Sep 21 07:38:47.057408: FIPS Product: YES Sep 21 07:38:47.057452: FIPS Kernel: NO Sep 21 07:38:47.057455: FIPS Mode: NO Sep 21 07:38:47.057458: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:38:47.057643: Initializing NSS Sep 21 07:38:47.057647: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:38:47.201014: NSS initialized Sep 21 07:38:47.201027: NSS crypto library initialized Sep 21 07:38:47.201030: FIPS HMAC integrity support [enabled] Sep 21 07:38:47.201032: FIPS mode disabled for pluto daemon Sep 21 07:38:47.296433: FIPS HMAC integrity verification self-test FAILED Sep 21 07:38:47.296538: libcap-ng support [enabled] Sep 21 07:38:47.296547: Linux audit support [enabled] Sep 21 07:38:47.296574: Linux audit activated Sep 21 07:38:47.296585: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:28325 Sep 21 07:38:47.296589: core dump dir: /tmp Sep 21 07:38:47.296591: secrets file: /etc/ipsec.secrets Sep 21 07:38:47.296593: leak-detective disabled Sep 21 07:38:47.296595: NSS crypto [enabled] Sep 21 07:38:47.296597: XAUTH PAM support [enabled] Sep 21 07:38:47.296674: | libevent is using pluto's memory allocator Sep 21 07:38:47.296681: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:38:47.296697: | libevent_malloc: new ptr-libevent@0x55fe4361d4f0 size 40 Sep 21 07:38:47.296704: | libevent_malloc: new ptr-libevent@0x55fe4361e7a0 size 40 Sep 21 07:38:47.296707: | libevent_malloc: new ptr-libevent@0x55fe4361e7d0 size 40 Sep 21 07:38:47.296710: | creating event base Sep 21 07:38:47.296712: | libevent_malloc: new ptr-libevent@0x55fe4361e760 size 56 Sep 21 07:38:47.296715: | libevent_malloc: new ptr-libevent@0x55fe4361e800 size 664 Sep 21 07:38:47.296728: | libevent_malloc: new 
ptr-libevent@0x55fe4361eaa0 size 24 Sep 21 07:38:47.296732: | libevent_malloc: new ptr-libevent@0x55fe43610260 size 384 Sep 21 07:38:47.296742: | libevent_malloc: new ptr-libevent@0x55fe4361eac0 size 16 Sep 21 07:38:47.296745: | libevent_malloc: new ptr-libevent@0x55fe4361eae0 size 40 Sep 21 07:38:47.296748: | libevent_malloc: new ptr-libevent@0x55fe4361eb10 size 48 Sep 21 07:38:47.296755: | libevent_realloc: new ptr-libevent@0x55fe435a2370 size 256 Sep 21 07:38:47.296758: | libevent_malloc: new ptr-libevent@0x55fe4361eb50 size 16 Sep 21 07:38:47.296763: | libevent_free: release ptr-libevent@0x55fe4361e760 Sep 21 07:38:47.296767: | libevent initialized Sep 21 07:38:47.296771: | libevent_realloc: new ptr-libevent@0x55fe4361eb70 size 64 Sep 21 07:38:47.296778: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:38:47.296797: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:38:47.296803: NAT-Traversal support [enabled] Sep 21 07:38:47.296806: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:38:47.296812: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:38:47.296816: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:38:47.296854: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:38:47.296859: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:38:47.296862: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:38:47.296914: Encryption algorithms: Sep 21 07:38:47.296925: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:38:47.296930: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:38:47.296933: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:38:47.296937: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:38:47.296940: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:38:47.296950: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:38:47.296955: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:38:47.296959: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:38:47.296963: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:38:47.296967: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:38:47.296970: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:38:47.296974: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:38:47.296978: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:38:47.296982: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:38:47.296985: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:38:47.296988: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:38:47.296992: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:38:47.296999: Hash algorithms: Sep 21 07:38:47.297002: MD5 IKEv1: IKE IKEv2: Sep 21 07:38:47.297005: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:38:47.297008: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:38:47.297010: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:38:47.297013: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:38:47.297025: PRF algorithms: Sep 21 07:38:47.297028: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:38:47.297031: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:38:47.297035: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:38:47.297038: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:38:47.297041: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:38:47.297043: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:38:47.297062: Integrity algorithms: Sep 21 07:38:47.297065: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:38:47.297068: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:38:47.297071: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:38:47.297074: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:38:47.297077: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:38:47.297079: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:38:47.297082: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:38:47.297085: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:38:47.297087: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:38:47.297097: DH algorithms: Sep 21 07:38:47.297100: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:38:47.297102: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:38:47.297104: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:38:47.297109: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:38:47.297112: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:38:47.297114: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:38:47.297116: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:38:47.297119: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:38:47.297121: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:38:47.297123: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:38:47.297126: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:38:47.297128: testing CAMELLIA_CBC: Sep 21 07:38:47.297130: Camellia: 16 bytes with 128-bit key Sep 21 07:38:47.297249: Camellia: 16 bytes with 128-bit key Sep 21 07:38:47.297279: Camellia: 16 bytes with 256-bit key Sep 21 07:38:47.297311: Camellia: 
16 bytes with 256-bit key Sep 21 07:38:47.297339: testing AES_GCM_16: Sep 21 07:38:47.297343: empty string Sep 21 07:38:47.297371: one block Sep 21 07:38:47.297397: two blocks Sep 21 07:38:47.297422: two blocks with associated data Sep 21 07:38:47.297448: testing AES_CTR: Sep 21 07:38:47.297451: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:38:47.297478: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:38:47.297507: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:38:47.297536: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:38:47.297563: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:38:47.297593: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:38:47.297621: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:38:47.297648: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:38:47.297676: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:38:47.297705: testing AES_CBC: Sep 21 07:38:47.297708: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:38:47.297735: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.297765: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.297799: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.297837: testing AES_XCBC: Sep 21 07:38:47.297841: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:38:47.297962: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:38:47.298093: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:38:47.298219: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:38:47.298349: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:38:47.298470: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:38:47.298589: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:38:47.298900: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:38:47.299053: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:38:47.299197: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:38:47.299438: testing HMAC_MD5: Sep 21 07:38:47.299443: RFC 2104: MD5_HMAC test 1 Sep 21 07:38:47.299628: RFC 2104: MD5_HMAC test 2 Sep 21 07:38:47.300013: RFC 2104: MD5_HMAC test 3 Sep 21 07:38:47.300212: 8 CPU cores online Sep 21 07:38:47.300217: starting up 7 crypto helpers Sep 21 07:38:47.300255: started thread for crypto helper 0 Sep 21 07:38:47.300278: started thread for crypto helper 1 Sep 21 07:38:47.300298: started thread for crypto helper 2 Sep 21 07:38:47.300320: started thread for crypto helper 3 Sep 21 07:38:47.300345: started thread for crypto helper 4 Sep 21 07:38:47.300370: started thread for crypto helper 5 Sep 21 07:38:47.300399: started thread for crypto helper 6 Sep 21 07:38:47.300409: | checking IKEv1 state table Sep 21 07:38:47.300417: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300420: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:38:47.300423: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300426: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:38:47.300429: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:38:47.300431: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:38:47.300434: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.300436: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.300439: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:38:47.300441: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:38:47.300444: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.300446: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.300449: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:38:47.300452: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.300454: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.300456: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:47.300459: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:38:47.300462: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.300464: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.300466: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:47.300469: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:38:47.300471: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300474: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:38:47.300477: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300480: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300482: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:38:47.300485: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300487: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:47.300489: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:47.300492: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:38:47.300495: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:47.300497: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:47.300500: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:38:47.300502: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300505: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.300508: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300511: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:38:47.300513: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:38:47.300516: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:38:47.300518: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:38:47.300521: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:38:47.300524: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:38:47.300526: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:38:47.300529: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300531: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:38:47.300534: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300537: | INFO: category: informational flags: 0: Sep 21 07:38:47.300539: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300542: | INFO_PROTECTED: category: informational 
flags: 0: Sep 21 07:38:47.300545: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300547: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:38:47.300550: | -> XAUTH_R1 EVENT_NULL Sep 21 07:38:47.300552: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:38:47.300555: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.300558: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:38:47.300560: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:38:47.300563: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:38:47.300566: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:38:47.300568: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.300571: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.300574: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:38:47.300582: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.300585: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.300588: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:38:47.300591: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:38:47.300593: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:38:47.300599: | checking IKEv2 state table Sep 21 07:38:47.300605: | PARENT_I0: category: ignore flags: 0: Sep 21 07:38:47.300608: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:38:47.300611: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300614: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:38:47.300616: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:38:47.300619: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:38:47.300622: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:38:47.300625: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:38:47.300627: | -> PARENT_I2 EVENT_NULL (Initiator: process 
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:38:47.300630: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:38:47.300633: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:38:47.300635: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:38:47.300638: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:38:47.300640: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:38:47.300643: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:38:47.300645: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:38:47.300648: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300651: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:38:47.300653: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.300656: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:38:47.300659: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:38:47.300662: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.300664: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:38:47.300667: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:38:47.300669: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:38:47.300672: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:38:47.300675: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.300677: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:38:47.300680: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:38:47.300683: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:38:47.300686: | V2_REKEY_IKE_I0: category: established IKE SA 
flags: 0: Sep 21 07:38:47.300689: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:47.300692: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:38:47.300695: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:38:47.300697: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.300700: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:38:47.300703: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:38:47.300706: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:38:47.300708: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:38:47.300714: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:38:47.300717: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:47.300720: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:38:47.300723: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:38:47.300726: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:38:47.300729: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:38:47.300732: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:38:47.300735: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:38:47.300794: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:38:47.300854: | Hard-wiring algorithms Sep 21 07:38:47.300858: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:38:47.300862: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:38:47.300865: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:38:47.300867: | adding 3DES_CBC to kernel algorithm db Sep 21 07:38:47.300870: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:38:47.300872: | adding AES_GCM_16 to kernel algorithm db Sep 21 
07:38:47.300875: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:38:47.300877: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:38:47.300879: | adding AES_CTR to kernel algorithm db Sep 21 07:38:47.300882: | adding AES_CBC to kernel algorithm db Sep 21 07:38:47.300884: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:38:47.300886: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:38:47.300889: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:38:47.300892: | adding NULL to kernel algorithm db Sep 21 07:38:47.300894: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:38:47.300897: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:38:47.300900: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:38:47.300902: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:38:47.300905: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:38:47.300908: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:38:47.300911: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:38:47.300913: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:38:47.300916: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:38:47.300918: | adding NONE to kernel algorithm db Sep 21 07:38:47.300942: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:38:47.300949: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:38:47.300952: | setup kernel fd callback Sep 21 07:38:47.300955: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55fe43628f20 Sep 21 07:38:47.300958: | libevent_malloc: new ptr-libevent@0x55fe436303f0 size 128 Sep 21 07:38:47.300962: | libevent_malloc: new ptr-libevent@0x55fe4361ecb0 size 16 Sep 21 07:38:47.300969: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55fe436237c0 Sep 21 07:38:47.300972: | libevent_malloc: new ptr-libevent@0x55fe43630480 size 128 Sep 21 07:38:47.300975: | libevent_malloc: new ptr-libevent@0x55fe43623710 size 16 Sep 21 
