 01 00 00 00 45 2a 00 00 29 Sep 21 07:25:49.161025: | c9 51 b9 cc ba 57 2c d1 05 2c eb a5 3b 74 55 ff Sep 21 07:25:49.161026: | 56 86 8f 56 57 21 60 38 9a fb d6 0a ab 4e 30 5d Sep 21 07:25:49.161028: | 0c 88 4b 3a 56 Sep 21 07:25:49.161075: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:25:49.161080: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:25:49.161085: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); 
initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:25:49.161093: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:25:49.161096: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:49.161101: | libevent_free: release ptr-libevent@0x558201076770 Sep 21 07:25:49.161104: | free_event_entry: release EVENT_SA_REKEY-pe@0x7ff0f4002b20 Sep 21 07:25:49.161168: | delete esp.7e4f04b5@192.1.3.33 Sep 21 07:25:49.161200: | netlink response for Del SA esp.7e4f04b5@192.1.3.33 included non-error error Sep 21 07:25:49.161205: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:49.161213: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:25:49.161224: | raw_eroute result=success Sep 21 07:25:49.161229: | delete esp.87712436@192.1.2.23 Sep 21 07:25:49.161253: | netlink response for Del SA esp.87712436@192.1.2.23 included non-error error Sep 21 07:25:49.161257: | in connection_discard for connection northnet-eastnet/0x2 Sep 21 07:25:49.161261: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:25:49.161265: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:25:49.161271: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:49.161277: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:49.161280: | state #1 Sep 21 07:25:49.161283: | pass 1 Sep 21 07:25:49.161285: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:25:49.161287: | state #1 Sep 21 07:25:49.161290: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:25:49.161293: | pstats #1 ikev2.ike deleted completed Sep 21 07:25:49.161296: | #1 spent 8.76 milliseconds in total Sep 21 07:25:49.161300: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:879) Sep 21 07:25:49.161303: "northnet-eastnet/0x2" #1: deleting state (STATE_PARENT_R2) aged 4.303s and sending notification Sep 21 07:25:49.161306: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:25:49.161357: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:25:49.161364: | Opening output PBS informational exchange delete request Sep 21 07:25:49.161367: | **emit ISAKMP Message: Sep 21 07:25:49.161370: | initiator cookie: Sep 21 07:25:49.161372: | ed 77 91 86 49 b9 d1 07 Sep 21 07:25:49.161375: | responder cookie: Sep 21 07:25:49.161377: | a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.161380: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:25:49.161383: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:25:49.161386: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:25:49.161389: | flags: none (0x0) Sep 21 07:25:49.161392: | Message ID: 2 (0x2) Sep 21 07:25:49.161395: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:25:49.161398: | ***emit IKEv2 Encryption Payload: Sep 21 07:25:49.161400: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:49.161403: | flags: none (0x0) Sep 21 07:25:49.161406: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:25:49.161409: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 
'informational exchange delete request' Sep 21 07:25:49.161412: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:25:49.161417: | ****emit IKEv2 Delete Payload: Sep 21 07:25:49.161420: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:25:49.161422: | flags: none (0x0) Sep 21 07:25:49.161425: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:25:49.161427: | SPI size: 0 (0x0) Sep 21 07:25:49.161433: | number of SPIs: 0 (0x0) Sep 21 07:25:49.161436: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:25:49.161439: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:25:49.161441: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:25:49.161444: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:25:49.161447: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:25:49.161450: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:25:49.161453: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:25:49.161455: | emitting length of ISAKMP Message: 65 Sep 21 07:25:49.161469: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:25:49.161472: | ed 77 91 86 49 b9 d1 07 a8 aa 2f 49 4c d2 7f cc Sep 21 07:25:49.161474: | 2e 20 25 00 00 00 00 02 00 00 00 41 2a 00 00 25 Sep 21 07:25:49.161476: | 83 5d ed 13 9d 1f 9d 07 35 55 10 f2 2b aa b8 f8 Sep 21 07:25:49.161479: | 42 b8 b0 3f be 02 e1 77 5b 2b d6 0a ad 97 c1 96 Sep 21 07:25:49.161481: | e1 Sep 21 07:25:49.161508: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=2->3 and sender msgid=1->2 Sep 21 07:25:49.161512: | Message ID: IKE #1 sender #1 in send_delete hacking around record ' send Sep 21 
07:25:49.161534: | Message ID: #1 XXX: expecting sender.wip.initiator 1 == -1 - suspect record'n'send out-of-order?); initiator.sent=2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=2 wip.responder=-1 Sep 21 07:25:49.161540: | Message ID: sent #1 request 2; ike: initiator.sent=1->2 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1->2 wip.responder=-1 Sep 21 07:25:49.161544: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:25:49.161548: | libevent_free: release ptr-libevent@0x558201071920 Sep 21 07:25:49.161551: | free_event_entry: release EVENT_SA_REKEY-pe@0x55820106f6e0 Sep 21 07:25:49.161554: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:25:49.161557: | in connection_discard for connection northnet-eastnet/0x2 Sep 21 07:25:49.161560: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:25:49.161563: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:25:49.161576: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1143) Sep 21 07:25:49.161590: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:25:49.161596: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:25:49.161600: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:25:49.161603: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:49.161632: | priority calculation of connection "northnet-eastnet/0x2" is 0xfe7e7 Sep 21 07:25:49.161642: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:25:49.161646: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:49.161648: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Sep 21 07:25:49.161651: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Sep 21 07:25:49.161658: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Sep 21 07:25:49.161661: | route owner of "northnet-eastnet/0x2" unrouted: NULL Sep 21 07:25:49.161664: | running updown command "ipsec _updown" for verb unroute Sep 21 07:25:49.161667: | command executing unroute-client Sep 21 07:25:49.161691: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Sep 21 07:25:49.161697: | popen cmd is 1039 chars long Sep 21 07:25:49.161700: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Sep 21 07:25:49.161702: | cmd( 80):et/0x2' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23': Sep 21 07:25:49.161704: | cmd( 160): PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.2: Sep 21 07:25:49.161706: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': Sep 21 07:25:49.161708: | cmd( 320): PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Sep 21 07:25:49.161711: | cmd( 400):ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' P: Sep 21 07:25:49.161713: | cmd( 480):LUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: Sep 21 07:25:49.161715: | cmd( 560):' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK: Sep 21 07:25:49.161717: | cmd( 640):+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLU: Sep 21 07:25:49.161719: | cmd( 720):TO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Sep 21 07:25:49.161722: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Sep 21 07:25:49.161724: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Sep 21 07:25:49.161726: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Sep 21 07:25:49.170760: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170778: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170788: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170799: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170814: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170828: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170844: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170857: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170871: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:49.170885: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170897: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170913: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170926: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170938: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170951: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170964: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170979: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.170992: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171009: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171022: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171035: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171049: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171062: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171075: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171356: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171368: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171384: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171397: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171409: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171422: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171435: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:49.171449: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171462: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171474: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171487: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171500: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171513: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171526: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171539: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171552: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171565: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171580: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171593: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171606: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171618: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171631: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171645: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171658: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171670: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171683: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171696: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171710: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171723: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:49.171736: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171748: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171761: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171776: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171806: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171813: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171822: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171835: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171850: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171863: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171875: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171888: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171901: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171916: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171929: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171942: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171954: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171967: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171982: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.171995: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172008: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172020: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:49.172033: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172047: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172060: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172073: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172086: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172098: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172115: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172128: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172141: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172153: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172166: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172181: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172194: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172206: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172219: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172231: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172245: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172259: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172271: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172284: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172296: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172311: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:25:49.172323: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172336: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172348: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172361: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172376: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172389: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.172402: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:25:49.177940: | flush revival: connection 'northnet-eastnet/0x2' wasn't on the list Sep 21 07:25:49.177954: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:25:49.177963: | start processing: connection "northnet-eastnet/0x1" (in delete_connection() at connections.c:189) Sep 21 07:25:49.177967: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:25:49.177970: | pass 0 Sep 21 07:25:49.177972: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:25:49.177975: | pass 1 Sep 21 07:25:49.177977: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:25:49.177980: | free hp@0x5582010379e0 Sep 21 07:25:49.177983: | flush revival: connection 'northnet-eastnet/0x1' wasn't on the list Sep 21 07:25:49.177991: | stop processing: connection "northnet-eastnet/0x1" (in discard_connection() at connections.c:249) Sep 21 07:25:49.177997: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:25:49.177999: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:25:49.178010: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:25:49.178013: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:25:49.178017: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:25:49.178020: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:25:49.178023: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:25:49.178026: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:25:49.178030: | FOR_EACH_STATE_... in delete_states_dead_interfaces Sep 21 07:25:49.178036: | libevent_free: release ptr-libevent@0x55820106b080 Sep 21 07:25:49.178039: | free_event_entry: release EVENT_NULL-pe@0x558201054280 Sep 21 07:25:49.178048: | libevent_free: release ptr-libevent@0x55820106b170 Sep 21 07:25:49.178051: | free_event_entry: release EVENT_NULL-pe@0x55820106b130 Sep 21 07:25:49.178057: | libevent_free: release ptr-libevent@0x55820106b260 Sep 21 07:25:49.178059: | free_event_entry: release EVENT_NULL-pe@0x55820106b220 Sep 21 07:25:49.178065: | libevent_free: release ptr-libevent@0x55820106b350 Sep 21 07:25:49.178068: | free_event_entry: release EVENT_NULL-pe@0x55820106b310 Sep 21 07:25:49.178073: | libevent_free: release ptr-libevent@0x55820106b440 Sep 21 07:25:49.178076: | free_event_entry: release EVENT_NULL-pe@0x55820106b400 Sep 21 07:25:49.178082: | libevent_free: release ptr-libevent@0x55820106b530 Sep 21 07:25:49.178084: | free_event_entry: release EVENT_NULL-pe@0x55820106b4f0 Sep 21 07:25:49.178089: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:25:49.178502: | libevent_free: release ptr-libevent@0x55820106a9e0 Sep 21 07:25:49.178521: | free_event_entry: release EVENT_NULL-pe@0x558201053500 Sep 21 07:25:49.178525: | libevent_free: release ptr-libevent@0x558201060470 Sep 21 07:25:49.178528: | free_event_entry: release EVENT_NULL-pe@0x5582010537b0 Sep 21 07:25:49.178531: | libevent_free: release ptr-libevent@0x5582010603e0 Sep 21 07:25:49.178534: | free_event_entry: release EVENT_NULL-pe@0x558201058f10 Sep 21 07:25:49.178537: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:25:49.178539: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:25:49.178542: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:25:49.178544: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:25:49.178547: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:25:49.178549: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:25:49.178551: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:25:49.178554: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:25:49.178556: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:25:49.178561: | libevent_free: release ptr-libevent@0x55820106aab0 Sep 21 07:25:49.178563: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:25:49.178566: | libevent_free: release ptr-libevent@0x55820106ab90 Sep 21 07:25:49.178569: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:25:49.178571: | libevent_free: release ptr-libevent@0x55820106ac50 Sep 21 07:25:49.178574: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:25:49.178577: | libevent_free: release ptr-libevent@0x55820105f6e0 Sep 21 07:25:49.178579: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:25:49.178581: | releasing event base Sep 21 07:25:49.178593: | libevent_free: release ptr-libevent@0x55820106ad10 Sep 21 07:25:49.178596: | libevent_free: release ptr-libevent@0x5582010401f0 Sep 21 07:25:49.178599: | libevent_free: 
release ptr-libevent@0x55820104ea90 Sep 21 07:25:49.178602: | libevent_free: release ptr-libevent@0x5582010721e0 Sep 21 07:25:49.178604: | libevent_free: release ptr-libevent@0x55820104eab0 Sep 21 07:25:49.178607: | libevent_free: release ptr-libevent@0x55820106aa70 Sep 21 07:25:49.178612: | libevent_free: release ptr-libevent@0x55820106ab50 Sep 21 07:25:49.178615: | libevent_free: release ptr-libevent@0x55820104eb40 Sep 21 07:25:49.178617: | libevent_free: release ptr-libevent@0x55820104eca0 Sep 21 07:25:49.178619: | libevent_free: release ptr-libevent@0x558201053700 Sep 21 07:25:49.178622: | libevent_free: release ptr-libevent@0x55820106b5c0 Sep 21 07:25:49.178624: | libevent_free: release ptr-libevent@0x55820106b4d0 Sep 21 07:25:49.178626: | libevent_free: release ptr-libevent@0x55820106b3e0 Sep 21 07:25:49.178628: | libevent_free: release ptr-libevent@0x55820106b2f0 Sep 21 07:25:49.178631: | libevent_free: release ptr-libevent@0x55820106b200 Sep 21 07:25:49.178633: | libevent_free: release ptr-libevent@0x55820106b110 Sep 21 07:25:49.178635: | libevent_free: release ptr-libevent@0x558200fd2370 Sep 21 07:25:49.178638: | libevent_free: release ptr-libevent@0x55820106ac30 Sep 21 07:25:49.178640: | libevent_free: release ptr-libevent@0x55820106ab70 Sep 21 07:25:49.178642: | libevent_free: release ptr-libevent@0x55820106aa90 Sep 21 07:25:49.178645: | libevent_free: release ptr-libevent@0x55820106acf0 Sep 21 07:25:49.178647: | libevent_free: release ptr-libevent@0x558200fd05b0 Sep 21 07:25:49.178650: | libevent_free: release ptr-libevent@0x55820104ead0 Sep 21 07:25:49.178652: | libevent_free: release ptr-libevent@0x55820104eb00 Sep 21 07:25:49.178655: | libevent_free: release ptr-libevent@0x55820104e7f0 Sep 21 07:25:49.178657: | releasing global libevent data Sep 21 07:25:49.178659: | libevent_free: release ptr-libevent@0x55820104d4a0 Sep 21 07:25:49.178662: | libevent_free: release ptr-libevent@0x55820104d4d0 Sep 21 07:25:49.178665: | libevent_free: release 
ptr-libevent@0x55820104e7c0