07:38:47.300979: | starting up helper thread 0 Sep 21 07:38:47.300989: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:38:47.300991: | crypto helper 0 waiting (nothing to do) Sep 21 07:38:47.300998: | starting up helper thread 1 Sep 21 07:38:47.301003: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:38:47.301006: | crypto helper 1 waiting (nothing to do) Sep 21 07:38:47.301011: | starting up helper thread 2 Sep 21 07:38:47.301016: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:38:47.301018: | crypto helper 2 waiting (nothing to do) Sep 21 07:38:47.301341: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:38:47.301350: selinux support is enabled. Sep 21 07:38:47.301429: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:38:47.301605: | unbound context created - setting debug level to 5 Sep 21 07:38:47.301637: | /etc/hosts lookups activated Sep 21 07:38:47.301654: | /etc/resolv.conf usage activated Sep 21 07:38:47.301717: | outgoing-port-avoid set 0-65535 Sep 21 07:38:47.301747: | outgoing-port-permit set 32768-60999 Sep 21 07:38:47.301750: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:38:47.301753: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:38:47.301756: | Setting up events, loop start Sep 21 07:38:47.301759: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55fe43623510 Sep 21 07:38:47.301762: | libevent_malloc: new ptr-libevent@0x55fe4363a9f0 size 128 Sep 21 07:38:47.301765: | libevent_malloc: new ptr-libevent@0x55fe4363aa80 size 16 Sep 21 07:38:47.301771: | libevent_realloc: new ptr-libevent@0x55fe435a05b0 size 256 Sep 21 07:38:47.301774: | libevent_malloc: new ptr-libevent@0x55fe4363aaa0 size 8 Sep 21 07:38:47.301777: | libevent_realloc: new ptr-libevent@0x55fe4362f6f0 size 144 Sep 21 07:38:47.301780: | libevent_malloc: new 
ptr-libevent@0x55fe4363aac0 size 152 Sep 21 07:38:47.301787: | libevent_malloc: new ptr-libevent@0x55fe4363ab60 size 16 Sep 21 07:38:47.301793: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:38:47.301796: | libevent_malloc: new ptr-libevent@0x55fe4363ab80 size 8 Sep 21 07:38:47.301799: | libevent_malloc: new ptr-libevent@0x55fe4363aba0 size 152 Sep 21 07:38:47.301802: | signal event handler PLUTO_SIGTERM installed Sep 21 07:38:47.301804: | libevent_malloc: new ptr-libevent@0x55fe4363ac40 size 8 Sep 21 07:38:47.301807: | libevent_malloc: new ptr-libevent@0x55fe4363ac60 size 152 Sep 21 07:38:47.301810: | signal event handler PLUTO_SIGHUP installed Sep 21 07:38:47.301812: | libevent_malloc: new ptr-libevent@0x55fe4363ad00 size 8 Sep 21 07:38:47.301815: | libevent_realloc: release ptr-libevent@0x55fe4362f6f0 Sep 21 07:38:47.301818: | libevent_realloc: new ptr-libevent@0x55fe4363ad20 size 256 Sep 21 07:38:47.301820: | libevent_malloc: new ptr-libevent@0x55fe4362f6f0 size 152 Sep 21 07:38:47.301823: | signal event handler PLUTO_SIGSYS installed Sep 21 07:38:47.302171: | created addconn helper (pid:28561) using fork+execve Sep 21 07:38:47.302186: | forked child 28561 Sep 21 07:38:47.302223: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.302238: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:47.302245: listening for IKE messages Sep 21 07:38:47.302296: | Inspecting interface lo Sep 21 07:38:47.302303: | found lo with address 127.0.0.1 Sep 21 07:38:47.302305: | Inspecting interface eth0 Sep 21 07:38:47.302309: | found eth0 with address 192.0.2.254 Sep 21 07:38:47.302312: | Inspecting interface eth1 Sep 21 07:38:47.302315: | found eth1 with address 192.1.2.23 Sep 21 07:38:47.302362: Kernel supports NIC esp-hw-offload Sep 21 07:38:47.302378: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:38:47.302405: | 
NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.302409: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.302413: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:38:47.302443: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:38:47.302471: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.302475: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.302479: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:38:47.302507: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:38:47.302531: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.302535: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.302539: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:38:47.302607: | no interfaces to sort Sep 21 07:38:47.302615: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:38:47.302624: | add_fd_read_event_handler: new ethX-pe@0x55fe43624290 Sep 21 07:38:47.302627: | libevent_malloc: new ptr-libevent@0x55fe4363b090 size 128 Sep 21 07:38:47.302630: | libevent_malloc: new ptr-libevent@0x55fe4363b120 size 16 Sep 21 07:38:47.302639: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:47.302641: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b140 Sep 21 07:38:47.302644: | libevent_malloc: new ptr-libevent@0x55fe4363b180 size 128 Sep 21 07:38:47.302647: | libevent_malloc: new ptr-libevent@0x55fe4363b210 size 16 Sep 21 07:38:47.302651: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:38:47.302654: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b230 Sep 21 07:38:47.302656: | libevent_malloc: new ptr-libevent@0x55fe4363b270 size 128 Sep 21 07:38:47.302659: | libevent_malloc: new ptr-libevent@0x55fe4363b300 size 16 Sep 21 07:38:47.302663: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:38:47.302665: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b320 Sep 21 07:38:47.302668: | libevent_malloc: new ptr-libevent@0x55fe4363b360 size 128 Sep 21 07:38:47.302671: | libevent_malloc: new ptr-libevent@0x55fe4363b3f0 size 16 Sep 21 07:38:47.302675: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:47.302677: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b410 Sep 21 07:38:47.302680: | libevent_malloc: new ptr-libevent@0x55fe4363b450 size 128 Sep 21 07:38:47.302683: | libevent_malloc: new ptr-libevent@0x55fe4363b4e0 size 16 Sep 21 07:38:47.302687: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:38:47.302689: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b500 Sep 21 07:38:47.302692: | libevent_malloc: new ptr-libevent@0x55fe4363b540 size 128 Sep 21 07:38:47.302694: | libevent_malloc: new ptr-libevent@0x55fe4363b5d0 size 16 Sep 21 07:38:47.302699: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 
07:38:47.302704: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:47.302707: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:47.302726: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:47.302744: | Processing PSK at line 1: passed Sep 21 07:38:47.302748: | certs and keys locked by 'process_secret' Sep 21 07:38:47.302752: | certs and keys unlocked by 'process_secret' Sep 21 07:38:47.302757: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:47.303418: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.303431: | spent 0.522 milliseconds in whack Sep 21 07:38:47.303446: | starting up helper thread 6 Sep 21 07:38:47.303452: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:38:47.303457: | crypto helper 6 waiting (nothing to do) Sep 21 07:38:47.303467: | starting up helper thread 5 Sep 21 07:38:47.303472: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:38:47.303474: | crypto helper 5 waiting (nothing to do) Sep 21 07:38:47.318035: | starting up helper thread 4 Sep 21 07:38:47.318053: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:38:47.318056: | crypto helper 4 waiting (nothing to do) Sep 21 07:38:47.318066: | starting up helper thread 3 Sep 21 07:38:47.318071: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:38:47.318074: | crypto helper 3 waiting (nothing to do) Sep 21 07:38:47.350991: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.351026: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:47.351032: listening for IKE messages Sep 21 07:38:47.351069: | Inspecting interface lo Sep 21 07:38:47.351077: | found lo with address 127.0.0.1 Sep 21 07:38:47.351080: | Inspecting interface eth0 Sep 21 
07:38:47.351085: | found eth0 with address 192.0.2.254 Sep 21 07:38:47.351093: | Inspecting interface eth1 Sep 21 07:38:47.351098: | found eth1 with address 192.1.2.23 Sep 21 07:38:47.351171: | no interfaces to sort Sep 21 07:38:47.351181: | libevent_free: release ptr-libevent@0x55fe4363b090 Sep 21 07:38:47.351184: | free_event_entry: release EVENT_NULL-pe@0x55fe43624290 Sep 21 07:38:47.351187: | add_fd_read_event_handler: new ethX-pe@0x55fe43624290 Sep 21 07:38:47.351191: | libevent_malloc: new ptr-libevent@0x55fe4363b090 size 128 Sep 21 07:38:47.351199: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:47.351202: | libevent_free: release ptr-libevent@0x55fe4363b180 Sep 21 07:38:47.351205: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b140 Sep 21 07:38:47.351208: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b140 Sep 21 07:38:47.351210: | libevent_malloc: new ptr-libevent@0x55fe4363b180 size 128 Sep 21 07:38:47.351215: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:38:47.351219: | libevent_free: release ptr-libevent@0x55fe4363b270 Sep 21 07:38:47.351222: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b230 Sep 21 07:38:47.351224: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b230 Sep 21 07:38:47.351227: | libevent_malloc: new ptr-libevent@0x55fe4363b270 size 128 Sep 21 07:38:47.351232: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:38:47.351236: | libevent_free: release ptr-libevent@0x55fe4363b360 Sep 21 07:38:47.351239: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b320 Sep 21 07:38:47.351241: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b320 Sep 21 07:38:47.351244: | libevent_malloc: new ptr-libevent@0x55fe4363b360 size 128 Sep 21 07:38:47.351249: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:47.351253: | libevent_free: release ptr-libevent@0x55fe4363b450 Sep 21 07:38:47.351256: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b410 Sep 21 
07:38:47.351258: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b410 Sep 21 07:38:47.351261: | libevent_malloc: new ptr-libevent@0x55fe4363b450 size 128 Sep 21 07:38:47.351266: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:38:47.351269: | libevent_free: release ptr-libevent@0x55fe4363b540 Sep 21 07:38:47.351272: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b500 Sep 21 07:38:47.351274: | add_fd_read_event_handler: new ethX-pe@0x55fe4363b500 Sep 21 07:38:47.351277: | libevent_malloc: new ptr-libevent@0x55fe4363b540 size 128 Sep 21 07:38:47.351282: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:38:47.351286: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:47.351288: forgetting secrets Sep 21 07:38:47.351294: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:47.351308: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:47.351316: | Processing PSK at line 1: passed Sep 21 07:38:47.351320: | certs and keys locked by 'process_secret' Sep 21 07:38:47.351322: | certs and keys unlocked by 'process_secret' Sep 21 07:38:47.351327: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:47.351334: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.351341: | spent 0.352 milliseconds in whack Sep 21 07:38:47.351791: | processing signal PLUTO_SIGCHLD Sep 21 07:38:47.351804: | waitpid returned pid 28561 (exited with status 0) Sep 21 07:38:47.351808: | reaped addconn helper child (status 0) Sep 21 07:38:47.351812: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:47.351816: | spent 0.0144 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:47.436172: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.436195: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:47.436200: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Sep 21 07:38:47.436203: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:47.436205: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:38:47.436210: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:47.436255: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:47.436312: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:38:47.436317: | from whack: got --esp=aes256-sha2 Sep 21 07:38:47.436331: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Sep 21 07:38:47.436335: | counting wild cards for (none) is 15 Sep 21 07:38:47.436341: | counting wild cards for 192.1.2.23 is 0 Sep 21 07:38:47.436348: | based upon policy, the connection is a template. 
Sep 21 07:38:47.436354: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:38:47.436358: | new hp@0x55fe43607a20 Sep 21 07:38:47.436364: added connection description "eastnet-northnet" Sep 21 07:38:47.436375: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:47.436385: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Sep 21 07:38:47.436393: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.436400: | spent 0.239 milliseconds in whack Sep 21 07:38:49.717994: | spent 0.00311 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:49.718026: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:38:49.718153: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:49.718157: | **parse ISAKMP Message: Sep 21 07:38:49.718160: | initiator cookie: Sep 21 07:38:49.718162: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.718164: | responder cookie: Sep 21 07:38:49.718166: | 00 00 00 00 00 00 00 00 Sep 21 07:38:49.718169: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.718172: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.718174: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:49.718177: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:49.718179: | Message ID: 0 (0x0) Sep 21 07:38:49.718182: | length: 828 (0x33c) Sep 21 07:38:49.718185: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:38:49.718189: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:38:49.718192: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:38:49.718195: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:49.718199: | ***parse IKEv2 Security Association Payload: Sep 21 07:38:49.718201: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:38:49.718203: | flags: none (0x0) Sep 21 07:38:49.718206: |
length: 436 (0x1b4) Sep 21 07:38:49.718209: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:38:49.718211: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:38:49.718214: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:38:49.718216: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:38:49.718219: | flags: none (0x0) Sep 21 07:38:49.718221: | length: 264 (0x108) Sep 21 07:38:49.718224: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.718226: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:38:49.718228: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:38:49.718231: | ***parse IKEv2 Nonce Payload: Sep 21 07:38:49.718233: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.718235: | flags: none (0x0) Sep 21 07:38:49.718237: | length: 36 (0x24) Sep 21 07:38:49.718240: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:38:49.718248: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.718251: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.718253: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.718256: | flags: none (0x0) Sep 21 07:38:49.718258: | length: 8 (0x8) Sep 21 07:38:49.718260: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.718263: | SPI size: 0 (0x0) Sep 21 07:38:49.718266: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:49.718268: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:49.718271: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.718273: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.718276: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.718278: | flags: none (0x0) Sep 21 07:38:49.718281: | length: 28 (0x1c) Sep 21 07:38:49.718283: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.718285: | SPI size: 0 (0x0) Sep 21 07:38:49.718288: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:49.718291: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 
07:38:49.718293: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.718295: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.718298: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.718300: | flags: none (0x0) Sep 21 07:38:49.718303: | length: 28 (0x1c) Sep 21 07:38:49.718305: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.718307: | SPI size: 0 (0x0) Sep 21 07:38:49.718310: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:49.718312: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:49.718315: | DDOS disabled and no cookie sent, continuing Sep 21 07:38:49.718321: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718325: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:49.718327: | find_next_host_connection returns empty Sep 21 07:38:49.718332: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718338: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.718341: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:49.718346: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.718348: | find_next_host_connection returns empty Sep 21 07:38:49.718353: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:38:49.718358: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718361: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:49.718363: | find_next_host_connection returns empty Sep 21 07:38:49.718368: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718373: | find_host_pair: comparing 
192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.718376: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:49.718379: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.718381: | find_next_host_connection returns empty Sep 21 07:38:49.718386: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:38:49.718391: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718394: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:49.718396: | find_next_host_connection returns empty Sep 21 07:38:49.718400: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.718405: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.718410: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:49.718414: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.718417: | find_next_host_connection returns eastnet-northnet Sep 21 07:38:49.718419: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:49.718421: | find_next_host_connection returns empty Sep 21 07:38:49.718423: | rw_instantiate Sep 21 07:38:49.718432: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:38:49.718436: | new hp@0x55fe435cde80 Sep 21 07:38:49.718443: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Sep 21 07:38:49.718447: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Sep 21 07:38:49.718452: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.718479: | creating state object #1 at 0x55fe4363eb00 Sep 21 07:38:49.718483: | State DB: 
adding IKEv2 state #1 in UNDEFINED Sep 21 07:38:49.718491: | pstats #1 ikev2.ike started Sep 21 07:38:49.718495: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:38:49.718499: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:38:49.718505: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:49.718514: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:49.718518: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:49.718523: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:49.718526: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:38:49.718531: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:38:49.718535: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:38:49.718539: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:38:49.718542: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:38:49.718544: | Now let's proceed with state specific processing Sep 21 07:38:49.718546: | calling processor Respond to IKE_SA_INIT Sep 21 07:38:49.718557: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:49.718561: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Sep 21 07:38:49.718569: | converting ike_info 
AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.718576: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.718580: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.718586: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.718590: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.718596: | ... ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.718600: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.718608: | ... 
ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.718620: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.718624: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:38:49.718628: | local proposal 1 type ENCR has 1 transforms Sep 21 07:38:49.718630: | local proposal 1 type PRF has 2 transforms Sep 21 07:38:49.718633: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:49.718635: | local proposal 1 type DH has 8 transforms Sep 21 07:38:49.718638: | local proposal 1 type ESN has 0 transforms Sep 21 07:38:49.718641: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:49.718643: | local proposal 2 type ENCR has 1 transforms Sep 21 07:38:49.718646: | local proposal 2 type PRF has 2 transforms Sep 21 07:38:49.718648: | local proposal 2 type INTEG has 1 transforms Sep 21 07:38:49.718650: | local proposal 2 type DH has 8 transforms Sep 21 07:38:49.718653: | local proposal 2 type ESN has 0 transforms Sep 21 07:38:49.718656: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:49.718658: | local proposal 3 type ENCR 
has 1 transforms Sep 21 07:38:49.718661: | local proposal 3 type PRF has 2 transforms Sep 21 07:38:49.718663: | local proposal 3 type INTEG has 2 transforms Sep 21 07:38:49.718666: | local proposal 3 type DH has 8 transforms Sep 21 07:38:49.718668: | local proposal 3 type ESN has 0 transforms Sep 21 07:38:49.718671: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:49.718673: | local proposal 4 type ENCR has 1 transforms Sep 21 07:38:49.718676: | local proposal 4 type PRF has 2 transforms Sep 21 07:38:49.718678: | local proposal 4 type INTEG has 2 transforms Sep 21 07:38:49.718681: | local proposal 4 type DH has 8 transforms Sep 21 07:38:49.718683: | local proposal 4 type ESN has 0 transforms Sep 21 07:38:49.718686: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:49.718689: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.718692: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.718695: | length: 100 (0x64) Sep 21 07:38:49.718697: | prop #: 1 (0x1) Sep 21 07:38:49.718699: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.718701: | spi size: 0 (0x0) Sep 21 07:38:49.718703: | # transforms: 11 (0xb) Sep 21 07:38:49.718707: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:38:49.718710: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718712: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718715: | length: 12 (0xc) Sep 21 07:38:49.718717: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.718720: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.718722: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.718725: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.718727: | length/value: 256 (0x100) Sep 21 07:38:49.718731: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 
07:38:49.718736: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718739: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718741: | length: 8 (0x8) Sep 21 07:38:49.718744: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.718746: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.718749: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:38:49.718753: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:38:49.718755: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:38:49.718758: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:38:49.718760: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718763: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718765: | length: 8 (0x8) Sep 21 07:38:49.718767: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.718769: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.718772: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718774: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718777: | length: 8 (0x8) Sep 21 07:38:49.718779: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718781: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.718788: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 07:38:49.718794: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:38:49.718797: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:38:49.718800: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:38:49.718802: | *****parse IKEv2 
Transform Substructure Payload: Sep 21 07:38:49.718804: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718807: | length: 8 (0x8) Sep 21 07:38:49.718809: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718811: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.718813: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718815: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718817: | length: 8 (0x8) Sep 21 07:38:49.718820: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718822: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.718826: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718831: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718833: | length: 8 (0x8) Sep 21 07:38:49.718836: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718839: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.718842: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718845: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718847: | length: 8 (0x8) Sep 21 07:38:49.718850: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718852: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.718856: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718859: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718861: | length: 8 (0x8) Sep 21 07:38:49.718864: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718867: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.718870: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718873: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718875: | length: 8 (0x8) Sep 21 07:38:49.718878: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718881: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.718887: | *****parse IKEv2 Transform Substructure 
Payload: Sep 21 07:38:49.718890: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.718892: | length: 8 (0x8) Sep 21 07:38:49.718895: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.718898: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.718903: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:38:49.718909: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:38:49.718912: | remote proposal 1 matches local proposal 1 Sep 21 07:38:49.718916: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.718919: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.718921: | length: 100 (0x64) Sep 21 07:38:49.718924: | prop #: 2 (0x2) Sep 21 07:38:49.718926: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.718929: | spi size: 0 (0x0) Sep 21 07:38:49.718931: | # transforms: 11 (0xb) Sep 21 07:38:49.718935: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.718938: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718944: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718947: | length: 12 (0xc) Sep 21 07:38:49.718950: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.718953: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.718956: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.718959: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.718961: | length/value: 128 (0x80) Sep 21 07:38:49.718965: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718967: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718970: | length: 8 (0x8) Sep 21 07:38:49.718972: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.718975: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.718979: | 
*****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718982: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.718984: | length: 8 (0x8) Sep 21 07:38:49.718989: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.718993: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.718996: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.718998: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719001: | length: 8 (0x8) Sep 21 07:38:49.719003: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719006: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.719008: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719011: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719013: | length: 8 (0x8) Sep 21 07:38:49.719015: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719018: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.719020: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719023: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719025: | length: 8 (0x8) Sep 21 07:38:49.719027: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719030: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.719033: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719035: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719038: | length: 8 (0x8) Sep 21 07:38:49.719040: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719043: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.719045: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719048: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719050: | length: 8 (0x8) Sep 21 07:38:49.719052: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719055: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.719063: | *****parse IKEv2 Transform 
Substructure Payload: Sep 21 07:38:49.719065: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719068: | length: 8 (0x8) Sep 21 07:38:49.719070: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719073: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.719076: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719078: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719080: | length: 8 (0x8) Sep 21 07:38:49.719082: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719084: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.719087: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719090: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.719092: | length: 8 (0x8) Sep 21 07:38:49.719095: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719097: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.719101: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:38:49.719104: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:38:49.719107: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.719109: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.719111: | length: 116 (0x74) Sep 21 07:38:49.719114: | prop #: 3 (0x3) Sep 21 07:38:49.719116: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.719118: | spi size: 0 (0x0) Sep 21 07:38:49.719121: | # transforms: 13 (0xd) Sep 21 07:38:49.719124: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.719127: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719130: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719132: | length: 12 (0xc) Sep 21 07:38:49.719135: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.719137: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 
07:38:49.719140: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.719143: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.719145: | length/value: 256 (0x100) Sep 21 07:38:49.719148: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719150: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719153: | length: 8 (0x8) Sep 21 07:38:49.719155: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.719157: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.719160: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719163: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719165: | length: 8 (0x8) Sep 21 07:38:49.719168: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.719170: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.719173: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719175: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719178: | length: 8 (0x8) Sep 21 07:38:49.719180: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.719182: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:49.719185: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719188: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719190: | length: 8 (0x8) Sep 21 07:38:49.719193: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.719195: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.719198: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719201: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719203: | length: 8 (0x8) Sep 21 07:38:49.719206: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719209: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.719211: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719216: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 
07:38:49.719219: | length: 8 (0x8) Sep 21 07:38:49.719222: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719224: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.719227: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719229: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719231: | length: 8 (0x8) Sep 21 07:38:49.719234: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719236: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.719239: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719242: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719244: | length: 8 (0x8) Sep 21 07:38:49.719247: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719249: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.719252: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719255: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719257: | length: 8 (0x8) Sep 21 07:38:49.719259: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719262: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.719265: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719267: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719269: | length: 8 (0x8) Sep 21 07:38:49.719272: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719274: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.719277: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719279: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719282: | length: 8 (0x8) Sep 21 07:38:49.719285: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719287: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.719290: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719292: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.719295: | length: 
8 (0x8) Sep 21 07:38:49.719297: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719300: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.719304: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:49.719307: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:38:49.719310: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.719313: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.719315: | length: 116 (0x74) Sep 21 07:38:49.719317: | prop #: 4 (0x4) Sep 21 07:38:49.719320: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.719322: | spi size: 0 (0x0) Sep 21 07:38:49.719325: | # transforms: 13 (0xd) Sep 21 07:38:49.719328: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.719331: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719333: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719336: | length: 12 (0xc) Sep 21 07:38:49.719338: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.719341: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.719343: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.719346: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.719348: | length/value: 128 (0x80) Sep 21 07:38:49.719351: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719354: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719356: | length: 8 (0x8) Sep 21 07:38:49.719358: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.719361: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.719363: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719366: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719370: | length: 8 (0x8) Sep 21 07:38:49.719373: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 
07:38:49.719375: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.719378: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719380: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719382: | length: 8 (0x8) Sep 21 07:38:49.719385: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.719387: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:49.719390: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719392: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719394: | length: 8 (0x8) Sep 21 07:38:49.719397: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.719399: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.719401: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719404: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719406: | length: 8 (0x8) Sep 21 07:38:49.719408: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719411: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.719413: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719416: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719418: | length: 8 (0x8) Sep 21 07:38:49.719420: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719423: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.719425: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719427: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719429: | length: 8 (0x8) Sep 21 07:38:49.719432: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719434: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.719437: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719440: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719442: | length: 8 (0x8) Sep 21 07:38:49.719444: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719447: | 
IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.719449: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719452: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719454: | length: 8 (0x8) Sep 21 07:38:49.719457: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719459: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.719462: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719464: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719466: | length: 8 (0x8) Sep 21 07:38:49.719469: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719471: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.719474: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719476: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.719478: | length: 8 (0x8) Sep 21 07:38:49.719481: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719483: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.719486: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.719488: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.719490: | length: 8 (0x8) Sep 21 07:38:49.719493: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.719495: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.719499: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:49.719502: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:38:49.719509: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 
2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:38:49.719516: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:38:49.719519: | converting proposal to internal trans attrs Sep 21 07:38:49.719524: | natd_hash: rcookie is zero Sep 21 07:38:49.719543: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:49.719547: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.719549: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:49.719551: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:49.719553: | natd_hash: port= 01 f4 Sep 21 07:38:49.719556: | natd_hash: hash= df af 3c f6 79 4f 24 c0 d8 96 8e fe 11 27 e6 61 Sep 21 07:38:49.719558: | natd_hash: hash= 41 a3 35 ff Sep 21 07:38:49.719561: | natd_hash: rcookie is zero Sep 21 07:38:49.719569: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:49.719571: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.719573: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:49.719575: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:49.719578: | natd_hash: port= 01 f4 Sep 21 07:38:49.719580: | natd_hash: hash= 43 45 b1 46 b7 18 26 19 a8 29 5d c9 76 ae da 46 Sep 21 07:38:49.719582: | natd_hash: hash= 82 c9 2b 4c Sep 21 07:38:49.719585: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:38:49.719587: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:38:49.719589: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:38:49.719593: | NAT_TRAVERSAL 
nat-keepalive enabled 192.1.3.33 Sep 21 07:38:49.719598: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:38:49.719602: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fe43640c70 Sep 21 07:38:49.719606: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:49.719610: | libevent_malloc: new ptr-libevent@0x55fe43640cb0 size 128 Sep 21 07:38:49.719625: | #1 spent 1.07 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:38:49.719628: | crypto helper 0 resuming Sep 21 07:38:49.719633: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.719635: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:38:49.719637: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:49.719639: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:38:49.720669: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001029 seconds Sep 21 07:38:49.720682: | (#1) spent 1.04 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:38:49.720685: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:38:49.720689: | scheduling resume sending helper answer for #1 Sep 21 07:38:49.720692: | libevent_malloc: new ptr-libevent@0x7fc884006900 size 128 Sep 21 07:38:49.720698: | crypto helper 0 waiting (nothing to do) Sep 21 07:38:49.719639: | suspending state #1 and saving MD Sep 21 07:38:49.720707: | #1 is busy; has a suspended MD Sep 21 07:38:49.720714: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:49.720719: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended 
from complete_v2_state_transition:3448 Sep 21 07:38:49.720727: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:49.720732: | #1 spent 1.66 milliseconds in ikev2_process_packet() Sep 21 07:38:49.720736: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:49.720739: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:49.720741: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:49.720745: | spent 1.68 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:49.720754: | processing resume sending helper answer for #1 Sep 21 07:38:49.720760: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:49.720764: | crypto helper 0 replies to request ID 1 Sep 21 07:38:49.720766: | calling continuation function 0x55fe42fd4630 Sep 21 07:38:49.720769: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:38:49.720803: | **emit ISAKMP Message: Sep 21 07:38:49.720808: | initiator cookie: Sep 21 07:38:49.720810: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.720812: | responder cookie: Sep 21 07:38:49.720814: | af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.720817: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:49.720820: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.720823: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:49.720825: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:49.720828: | Message ID: 0 (0x0) Sep 21 07:38:49.720831: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:49.720833: | Emitting ikev2_proposal ... 
Sep 21 07:38:49.720836: | ***emit IKEv2 Security Association Payload: Sep 21 07:38:49.720839: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.720841: | flags: none (0x0) Sep 21 07:38:49.720844: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:49.720847: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.720850: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.720853: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.720855: | prop #: 1 (0x1) Sep 21 07:38:49.720857: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.720860: | spi size: 0 (0x0) Sep 21 07:38:49.720862: | # transforms: 3 (0x3) Sep 21 07:38:49.720865: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:49.720867: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.720870: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.720872: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.720875: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.720878: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.720881: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.720883: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.720886: | length/value: 256 (0x100) Sep 21 07:38:49.720888: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:49.720891: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.720893: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.720896: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.720898: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.720901: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.720904: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.720908: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.720911: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.720913: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.720915: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.720918: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.720921: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.720923: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.720926: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.720928: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:38:49.720931: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:49.720934: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:38:49.720936: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:49.720939: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:38:49.720942: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.720944: | flags: none (0x0) Sep 21 07:38:49.720947: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.720950: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 
07:38:49.720953: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.720956: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:38:49.720958: | ikev2 g^x c6 04 30 e1 26 19 b5 09 1d d9 97 95 b0 80 e3 72 Sep 21 07:38:49.720960: | ikev2 g^x f8 09 2c 5b f4 e9 07 31 eb af 20 15 f0 5e 1e 9a Sep 21 07:38:49.720963: | ikev2 g^x 3f f4 62 a0 f8 df 26 ac 12 23 17 39 e1 cc 5d d4 Sep 21 07:38:49.720965: | ikev2 g^x f8 dc cb 41 48 53 8e eb 74 ca 5a 2c a8 56 4d f4 Sep 21 07:38:49.720968: | ikev2 g^x 19 a4 1b f8 b5 9c 04 85 e4 d7 59 4e 8c 12 34 c2 Sep 21 07:38:49.720970: | ikev2 g^x ea c7 e4 c6 5d 0f e2 aa a1 17 2f 45 1d 52 45 c5 Sep 21 07:38:49.720972: | ikev2 g^x 27 54 07 44 9f a8 da 1c be aa 38 6d dc 3e 44 df Sep 21 07:38:49.720975: | ikev2 g^x f3 ea db a7 60 5c 25 57 c4 d8 31 ff 5e 14 d9 ec Sep 21 07:38:49.720977: | ikev2 g^x 23 83 a0 92 5e 7f a4 16 f2 0f da 62 68 9b f9 1b Sep 21 07:38:49.720979: | ikev2 g^x 23 91 c7 06 cc 61 62 80 50 a5 e4 6c c4 6b cb 32 Sep 21 07:38:49.720981: | ikev2 g^x f5 d3 92 c5 b9 c0 17 1d fa 2d cf e5 3e 21 16 7b Sep 21 07:38:49.720984: | ikev2 g^x f4 f4 90 d0 5d 33 6e d4 e7 f2 05 da 97 f9 68 95 Sep 21 07:38:49.720986: | ikev2 g^x e2 e7 df 00 e5 c4 8d 53 b3 d0 a1 f1 0a 5e 80 72 Sep 21 07:38:49.720988: | ikev2 g^x 36 31 ff 6a e7 c4 c2 a9 2f b7 ae 02 31 55 b1 cf Sep 21 07:38:49.720991: | ikev2 g^x 4d e7 a4 15 51 a9 62 19 c9 0f b4 52 3c aa 32 e7 Sep 21 07:38:49.720993: | ikev2 g^x 0c ae d0 f2 6e 26 ff 2d 30 62 89 40 f8 79 6d 95 Sep 21 07:38:49.720995: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:38:49.720998: | ***emit IKEv2 Nonce Payload: Sep 21 07:38:49.721000: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.721003: | flags: none (0x0) Sep 21 07:38:49.721005: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:38:49.721009: | next payload chain: setting previous 
'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:38:49.721011: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.721015: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:38:49.721018: | IKEv2 nonce fd cb 7c 9b 62 ac 35 72 9c a9 de 77 90 c2 7c f6 Sep 21 07:38:49.721020: | IKEv2 nonce db d0 79 12 67 14 ba bb 31 0d cd 50 c0 21 18 e2 Sep 21 07:38:49.721022: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:38:49.721025: | Adding a v2N Payload Sep 21 07:38:49.721027: | ***emit IKEv2 Notify Payload: Sep 21 07:38:49.721030: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.721032: | flags: none (0x0) Sep 21 07:38:49.721035: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.721037: | SPI size: 0 (0x0) Sep 21 07:38:49.721040: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:49.721043: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.721045: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.721048: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:49.721051: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:49.721059: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:49.721062: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.721064: | natd_hash: rcookie= af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.721066: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:49.721069: | natd_hash: port= 01 f4 Sep 21 07:38:49.721071: | natd_hash: hash= 70 81 e8 e9 dd a0 f1 cc 97 c9 e9 b3 0d 80 3b 53 Sep 21 07:38:49.721073: | natd_hash: hash= 9e c2 93 f0 Sep 21 07:38:49.721075: | Adding a v2N Payload Sep 21 07:38:49.721078: | ***emit IKEv2 Notify Payload: Sep 21 07:38:49.721080: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.721082: | flags: none (0x0) Sep 21 07:38:49.721085: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.721087: | SPI size: 0 (0x0) Sep 21 07:38:49.721090: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:49.721092: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.721095: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.721098: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:49.721101: | Notify data 70 81 e8 e9 dd a0 f1 cc 97 c9 e9 b3 0d 80 3b 53 Sep 21 07:38:49.721103: | Notify data 9e c2 93 f0 Sep 21 07:38:49.721105: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:49.721111: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:49.721113: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.721116: | natd_hash: rcookie= af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.721118: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:49.721120: | natd_hash: port= 01 f4 Sep 21 07:38:49.721122: | natd_hash: hash= 64 e4 31 4e 48 d1 96 6e 54 42 9a 58 e9 b3 82 af Sep 21 07:38:49.721124: | natd_hash: hash= 96 ed 60 77 Sep 21 07:38:49.721126: | Adding a v2N Payload Sep 21 07:38:49.721129: | ***emit IKEv2 Notify Payload: Sep 21 
07:38:49.721131: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.721133: | flags: none (0x0) Sep 21 07:38:49.721136: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.721138: | SPI size: 0 (0x0) Sep 21 07:38:49.721140: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:49.721143: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.721146: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.721149: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:49.721151: | Notify data 64 e4 31 4e 48 d1 96 6e 54 42 9a 58 e9 b3 82 af Sep 21 07:38:49.721153: | Notify data 96 ed 60 77 Sep 21 07:38:49.721157: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:49.721160: | emitting length of ISAKMP Message: 432 Sep 21 07:38:49.721167: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.721170: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:38:49.721173: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:38:49.721177: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:38:49.721179: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:38:49.721184: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:38:49.721189: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:49.721195: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:38:49.721199: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:49.721208: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:38:49.721210: | 1b 4a a3 ae a4 7b 22 0d af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.721212: | 21 20 22 20 00 00 00 00 00 00 01 b0 22 00 00 28 Sep 21 07:38:49.721215: | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 Sep 21 07:38:49.721217: | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 Sep 21 07:38:49.721219: | 04 00 00 0e 28 00 01 08 00 0e 00 00 c6 04 30 e1 Sep 21 07:38:49.721221: | 26 19 b5 09 1d d9 97 95 b0 80 e3 72 f8 09 2c 5b Sep 21 07:38:49.721224: | f4 e9 07 31 eb af 20 15 f0 5e 1e 9a 3f f4 62 a0 Sep 21 07:38:49.721226: | f8 df 26 ac 12 23 17 39 e1 cc 5d d4 f8 dc cb 41 Sep 21 07:38:49.721228: | 48 53 8e eb 74 ca 5a 2c a8 56 4d f4 19 a4 1b f8 Sep 21 07:38:49.721231: | b5 9c 04 85 e4 d7 59 4e 8c 12 34 c2 ea c7 e4 c6 Sep 21 07:38:49.721233: | 5d 0f e2 aa a1 17 2f 45 1d 52 45 c5 27 54 07 44 Sep 21 07:38:49.721235: | 9f a8 da 1c be aa 38 6d dc 3e 44 df f3 ea db a7 Sep 21 07:38:49.721237: | 60 5c 25 57 c4 d8 31 ff 5e 14 d9 ec 23 83 a0 92 Sep 21 07:38:49.721240: | 5e 7f a4 16 f2 0f da 62 68 9b f9 1b 23 91 c7 06 Sep 21 07:38:49.721242: | cc 61 62 80 50 a5 e4 6c c4 6b cb 32 f5 d3 92 c5 Sep 21 07:38:49.721244: | b9 c0 17 1d fa 2d cf e5 3e 21 16 7b f4 f4 90 d0 Sep 21 07:38:49.721246: | 5d 33 6e d4 e7 f2 05 da 97 f9 68 95 e2 e7 df 00 Sep 21 07:38:49.721249: | e5 c4 8d 53 b3 d0 a1 f1 0a 5e 80 72 36 31 ff 6a Sep 21 07:38:49.721251: | e7 c4 c2 a9 2f b7 ae 02 31 55 b1 cf 4d e7 a4 15 Sep 21 07:38:49.721253: | 51 a9 62 19 c9 0f b4 52 3c aa 32 e7 0c ae d0 f2 Sep 21 07:38:49.721255: | 6e 26 ff 2d 30 62 89 40 f8 79 6d 95 29 00 00 24 Sep 21 07:38:49.721258: | fd cb 7c 9b 62 ac 35 72 9c a9 de 77 90 c2 7c f6 Sep 21 07:38:49.721260: | db d0 79 12 67 14 ba bb 31 0d cd 50 c0 21 18 e2 Sep 21 07:38:49.721262: | 29 00 00 08 00 
00 40 2e 29 00 00 1c 00 00 40 04 Sep 21 07:38:49.721264: | 70 81 e8 e9 dd a0 f1 cc 97 c9 e9 b3 0d 80 3b 53 Sep 21 07:38:49.721267: | 9e c2 93 f0 00 00 00 1c 00 00 40 05 64 e4 31 4e Sep 21 07:38:49.721269: | 48 d1 96 6e 54 42 9a 58 e9 b3 82 af 96 ed 60 77 Sep 21 07:38:49.721322: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:49.721326: | libevent_free: release ptr-libevent@0x55fe43640cb0 Sep 21 07:38:49.721329: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fe43640c70 Sep 21 07:38:49.721332: | event_schedule: new EVENT_SO_DISCARD-pe@0x55fe43640c70 Sep 21 07:38:49.721336: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:38:49.721339: | libevent_malloc: new ptr-libevent@0x55fe43640cb0 size 128 Sep 21 07:38:49.721342: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:49.721349: | #1 spent 0.552 milliseconds in resume sending helper answer Sep 21 07:38:49.721355: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:49.721358: | libevent_free: release ptr-libevent@0x7fc884006900 Sep 21 07:38:49.724742: | spent 0.0026 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:49.724762: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:38:49.724766: | 1b 4a a3 ae a4 7b 22 0d af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.724768: | 2e 20 23 08 00 00 00 01 00 00 00 f1 23 00 00 d5 Sep 21 07:38:49.724771: | 78 a2 28 20 4e a1 7e 8d 13 2f 79 f2 ab e2 72 97 Sep 21 07:38:49.724773: | b0 7e e4 cb 36 f0 86 7d db f7 44 e8 a6 bd 68 c0 Sep 21 07:38:49.724776: | ac ea 8e 90 f5 01 ff 45 2b cf ba d9 9d 7b 50 9b Sep 21 07:38:49.724778: | 89 d0 f4 77 1a 3e 58 12 f1 7c 82 c8 f8 7b 65 0b Sep 21 07:38:49.724781: | 98 61 ef 04 e4 c4 d8 d2 3e e0 ab 35 6a b8 01 92 Sep 21 07:38:49.724788: | 03 b8 58 3e 48 89 98 12 93 26 63 96 4d 26 4c bc Sep 21 07:38:49.724791: | 
0b eb 54 10 67 aa 07 9e a6 f5 1f 5a e1 25 0a 88 Sep 21 07:38:49.724794: | 07 bb 69 ff 1a ac 4a 59 61 3f 48 33 aa 37 b9 d6 Sep 21 07:38:49.724796: | 71 9d a4 c8 00 13 a5 fc ab 7b 0d d3 67 b7 e4 08 Sep 21 07:38:49.724799: | b0 ae 60 da ef 9d 4f 4c e5 e0 41 94 50 ac 6c b5 Sep 21 07:38:49.724801: | 13 a9 f4 33 fa 15 3e b1 a5 0b 27 9c d8 73 dc ed Sep 21 07:38:49.724804: | af 87 4b 5e 4b 5e de 38 2c c6 4d 39 45 29 89 a6 Sep 21 07:38:49.724806: | 15 58 d7 3a 15 f8 3b 93 83 a5 7b 5a be f6 64 08 Sep 21 07:38:49.724808: | 89 Sep 21 07:38:49.724814: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:49.724817: | **parse ISAKMP Message: Sep 21 07:38:49.724820: | initiator cookie: Sep 21 07:38:49.724823: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.724825: | responder cookie: Sep 21 07:38:49.724828: | af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.724831: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:49.724834: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.724837: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:49.724839: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:49.724842: | Message ID: 1 (0x1) Sep 21 07:38:49.724845: | length: 241 (0xf1) Sep 21 07:38:49.724848: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:38:49.724852: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:38:49.724856: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:38:49.724864: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:49.724868: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:49.724874: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:49.724877: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 
00000001 Sep 21 07:38:49.724882: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:38:49.724885: | unpacking clear payload Sep 21 07:38:49.724887: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:49.724890: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:49.724893: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:38:49.724896: | flags: none (0x0) Sep 21 07:38:49.724899: | length: 213 (0xd5) Sep 21 07:38:49.724901: | processing payload: ISAKMP_NEXT_v2SK (len=209) Sep 21 07:38:49.724906: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:49.724909: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:49.724915: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:49.724918: | Now let's proceed with state specific processing Sep 21 07:38:49.724921: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:49.724924: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:38:49.724928: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:38:49.724933: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:38:49.724935: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:38:49.724939: | libevent_free: release ptr-libevent@0x55fe43640cb0 Sep 21 07:38:49.724942: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55fe43640c70 Sep 21 07:38:49.724945: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55fe43640c70 Sep 21 07:38:49.724949: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:49.724952: | libevent_malloc: new ptr-libevent@0x55fe43640cb0 size 128 Sep 21 07:38:49.724963: | #1 spent 0.037 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in 
ikev2_process_state_packet() Sep 21 07:38:49.724970: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.724974: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:49.724976: | suspending state #1 and saving MD Sep 21 07:38:49.724979: | #1 is busy; has a suspended MD Sep 21 07:38:49.724985: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:49.724990: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:38:49.724996: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:49.725000: | #1 spent 0.243 milliseconds in ikev2_process_packet() Sep 21 07:38:49.725005: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:49.725008: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:49.725011: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:49.725015: | spent 0.258 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:49.725027: | crypto helper 1 resuming Sep 21 07:38:49.725032: | crypto helper 1 starting work-order 2 for state #1 Sep 21 07:38:49.725036: | crypto helper 1 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:38:49.726036: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:38:49.726495: | crypto helper 1 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001458 seconds Sep 21 07:38:49.726503: | (#1) spent 1.46 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:38:49.726506: | crypto helper 1 
sending results from work-order 2 for state #1 to event queue Sep 21 07:38:49.726509: | scheduling resume sending helper answer for #1 Sep 21 07:38:49.726512: | libevent_malloc: new ptr-libevent@0x7fc87c006b90 size 128 Sep 21 07:38:49.726520: | crypto helper 1 waiting (nothing to do) Sep 21 07:38:49.726531: | processing resume sending helper answer for #1 Sep 21 07:38:49.726538: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:49.726542: | crypto helper 1 replies to request ID 2 Sep 21 07:38:49.726545: | calling continuation function 0x55fe42fd4630 Sep 21 07:38:49.726548: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:38:49.726551: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:49.726563: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:38:49.726571: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:38:49.726574: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:38:49.726577: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:38:49.726580: | flags: none (0x0) Sep 21 07:38:49.726583: | length: 12 (0xc) Sep 21 07:38:49.726586: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:49.726589: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:38:49.726591: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:38:49.726594: | **parse IKEv2 Authentication Payload: Sep 21 07:38:49.726597: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.726600: | flags: none (0x0) Sep 21 07:38:49.726602: | length: 72 (0x48) Sep 21 07:38:49.726605: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:49.726608: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:38:49.726610: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:49.726613: | **parse IKEv2 Security Association Payload: Sep 21 07:38:49.726616: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 
07:38:49.726618: | flags: none (0x0) Sep 21 07:38:49.726621: | length: 44 (0x2c) Sep 21 07:38:49.726623: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:38:49.726626: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:38:49.726629: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:49.726631: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:38:49.726634: | flags: none (0x0) Sep 21 07:38:49.726637: | length: 24 (0x18) Sep 21 07:38:49.726639: | number of TS: 1 (0x1) Sep 21 07:38:49.726642: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:38:49.726644: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:38:49.726647: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:49.726650: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.726652: | flags: none (0x0) Sep 21 07:38:49.726655: | length: 24 (0x18) Sep 21 07:38:49.726657: | number of TS: 1 (0x1) Sep 21 07:38:49.726660: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:38:49.726663: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.726666: | **parse IKEv2 Notify Payload: Sep 21 07:38:49.726668: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.726671: | flags: none (0x0) Sep 21 07:38:49.726673: | length: 8 (0x8) Sep 21 07:38:49.726676: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.726679: | SPI size: 0 (0x0) Sep 21 07:38:49.726682: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:49.726684: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:49.726687: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:38:49.726690: | Now let's proceed with state specific processing Sep 21 07:38:49.726693: | calling processor Responder: process IKE_AUTH request Sep 21 07:38:49.726700: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Sep 21 07:38:49.726707: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:49.726711: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:38:49.726714: | peer ID c0 01 03 21 Sep 21 07:38:49.726719: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:49.726725: | match_id a=192.1.3.33 Sep 21 07:38:49.726728: | b=192.1.3.33 Sep 21 07:38:49.726731: | results matched Sep 21 07:38:49.726737: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:38:49.726740: | Warning: not switching back to template of current instance Sep 21 07:38:49.726743: | No IDr payload received from peer Sep 21 07:38:49.726748: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Sep 21 07:38:49.726755: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.726759: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.726763: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.726769: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.726774: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.726777: | line 1: match=002 Sep 21 07:38:49.726780: | match 002 beats previous best_match 000 match=0x55fe436305d0 (line=1) Sep 21 07:38:49.727077: | concluding with best_match=002 best=0x55fe436305d0 (lineno=1) Sep 21 07:38:49.727087: | returning because exact peer id match Sep 21 07:38:49.727090: | offered CA: '%none' Sep 21 07:38:49.727096: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Sep 21 07:38:49.727100: | received v2N_MOBIKE_SUPPORTED while it did not sent Sep 21 07:38:49.727123: | verifying AUTH payload Sep 21 07:38:49.727127: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:38:49.727133: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.727137: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.727141: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.727146: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.727151: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.727154: | line 1: match=002 Sep 21 07:38:49.727157: | match 002 beats previous best_match 000 match=0x55fe436305d0 (line=1) Sep 21 07:38:49.727160: | concluding with best_match=002 best=0x55fe436305d0 (lineno=1) Sep 21 07:38:49.727228: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Sep 21 07:38:49.727234: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:38:49.727239: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:49.727242: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:49.727245: | libevent_free: release ptr-libevent@0x55fe43640cb0 Sep 21 07:38:49.727248: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55fe43640c70 Sep 21 07:38:49.727251: | event_schedule: new EVENT_SA_REKEY-pe@0x55fe43640c70 Sep 21 07:38:49.727255: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:38:49.727258: | libevent_malloc: new ptr-libevent@0x55fe43640cb0 size 128 Sep 21 07:38:49.727592: | pstats #1 ikev2.ike established Sep 21 07:38:49.727602: | **emit ISAKMP Message: Sep 21 07:38:49.727605: | initiator cookie: Sep 21 07:38:49.727607: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:49.727610: | responder cookie: Sep 21 07:38:49.727612: | af 24 43 63 c6 85 f5 b2 Sep 21 07:38:49.727615: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:49.727618: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Sep 21 07:38:49.727620: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:49.727623: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:49.727626: | Message ID: 1 (0x1) Sep 21 07:38:49.727628: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:49.727632: | IKEv2 CERT: send a certificate? Sep 21 07:38:49.727635: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:38:49.727637: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:49.727640: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.727643: | flags: none (0x0) Sep 21 07:38:49.727646: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:49.727649: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.727652: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:49.727663: | Adding a v2N Payload Sep 21 07:38:49.727666: | ****emit IKEv2 Notify Payload: Sep 21 07:38:49.727668: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.727671: | flags: none (0x0) Sep 21 07:38:49.727673: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.727675: | SPI size: 0 (0x0) Sep 21 07:38:49.727678: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:49.727680: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.727683: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.727685: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:49.727688: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:49.727702: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:38:49.727705: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Sep 21 07:38:49.727708: | flags: none (0x0) Sep 21 07:38:49.727710: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:49.727714: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:38:49.727716: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.727720: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:38:49.727722: | my identity c0 01 02 17 Sep 21 07:38:49.727725: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:38:49.727733: | assembled IDr payload Sep 21 07:38:49.727736: | CHILD SA proposals received Sep 21 07:38:49.727738: | going to assemble AUTH payload Sep 21 07:38:49.727741: | ****emit IKEv2 Authentication Payload: Sep 21 07:38:49.727743: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.727745: | flags: none (0x0) Sep 21 07:38:49.727748: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:49.727751: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:38:49.727754: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:38:49.727757: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.727760: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:38:49.727765: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.727769: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.727772: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.727777: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Sep 21 07:38:49.727782: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.727791: | line 1: match=002 Sep 21 07:38:49.727795: | match 002 beats previous best_match 000 match=0x55fe436305d0 (line=1) Sep 21 07:38:49.727797: | concluding with best_match=002 best=0x55fe436305d0 (lineno=1) Sep 21 07:38:49.727857: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:38:49.727861: | PSK auth a0 be b1 1f 46 ca c8 1c d0 ab 5b 10 c8 c3 c7 d5 Sep 21 07:38:49.727863: | PSK auth 95 6b cf 08 86 96 ae 87 60 7a 6a a3 72 57 62 a0 Sep 21 07:38:49.727866: | PSK auth 63 dd 45 7e be d8 ab 80 12 62 3a 42 29 52 c9 6e Sep 21 07:38:49.727868: | PSK auth 1a dc c5 5b 58 b2 1f 0d e7 41 79 75 96 b8 ac 37 Sep 21 07:38:49.727871: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:38:49.727875: | creating state object #2 at 0x55fe436421d0 Sep 21 07:38:49.727878: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:38:49.727883: | pstats #2 ikev2.child started Sep 21 07:38:49.727890: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Sep 21 07:38:49.727895: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:38:49.727902: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:49.727908: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:49.727913: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:49.727917: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:38:49.727920: | TSi: parsing 1 traffic selectors Sep 21 07:38:49.727923: | ***parse 
IKEv2 Traffic Selector: Sep 21 07:38:49.727926: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.727929: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.727932: | length: 16 (0x10) Sep 21 07:38:49.727934: | start port: 0 (0x0) Sep 21 07:38:49.727937: | end port: 65535 (0xffff) Sep 21 07:38:49.727940: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:49.727943: | TS low c0 00 03 00 Sep 21 07:38:49.727946: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:49.727948: | TS high c0 00 03 ff Sep 21 07:38:49.727951: | TSi: parsed 1 traffic selectors Sep 21 07:38:49.727954: | TSr: parsing 1 traffic selectors Sep 21 07:38:49.727957: | ***parse IKEv2 Traffic Selector: Sep 21 07:38:49.727959: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.727962: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.727965: | length: 16 (0x10) Sep 21 07:38:49.727968: | start port: 0 (0x0) Sep 21 07:38:49.727970: | end port: 65535 (0xffff) Sep 21 07:38:49.727973: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:49.727976: | TS low c0 00 02 00 Sep 21 07:38:49.727979: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:49.727981: | TS high c0 00 02 ff Sep 21 07:38:49.727984: | TSr: parsed 1 traffic selectors Sep 21 07:38:49.727986: | looking for best SPD in current connection Sep 21 07:38:49.727995: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:49.728001: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.728008: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:49.728012: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:49.728014: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:49.728018: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:49.728021: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 
Sep 21 07:38:49.728026: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.728033: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:38:49.728037: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:38:49.728039: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:49.728042: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:49.728046: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.728049: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:49.728051: | found better spd route for TSi[0],TSr[0] Sep 21 07:38:49.728054: | looking for better host pair Sep 21 07:38:49.728060: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:38:49.728066: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:38:49.728069: | investigating connection "eastnet-northnet" as a better match Sep 21 07:38:49.728075: | match_id a=192.1.3.33 Sep 21 07:38:49.728078: | b=192.1.3.33 Sep 21 07:38:49.728081: | results matched Sep 21 07:38:49.728089: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:49.728094: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.728101: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:49.728104: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:49.728107: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:49.728110: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:49.728114: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.728119: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.728126: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:38:49.728129: | narrow port end=0..65535 == 
TSr[0]=0..65535: 0 Sep 21 07:38:49.728132: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:49.728135: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:49.728138: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.728141: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:49.728144: | did not find a better connection using host pair Sep 21 07:38:49.728147: | printing contents struct traffic_selector Sep 21 07:38:49.728149: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:49.728152: | ipprotoid: 0 Sep 21 07:38:49.728155: | port range: 0-65535 Sep 21 07:38:49.728159: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:38:49.728162: | printing contents struct traffic_selector Sep 21 07:38:49.728165: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:49.728167: | ipprotoid: 0 Sep 21 07:38:49.728170: | port range: 0-65535 Sep 21 07:38:49.728174: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:38:49.728179: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:38:49.728186: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:38:49.728193: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:38:49.728200: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:38:49.728204: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:38:49.728207: | local proposal 1 type ENCR has 1 transforms Sep 21 07:38:49.728210: | local proposal 1 type PRF has 0 transforms Sep 21 07:38:49.728213: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:49.728216: | local proposal 1 type DH has 1 transforms Sep 21 07:38:49.728218: | local proposal 1 type ESN has 1 transforms Sep 21 07:38:49.728222: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:38:49.728225: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.728228: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.728231: | length: 40 (0x28) Sep 21 07:38:49.728234: | prop #: 1 (0x1) Sep 21 07:38:49.728236: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:49.728239: | spi size: 4 (0x4) Sep 21 07:38:49.728242: | # transforms: 3 (0x3) Sep 21 07:38:49.728245: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:38:49.728248: | remote SPI 65 7e e0 be Sep 21 07:38:49.728251: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:38:49.728254: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.728257: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728260: | length: 12 (0xc) Sep 21 07:38:49.728265: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.728268: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.728271: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.728274: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Sep 21 07:38:49.728276: | length/value: 256 (0x100) Sep 21 07:38:49.728281: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:38:49.728284: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.728287: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728289: | length: 8 (0x8) Sep 21 07:38:49.728292: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.728295: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.728299: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:38:49.728301: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.728304: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.728307: | length: 8 (0x8) Sep 21 07:38:49.728309: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:49.728312: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:49.728316: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:38:49.728320: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:38:49.728324: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:38:49.728327: | remote proposal 1 matches local proposal 1 Sep 21 07:38:49.728334: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=657ee0be;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Sep 21 07:38:49.728340: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=657ee0be;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:38:49.728343: | converting proposal to internal trans attrs Sep 21 07:38:49.728364: | netlink_get_spi: allocated 
0xdd1416dd for esp.0@192.1.2.23 Sep 21 07:38:49.728367: | Emitting ikev2_proposal ... Sep 21 07:38:49.728370: | ****emit IKEv2 Security Association Payload: Sep 21 07:38:49.728373: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.728375: | flags: none (0x0) Sep 21 07:38:49.728379: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:49.728382: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.728385: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.728388: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.728390: | prop #: 1 (0x1) Sep 21 07:38:49.728393: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:49.728396: | spi size: 4 (0x4) Sep 21 07:38:49.728398: | # transforms: 3 (0x3) Sep 21 07:38:49.728401: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:49.728405: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:38:49.728407: | our spi dd 14 16 dd Sep 21 07:38:49.728410: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.728413: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728415: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.728418: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.728421: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.728424: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.728427: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.728432: | length/value: 256 (0x100) Sep 21 07:38:49.728435: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:49.728437: | ******emit IKEv2 Transform Substructure 
Payload: Sep 21 07:38:49.728440: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728443: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.728446: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.728449: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728452: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.728455: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.728457: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.728460: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.728463: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:49.728465: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:49.728469: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.728472: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.728474: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.728477: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:38:49.728480: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:49.728483: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:38:49.728486: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:49.728489: | received v2N_MOBIKE_SUPPORTED Sep 21 07:38:49.728492: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:49.728494: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.728497: | flags: none (0x0) Sep 21 07:38:49.728500: | number of TS: 1 (0x1) Sep 21 07:38:49.728503: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:38:49.728506: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.728509: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:49.728512: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.728514: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.728517: | start port: 0 (0x0) Sep 21 07:38:49.728520: | end port: 65535 (0xffff) Sep 21 07:38:49.728523: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:49.728525: | IP start c0 00 03 00 Sep 21 07:38:49.728528: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:49.728530: | IP end c0 00 03 ff Sep 21 07:38:49.728533: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:49.728536: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:38:49.728539: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:49.728541: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.728544: | flags: none (0x0) Sep 21 07:38:49.728547: | number of TS: 1 (0x1) Sep 21 07:38:49.728550: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:38:49.728553: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.728556: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:49.728560: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.728562: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.728565: | start port: 0 (0x0) Sep 21 
07:38:49.728568: | end port: 65535 (0xffff) Sep 21 07:38:49.728571: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:49.728573: | IP start c0 00 02 00 Sep 21 07:38:49.728576: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:49.728578: | IP end c0 00 02 ff Sep 21 07:38:49.728581: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:49.728584: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:38:49.728587: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:49.728590: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Sep 21 07:38:49.728758: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:38:49.728768: | #1 spent 1.55 milliseconds Sep 21 07:38:49.728771: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:38:49.728774: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Sep 21 07:38:49.728777: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:38:49.728781: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.728788: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.728794: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.728797: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.728805: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:49.728809: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Sep 21 07:38:49.728813: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Sep 21 07:38:49.728816: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Sep 21 07:38:49.728820: | setting IPsec SA replay-window to 32 Sep 21 07:38:49.728824: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:49.728827: | netlink: enabling tunnel mode Sep 21 07:38:49.728830: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:49.728834: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:49.729096: | netlink response for Add SA esp.657ee0be@192.1.3.33 included non-error error Sep 21 07:38:49.729103: | set up outgoing SA, ref=0/0 Sep 21 07:38:49.729107: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Sep 21 07:38:49.729111: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Sep 21 07:38:49.729114: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Sep 21 07:38:49.729118: | setting IPsec SA replay-window to 32 Sep 21 07:38:49.729122: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:49.729125: | netlink: enabling tunnel mode Sep 21 07:38:49.729128: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:49.729131: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:49.729315: | 
netlink response for Add SA esp.dd1416dd@192.1.2.23 included non-error error Sep 21 07:38:49.729321: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:49.729329: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:38:49.729333: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:49.729586: | raw_eroute result=success Sep 21 07:38:49.729592: | set up incoming SA, ref=0/0 Sep 21 07:38:49.729595: | sr for #2: unrouted Sep 21 07:38:49.729598: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:38:49.729600: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:38:49.729604: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.729606: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.729609: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.729615: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.729620: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:49.729623: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:38:49.729627: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:49.729634: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:38:49.729637: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:49.729756: | raw_eroute result=success Sep 21 07:38:49.729762: | running updown command "ipsec _updown" for verb up Sep 21 07:38:49.729765: | command executing up-client Sep 21 07:38:49.729798: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Sep 21 07:38:49.729804: | popen cmd is 1048 chars long Sep 21 07:38:49.729807: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Sep 21 07:38:49.729810: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:38:49.729813: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Sep 21 07:38:49.729816: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:38:49.729818: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Sep 21 07:38:49.729821: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Sep 21 07:38:49.729823: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:38:49.729826: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Sep 21 07:38:49.729829: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Sep 21 07:38:49.729831: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Sep 21 07:38:49.729834: | cmd( 800):_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Sep 21 07:38:49.729836: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Sep 21 07:38:49.729839: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x657ee0be SPI_OUT=0xdd1416dd ipsec _upd: Sep 21 07:38:49.729841: | cmd(1040):own 2>&1: Sep 21 07:38:49.739976: | route_and_eroute: firewall_notified: true Sep 21 07:38:49.739989: | running updown command "ipsec _updown" for verb prepare Sep 21 07:38:49.739993: | command executing prepare-client Sep 21 07:38:49.740024: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Sep 21 07:38:49.740031: | popen cmd is 1053 chars long Sep 21 07:38:49.740034: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:38:49.740037: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:38:49.740039: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.: Sep 21 07:38:49.740042: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:38:49.740044: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Sep 21 07:38:49.740047: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Sep 21 07:38:49.740049: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Sep 21 07:38:49.740052: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Sep 21 07:38:49.740054: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Sep 21 07:38:49.740057: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Sep 21 07:38:49.740059: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Sep 21 07:38:49.740062: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Sep 21 07:38:49.740064: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x657ee0be SPI_OUT=0xdd1416dd ipsec: Sep 21 07:38:49.740067: | cmd(1040): _updown 2>&1: Sep 21 07:38:49.789680: | running updown command "ipsec _updown" for verb route Sep 21 07:38:49.789694: | command executing route-client Sep 21 07:38:49.789726: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:38:49.789730: | popen cmd is 1051 chars long Sep 21 07:38:49.789733: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Sep 21 07:38:49.789736: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Sep 21 07:38:49.789739: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Sep 21 07:38:49.789741: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:38:49.789744: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Sep 21 07:38:49.789747: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Sep 21 07:38:49.789753: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Sep 21 07:38:49.789756: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Sep 21 07:38:49.789759: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Sep 21 07:38:49.789761: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:38:49.789764: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:38:49.789766: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:38:49.789769: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x657ee0be SPI_OUT=0xdd1416dd ipsec _: Sep 21 07:38:49.789771: | cmd(1040):updown 2>&1: Sep 21 07:38:49.854918: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x55fe4363e3e0,sr=0x55fe4363e3e0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:38:49.859817: | #1 spent 1.03 milliseconds in install_ipsec_sa() Sep 21 07:38:49.859832: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:38:49.859835: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:49.859839: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:49.859843: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:49.859845: | emitting length of IKEv2 Encryption Payload: 213 Sep 21 07:38:49.859848: | emitting length of ISAKMP Message: 241 Sep 21 07:38:49.859869: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:38:49.859875: | #1 spent 2.64 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:38:49.859884: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.859890: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.859895: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:38:49.859898: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:38:49.859901: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:38:49.859904: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:38:49.859910: | Message ID: recv #1.#2 request 
1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:49.859915: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:38:49.859918: | pstats #2 ikev2.child established Sep 21 07:38:49.859927: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:38:49.859932: | NAT-T: encaps is 'auto' Sep 21 07:38:49.859937: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x657ee0be <0xdd1416dd xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Sep 21 07:38:49.859943: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:49.859949: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:38:49.860049: | releasing whack for #2 (sock=fd@-1) Sep 21 07:38:49.860053: | releasing whack and unpending for parent #1 Sep 21 07:38:49.860057: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:49.860062: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:49.860065: | event_schedule: new EVENT_SA_REKEY-pe@0x7fc884002b20 Sep 21 07:38:49.860069: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:38:49.860073: | libevent_malloc: new ptr-libevent@0x55fe436453b0 size 128 Sep 21 07:38:49.860079: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:49.860085: | #1 spent 2.98 milliseconds in resume sending helper answer Sep 21 07:38:49.860091: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:49.860095: | libevent_free: release ptr-libevent@0x7fc87c006b90 Sep 21 07:38:49.860107: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.860112: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.860117: | spent 0.00506 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:49.860119: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.860123: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.860126: | spent 0.00333 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:49.860129: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.860132: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.860136: | spent 0.0037 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:56.620763: | spent 0.00276 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:56.620802: | *received 121 bytes from 192.1.8.22:500 on eth1 
(192.1.2.23:500) Sep 21 07:38:56.620839: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Sep 21 07:38:56.620841: | **parse ISAKMP Message: Sep 21 07:38:56.620843: | initiator cookie: Sep 21 07:38:56.620845: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:56.620846: | responder cookie: Sep 21 07:38:56.620848: | af 24 43 63 c6 85 f5 b2 Sep 21 07:38:56.620851: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:56.620854: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:56.620856: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:56.620859: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:56.620864: | Message ID: 2 (0x2) Sep 21 07:38:56.620865: | length: 121 (0x79) Sep 21 07:38:56.620867: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:38:56.620869: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:38:56.620872: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:38:56.620878: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:56.620880: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:56.620883: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at 
ikev2.c:2064) Sep 21 07:38:56.620885: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:38:56.620888: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:38:56.620889: | unpacking clear payload Sep 21 07:38:56.620891: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:56.620893: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:56.620894: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:56.620896: | flags: none (0x0) Sep 21 07:38:56.620897: | length: 93 (0x5d) Sep 21 07:38:56.620899: | processing payload: ISAKMP_NEXT_v2SK (len=89) Sep 21 07:38:56.620902: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:38:56.620905: | #1 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:56.620920: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:38:56.620923: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:56.620925: | **parse IKEv2 Notify Payload: Sep 21 07:38:56.620927: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:56.620928: | flags: none (0x0) Sep 21 07:38:56.620930: | length: 8 (0x8) Sep 21 07:38:56.620931: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:56.620933: | SPI size: 0 (0x0) Sep 21 07:38:56.620934: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Sep 21 07:38:56.620936: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:56.620937: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:56.620939: | **parse IKEv2 Notify Payload: Sep 21 07:38:56.620940: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:56.620942: | flags: none (0x0) Sep 21 07:38:56.620943: | length: 28 (0x1c) Sep 21 07:38:56.620944: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:56.620946: | SPI size: 0 (0x0) Sep 21 07:38:56.620947: | Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:56.620949: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:56.620950: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:56.620952: | **parse IKEv2 Notify Payload: Sep 21 07:38:56.620953: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:56.620955: | flags: none (0x0) Sep 21 07:38:56.620956: | length: 28 (0x1c) Sep 21 07:38:56.620957: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:56.620959: | SPI size: 0 (0x0) Sep 21 07:38:56.620960: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:56.620962: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:56.620964: | selected state microcode R2: process Informational Request Sep 21 07:38:56.620966: | Now let's proceed with state specific processing Sep 21 07:38:56.620968: | calling processor R2: process Informational Request Sep 21 07:38:56.620972: | an informational request should send a response Sep 21 07:38:56.620975: | Need to process v2N_UPDATE_SA_ADDRESSES Sep 21 07:38:56.620977: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:56.620979: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:56.620988: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:56.620995: | responder migrate kernel SA esp.657ee0be@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Sep 21 07:38:56.621075: | responder migrate kernel SA esp.dd1416dd@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Sep 21 07:38:56.621107: | responder migrate kernel SA esp.dd1416dd@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Sep 21 07:38:56.621117: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:56.621120: | free hp@0x55fe435cde80 Sep 21 07:38:56.621124: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Sep 21 07:38:56.621125: | new 
hp@0x55fe4363ea30 Sep 21 07:38:56.621129: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:56.621131: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Sep 21 07:38:56.621135: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:38:56.621137: | **emit ISAKMP Message: Sep 21 07:38:56.621139: | initiator cookie: Sep 21 07:38:56.621140: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:56.621141: | responder cookie: Sep 21 07:38:56.621143: | af 24 43 63 c6 85 f5 b2 Sep 21 07:38:56.621144: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:56.621146: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:56.621148: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:56.621149: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:56.621151: | Message ID: 2 (0x2) Sep 21 07:38:56.621152: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:56.621154: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:56.621156: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:56.621157: | flags: none (0x0) Sep 21 07:38:56.621159: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:56.621161: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:56.621163: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:56.621167: | adding NATD payloads to MOBIKE response Sep 21 07:38:56.621169: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:56.621176: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:56.621177: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:56.621179: | natd_hash: rcookie= af 24 43 63 c6 85 f5 b2 Sep 21 07:38:56.621180: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:56.621182: | natd_hash: port= 01 f4 Sep 21 07:38:56.621183: | natd_hash: hash= 70 81 e8 e9 dd a0 f1 cc 97 c9 e9 b3 0d 80 3b 53 Sep 21 07:38:56.621184: | natd_hash: hash= 9e c2 93 f0 Sep 21 07:38:56.621186: | Adding a v2N Payload Sep 21 07:38:56.621187: | ****emit IKEv2 Notify Payload: Sep 21 07:38:56.621189: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:56.621190: | flags: none (0x0) Sep 21 07:38:56.621192: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:56.621193: | SPI size: 0 (0x0) Sep 21 07:38:56.621195: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:56.621197: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:56.621198: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:56.621200: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:56.621202: | Notify data 70 81 e8 e9 dd a0 f1 cc 97 c9 e9 b3 0d 80 3b 53 Sep 21 07:38:56.621203: | Notify data 9e c2 93 f0 Sep 21 07:38:56.621205: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:56.621208: | natd_hash: hasher=0x55fe430aa7a0(20) Sep 21 07:38:56.621212: | natd_hash: icookie= 1b 4a a3 ae a4 7b 22 0d Sep 21 07:38:56.621213: | natd_hash: rcookie= af 24 43 63 c6 85 f5 b2 Sep 21 07:38:56.621229: | natd_hash: ip= c0 01 08 16 Sep 21 07:38:56.621231: | natd_hash: port= 01 f4 Sep 21 07:38:56.621232: | natd_hash: hash= 98 89 63 fc af cc 7c 4c 73 1e 3d fe d8 f8 75 cd Sep 21 07:38:56.621234: | natd_hash: hash= af 5c 2a 2b Sep 21 07:38:56.621235: | Adding a v2N Payload Sep 21 07:38:56.621237: | ****emit 
IKEv2 Notify Payload: Sep 21 07:38:56.621238: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:56.621239: | flags: none (0x0) Sep 21 07:38:56.621241: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:56.621242: | SPI size: 0 (0x0) Sep 21 07:38:56.621244: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:56.621246: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:56.621247: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:56.621249: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:56.621251: | Notify data 98 89 63 fc af cc 7c 4c 73 1e 3d fe d8 f8 75 cd Sep 21 07:38:56.621252: | Notify data af 5c 2a 2b Sep 21 07:38:56.621254: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:56.621256: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:56.621258: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:56.621273: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:56.621274: | emitting length of IKEv2 Encryption Payload: 85 Sep 21 07:38:56.621276: | emitting length of ISAKMP Message: 113 Sep 21 07:38:56.621284: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1)
Sep 21 07:38:56.621324: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:56.621327: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:56.621332: | #1 spent 0.329 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Sep 21 07:38:56.621336: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:56.621338: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Sep 21 07:38:56.621340: | Message ID: updating counters for #1 to 2 after switching state Sep 21 07:38:56.621343: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:38:56.621345: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:56.621347: | STATE_PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:56.621351: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:56.621355: | #1 spent 0.546 milliseconds in ikev2_process_packet() Sep 21 07:38:56.621358: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Sep 21 07:38:56.621360: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:56.621362: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 
07:38:56.621364: | spent 0.555 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:39:07.307147: | processing global timer EVENT_SHUNT_SCAN Sep 21 07:39:07.307178: | expiring aged bare shunts from shunt table Sep 21 07:39:07.307187: | spent 0.00675 milliseconds in global timer EVENT_SHUNT_SCAN Sep 21 07:39:10.107297: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:10.107319: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:39:10.107321: | FOR_EACH_STATE_... in sort_states Sep 21 07:39:10.107328: | get_sa_info esp.dd1416dd@192.1.2.23 Sep 21 07:39:10.107342: | get_sa_info esp.657ee0be@192.1.8.22 Sep 21 07:39:10.107356: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:10.107362: | spent 0.074 milliseconds in whack Sep 21 07:39:10.351508: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:10.352175: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:10.352197: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:10.352538: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:39:10.352548: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:39:10.352590: | get_sa_info esp.dd1416dd@192.1.2.23 Sep 21 07:39:10.352635: | get_sa_info esp.657ee0be@192.1.8.22 Sep 21 07:39:10.352703: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:10.352723: | spent 1.23 milliseconds in whack Sep 21 07:39:11.754510: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:11.754526: shutting down Sep 21 07:39:11.754531: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:39:11.754534: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:39:11.754539: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:39:11.754540: forgetting secrets Sep 21 07:39:11.754542: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:39:11.754547: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Sep 21 07:39:11.754551: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Sep 21 07:39:11.754553: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:11.754554: | pass 0 Sep 21 07:39:11.754556: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:11.754557: | state #2 Sep 21 07:39:11.754576: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:11.754580: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:11.754582: | pstats #2 ikev2.child deleted completed Sep 21 07:39:11.754585: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:11.754589: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 22.026s and sending notification Sep 21 07:39:11.754591: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:39:11.754607: | get_sa_info esp.657ee0be@192.1.8.22 Sep 21 07:39:11.754617: | get_sa_info esp.dd1416dd@192.1.2.23 Sep 21 07:39:11.754622: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Sep 21 07:39:11.754628: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:39:11.754630: | Opening output PBS informational exchange delete request Sep 21 07:39:11.754633: | **emit ISAKMP Message: Sep 21 07:39:11.754634: | initiator cookie: Sep 21 07:39:11.754636: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:39:11.754637: | responder cookie: Sep 21 07:39:11.754638: | af 24 43 63 c6 85 f5 b2 Sep 21 07:39:11.754640: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:11.754642: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:11.754644: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:11.754646: | flags: none (0x0) Sep 21 07:39:11.754647: | Message ID: 0 (0x0) Sep 21 07:39:11.754649: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:11.754651: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:11.754653: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:11.754654: | flags: none (0x0) Sep 21 07:39:11.754656: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:11.754658: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:11.754660: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:11.754669: | ****emit IKEv2 Delete Payload: Sep 21 07:39:11.754670: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:11.754672: | flags: none (0x0) Sep 21 07:39:11.754673: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:39:11.754675: | SPI size: 4 (0x4) Sep 21 07:39:11.754676: | number of SPIs: 1 (0x1) Sep 21 07:39:11.754678: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:11.754680: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:11.754682: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:39:11.754683: | local spis dd 14 16 dd Sep 21 07:39:11.754685: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:39:11.754687: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:11.754689: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:11.754691: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:11.754692: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:39:11.754694: | emitting length of ISAKMP Message: 69 Sep 21 07:39:11.754714: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Sep 21 07:39:11.754716: | 1b 4a a3 ae a4 7b 22 0d af 24 43 63 c6 85 f5 b2 Sep 21 07:39:11.754717: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Sep 21 07:39:11.754718: | 22 c1 bb 01 d4 59 1c 64 4e a8 67 e8 91 b5 4d 90 Sep 21 07:39:11.754720: | fc a2 3f a0 fa 59 1c 71 da 5c bb ba 54 a6 a8 1e Sep 21 07:39:11.754721: | d3 93 65 9b 17 Sep 21 07:39:11.754763: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:39:11.754766: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:39:11.754769: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:39:11.754771: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:11.754774: | libevent_free: release ptr-libevent@0x55fe436453b0 Sep 21 07:39:11.754776: | free_event_entry: release EVENT_SA_REKEY-pe@0x7fc884002b20 Sep 21 07:39:11.754881: | running updown command "ipsec _updown" for verb down Sep 21 07:39:11.754887: | command executing down-client Sep 21 07:39:11.754932: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051529' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Sep 21 07:39:11.754940: | popen cmd is 1061 chars long Sep 21 07:39:11.754944: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Sep 21 07:39:11.754947: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:39:11.754950: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:39:11.754953: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:39:11.754956: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Sep 21 07:39:11.754960: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Sep 21 07:39:11.754963: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Sep 21 07:39:11.754966: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051529' PLUTO_CONN_P: Sep 21 07:39:11.754969: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Sep 21 07:39:11.754972: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Sep 21 07:39:11.754975: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Sep 21 07:39:11.754977: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Sep 21 07:39:11.754979: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x657ee0be SPI_OUT=0xdd1416: Sep 21 07:39:11.754981: | cmd(1040):dd ipsec _updown 2>&1: Sep 21 07:39:11.761655: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:11.761666: | netlink_shunt_eroute for proto 0, and source 
192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:11.761669: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:11.761671: | IPsec Sa SPD priority set to 1042407 Sep 21 07:39:11.761705: | delete esp.657ee0be@192.1.8.22 Sep 21 07:39:11.761729: | netlink response for Del SA esp.657ee0be@192.1.8.22 included non-error error Sep 21 07:39:11.761732: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:11.761754: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:39:11.761803: | raw_eroute result=success Sep 21 07:39:11.761811: | delete esp.dd1416dd@192.1.2.23 Sep 21 07:39:11.761866: | netlink response for Del SA esp.dd1416dd@192.1.2.23 included non-error error Sep 21 07:39:11.761876: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:39:11.761880: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:39:11.761884: | in connection_discard for connection eastnet-northnet Sep 21 07:39:11.761887: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:39:11.761908: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:39:11.761914: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:11.761919: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:11.761920: | state #1 Sep 21 07:39:11.761922: | pass 1 Sep 21 07:39:11.761923: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:11.761925: | state #1 Sep 21 07:39:11.761928: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:11.761930: | pstats #1 ikev2.ike deleted completed Sep 21 07:39:11.761933: | #1 spent 8.48 milliseconds in total Sep 21 07:39:11.761936: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:11.761939: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 22.043s and sending notification Sep 21 07:39:11.761941: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:39:11.761999: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:39:11.762002: | Opening output PBS informational exchange delete request Sep 21 07:39:11.762003: | **emit ISAKMP Message: Sep 21 07:39:11.762005: | initiator cookie: Sep 21 07:39:11.762007: | 1b 4a a3 ae a4 7b 22 0d Sep 21 07:39:11.762010: | responder cookie: Sep 21 07:39:11.762012: | af 24 43 63 c6 85 f5 b2 Sep 21 07:39:11.762016: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:11.762019: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:11.762022: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:11.762025: | flags: none (0x0) Sep 21 07:39:11.762028: | Message ID: 1 (0x1) Sep 21 07:39:11.762044: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:11.762047: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:11.762051: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:11.762054: | flags: none (0x0) Sep 21 07:39:11.762057: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:11.762059: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:11.762061: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:11.762068: | ****emit IKEv2 Delete Payload: Sep 21 07:39:11.762069: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:11.762071: | flags: none (0x0) Sep 21 07:39:11.762072: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:39:11.762074: | SPI size: 0 (0x0) Sep 21 07:39:11.762075: | number of SPIs: 0 (0x0) Sep 21 07:39:11.762077: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:11.762079: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:11.762081: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:39:11.762082: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:11.762084: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:11.762086: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:11.762088: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:39:11.762089: | emitting length of ISAKMP Message: 65 Sep 21 07:39:11.762103: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Sep 21 07:39:11.762105: | 1b 4a a3 ae a4 7b 22 0d af 24 43 63 c6 85 f5 b2 Sep 21 07:39:11.762106: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:39:11.762108: | 75 5c 7d b1 fc 4f e3 44 39 01 2e 6a 03 d7 d8 91 Sep 21 07:39:11.762111: | 2a 5e ff 02 0e 4f 9a ae 70 1a d2 1d 70 ed c6 0a Sep 21 07:39:11.762112: | 8a Sep 21 07:39:11.762146: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:39:11.762149: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:39:11.762152: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:39:11.762155: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:39:11.762157: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:11.762160: | libevent_free: release ptr-libevent@0x55fe43640cb0 Sep 21 07:39:11.762161: | free_event_entry: release EVENT_SA_REKEY-pe@0x55fe43640c70 Sep 21 07:39:11.762163: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:39:11.762165: | in connection_discard for connection eastnet-northnet Sep 21 07:39:11.762167: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:39:11.762169: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:39:11.762181: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:11.762192: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:11.762196: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:11.762199: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:11.762201: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:11.762222: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:11.762229: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:39:11.762231: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:11.762233: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:11.762234: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:11.762236: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:11.762238: | route owner of "eastnet-northnet" unrouted: NULL Sep 21 07:39:11.762240: | running updown command "ipsec _updown" for verb unroute Sep 21 07:39:11.762241: | command executing unroute-client Sep 21 07:39:11.762280: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Sep 21 07:39:11.762284: | popen cmd is 1042 chars long Sep 21 07:39:11.762287: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:39:11.762291: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:39:11.762295: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Sep 21 
07:39:11.762300: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:39:11.762304: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Sep 21 07:39:11.762308: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Sep 21 07:39:11.762311: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Sep 21 07:39:11.762315: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Sep 21 07:39:11.762318: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Sep 21 07:39:11.762322: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Sep 21 07:39:11.762325: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Sep 21 07:39:11.762329: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Sep 21 07:39:11.762333: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Sep 21 07:39:11.762335: | cmd(1040):&1: Sep 21 07:39:11.769416: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769426: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769428: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769430: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769432: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769434: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769436: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769443: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769487: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:39:11.769490: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769491: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769493: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769494: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769496: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769500: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769542: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769545: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769546: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769547: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769549: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769551: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769558: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769566: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769575: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769583: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769592: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769713: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769722: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:11.769731: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:39:11.773593: | free hp@0x55fe4363ea30 Sep 21 07:39:11.773603: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:11.773606: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:39:11.773611: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Sep 21 07:39:11.773616: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:11.773618: | pass 0 Sep 21 07:39:11.773619: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:11.773621: | pass 1 Sep 21 07:39:11.773622: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:11.773624: | free hp@0x55fe43607a20 Sep 21 07:39:11.773626: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:11.773628: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Sep 21 07:39:11.773631: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:39:11.773633: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:39:11.773641: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:39:11.773643: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:39:11.773645: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:39:11.773647: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:39:11.773649: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:39:11.773651: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:39:11.773653: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:39:11.773660: | libevent_free: release ptr-libevent@0x55fe4363b090 Sep 21 07:39:11.773662: | free_event_entry: release EVENT_NULL-pe@0x55fe43624290 Sep 21 07:39:11.773670: | libevent_free: release ptr-libevent@0x55fe4363b180 Sep 21 07:39:11.773671: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b140 Sep 21 07:39:11.773676: | libevent_free: release ptr-libevent@0x55fe4363b270 Sep 21 07:39:11.773677: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b230 Sep 21 07:39:11.773681: | libevent_free: release ptr-libevent@0x55fe4363b360 Sep 21 07:39:11.773683: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b320 Sep 21 07:39:11.773688: | libevent_free: release ptr-libevent@0x55fe4363b450 Sep 21 07:39:11.773689: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b410 Sep 21 07:39:11.773693: | libevent_free: release ptr-libevent@0x55fe4363b540 Sep 21 07:39:11.773695: | free_event_entry: release EVENT_NULL-pe@0x55fe4363b500 Sep 21 07:39:11.773698: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:39:11.774060: | libevent_free: release ptr-libevent@0x55fe4363a9f0 Sep 21 07:39:11.774066: | free_event_entry: release EVENT_NULL-pe@0x55fe43623510 Sep 21 07:39:11.774069: | libevent_free: release ptr-libevent@0x55fe43630480 Sep 21 07:39:11.774070: | free_event_entry: release EVENT_NULL-pe@0x55fe436237c0 Sep 21 07:39:11.774073: | libevent_free: release ptr-libevent@0x55fe436303f0 Sep 21 07:39:11.774074: | free_event_entry: release EVENT_NULL-pe@0x55fe43628f20 Sep 21 07:39:11.774076: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:39:11.774078: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:39:11.774079: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:39:11.774081: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:39:11.774082: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:39:11.774084: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:39:11.774085: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:39:11.774086: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:39:11.774088: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:39:11.774091: | libevent_free: release ptr-libevent@0x55fe4363aac0 Sep 21 07:39:11.774093: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:39:11.774095: | libevent_free: release ptr-libevent@0x55fe4363aba0 Sep 21 07:39:11.774097: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:39:11.774099: | libevent_free: release ptr-libevent@0x55fe4363ac60 Sep 21 07:39:11.774100: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:39:11.774102: | libevent_free: release ptr-libevent@0x55fe4362f6f0 Sep 21 07:39:11.774104: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:39:11.774105: | releasing event base Sep 21 07:39:11.774118: | libevent_free: release ptr-libevent@0x55fe4363ad20 Sep 21 07:39:11.774120: | libevent_free: release ptr-libevent@0x55fe43610260 Sep 21 07:39:11.774122: | libevent_free: 
release ptr-libevent@0x55fe4361eaa0 Sep 21 07:39:11.774124: | libevent_free: release ptr-libevent@0x55fe4361eb70 Sep 21 07:39:11.774125: | libevent_free: release ptr-libevent@0x55fe4361eac0 Sep 21 07:39:11.774127: | libevent_free: release ptr-libevent@0x55fe4363aa80 Sep 21 07:39:11.774128: | libevent_free: release ptr-libevent@0x55fe4363ab60 Sep 21 07:39:11.774130: | libevent_free: release ptr-libevent@0x55fe4361eb50 Sep 21 07:39:11.774131: | libevent_free: release ptr-libevent@0x55fe4361ecb0 Sep 21 07:39:11.774133: | libevent_free: release ptr-libevent@0x55fe43623710 Sep 21 07:39:11.774134: | libevent_free: release ptr-libevent@0x55fe4363b5d0 Sep 21 07:39:11.774135: | libevent_free: release ptr-libevent@0x55fe4363b4e0 Sep 21 07:39:11.774137: | libevent_free: release ptr-libevent@0x55fe4363b3f0 Sep 21 07:39:11.774138: | libevent_free: release ptr-libevent@0x55fe4363b300 Sep 21 07:39:11.774139: | libevent_free: release ptr-libevent@0x55fe4363b210 Sep 21 07:39:11.774141: | libevent_free: release ptr-libevent@0x55fe4363b120 Sep 21 07:39:11.774142: | libevent_free: release ptr-libevent@0x55fe435a2370 Sep 21 07:39:11.774144: | libevent_free: release ptr-libevent@0x55fe4363ac40 Sep 21 07:39:11.774145: | libevent_free: release ptr-libevent@0x55fe4363ab80 Sep 21 07:39:11.774146: | libevent_free: release ptr-libevent@0x55fe4363aaa0 Sep 21 07:39:11.774148: | libevent_free: release ptr-libevent@0x55fe4363ad00 Sep 21 07:39:11.774149: | libevent_free: release ptr-libevent@0x55fe435a05b0 Sep 21 07:39:11.774151: | libevent_free: release ptr-libevent@0x55fe4361eae0 Sep 21 07:39:11.774153: | libevent_free: release ptr-libevent@0x55fe4361eb10 Sep 21 07:39:11.774154: | libevent_free: release ptr-libevent@0x55fe4361e800 Sep 21 07:39:11.774155: | releasing global libevent data Sep 21 07:39:11.774157: | libevent_free: release ptr-libevent@0x55fe4361d4f0 Sep 21 07:39:11.774159: | libevent_free: release ptr-libevent@0x55fe4361e7a0 Sep 21 07:39:11.774161: | libevent_free: release 
ptr-libevent@0x55fe4361e7d0