Sep 21 07:38:46.946767: FIPS Product: YES Sep 21 07:38:46.946819: FIPS Kernel: NO Sep 21 07:38:46.946822: FIPS Mode: NO Sep 21 07:38:46.946825: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:38:46.947205: Initializing NSS Sep 21 07:38:46.947211: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:38:47.041836: NSS initialized Sep 21 07:38:47.041850: NSS crypto library initialized Sep 21 07:38:47.041853: FIPS HMAC integrity support [enabled] Sep 21 07:38:47.041855: FIPS mode disabled for pluto daemon Sep 21 07:38:47.190441: FIPS HMAC integrity verification self-test FAILED Sep 21 07:38:47.190593: libcap-ng support [enabled] Sep 21 07:38:47.190607: Linux audit support [enabled] Sep 21 07:38:47.190637: Linux audit activated Sep 21 07:38:47.190642: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:28228 Sep 21 07:38:47.190646: core dump dir: /tmp Sep 21 07:38:47.190649: secrets file: /etc/ipsec.secrets Sep 21 07:38:47.190651: leak-detective disabled Sep 21 07:38:47.190653: NSS crypto [enabled] Sep 21 07:38:47.190655: XAUTH PAM support [enabled] Sep 21 07:38:47.190730: | libevent is using pluto's memory allocator Sep 21 07:38:47.190741: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:38:47.190754: | libevent_malloc: new ptr-libevent@0x56513f26c4e0 size 40 Sep 21 07:38:47.190760: | libevent_malloc: new ptr-libevent@0x56513f26d790 size 40 Sep 21 07:38:47.190763: | libevent_malloc: new ptr-libevent@0x56513f26d7c0 size 40 Sep 21 07:38:47.190765: | creating event base Sep 21 07:38:47.190768: | libevent_malloc: new ptr-libevent@0x56513f26d750 size 56 Sep 21 07:38:47.190771: | libevent_malloc: new ptr-libevent@0x56513f26d7f0 size 664 Sep 21 07:38:47.190789: | libevent_malloc: new 
ptr-libevent@0x56513f26da90 size 24 Sep 21 07:38:47.190796: | libevent_malloc: new ptr-libevent@0x56513f25f250 size 384 Sep 21 07:38:47.190807: | libevent_malloc: new ptr-libevent@0x56513f26dab0 size 16 Sep 21 07:38:47.190810: | libevent_malloc: new ptr-libevent@0x56513f26dad0 size 40 Sep 21 07:38:47.190813: | libevent_malloc: new ptr-libevent@0x56513f26db00 size 48 Sep 21 07:38:47.190820: | libevent_realloc: new ptr-libevent@0x56513f1f1370 size 256 Sep 21 07:38:47.190823: | libevent_malloc: new ptr-libevent@0x56513f26db40 size 16 Sep 21 07:38:47.190829: | libevent_free: release ptr-libevent@0x56513f26d750 Sep 21 07:38:47.190832: | libevent initialized Sep 21 07:38:47.190837: | libevent_realloc: new ptr-libevent@0x56513f26db60 size 64 Sep 21 07:38:47.190840: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:38:47.190861: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:38:47.190865: NAT-Traversal support [enabled] Sep 21 07:38:47.190868: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:38:47.190875: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:38:47.190887: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:38:47.190925: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:38:47.190932: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:38:47.190936: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:38:47.190986: Encryption algorithms: Sep 21 07:38:47.190994: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:38:47.190998: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:38:47.191002: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:38:47.191006: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:38:47.191009: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:38:47.191020: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:38:47.191024: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:38:47.191027: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:38:47.191031: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:38:47.191034: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:38:47.191037: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:38:47.191041: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:38:47.191044: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:38:47.191048: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:38:47.191052: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:38:47.191054: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:38:47.191058: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:38:47.191070: Hash algorithms: Sep 21 07:38:47.191073: MD5 IKEv1: IKE IKEv2: Sep 21 07:38:47.191076: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:38:47.191080: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:38:47.191083: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:38:47.191085: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:38:47.191098: PRF algorithms: Sep 21 07:38:47.191101: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:38:47.191105: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:38:47.191108: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:38:47.191111: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:38:47.191114: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:38:47.191117: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:38:47.191142: Integrity algorithms: Sep 21 07:38:47.191147: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:38:47.191151: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:38:47.191155: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:38:47.191159: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:38:47.191163: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:38:47.191166: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:38:47.191170: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:38:47.191172: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:38:47.191176: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:38:47.191187: DH algorithms: Sep 21 07:38:47.191191: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:38:47.191193: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:38:47.191196: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:38:47.191202: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:38:47.191206: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:38:47.191208: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:38:47.191212: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:38:47.191215: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:38:47.191218: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:38:47.191221: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:38:47.191224: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:38:47.191226: testing CAMELLIA_CBC: Sep 21 07:38:47.191229: Camellia: 16 bytes with 128-bit key Sep 21 07:38:47.191368: Camellia: 16 bytes with 128-bit key Sep 21 07:38:47.191401: Camellia: 16 bytes with 256-bit key Sep 21 07:38:47.191438: Camellia: 
16 bytes with 256-bit key Sep 21 07:38:47.191469: testing AES_GCM_16: Sep 21 07:38:47.191474: empty string Sep 21 07:38:47.191504: one block Sep 21 07:38:47.191533: two blocks Sep 21 07:38:47.191562: two blocks with associated data Sep 21 07:38:47.191591: testing AES_CTR: Sep 21 07:38:47.191595: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:38:47.191623: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:38:47.191652: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:38:47.191684: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:38:47.191713: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:38:47.191745: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:38:47.191776: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:38:47.191810: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:38:47.191844: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:38:47.191876: testing AES_CBC: Sep 21 07:38:47.191880: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:38:47.191910: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.191942: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.191973: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:38:47.192011: testing AES_XCBC: Sep 21 07:38:47.192016: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:38:47.192142: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:38:47.192282: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:38:47.192416: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:38:47.192552: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:38:47.192691: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:38:47.192838: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:38:47.193153: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:38:47.193296: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:38:47.193446: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:38:47.193704: testing HMAC_MD5: Sep 21 07:38:47.193709: RFC 2104: MD5_HMAC test 1 Sep 21 07:38:47.193906: RFC 2104: MD5_HMAC test 2 Sep 21 07:38:47.194077: RFC 2104: MD5_HMAC test 3 Sep 21 07:38:47.194335: 8 CPU cores online Sep 21 07:38:47.194341: starting up 7 crypto helpers Sep 21 07:38:47.194376: started thread for crypto helper 0 Sep 21 07:38:47.194400: started thread for crypto helper 1 Sep 21 07:38:47.194426: started thread for crypto helper 2 Sep 21 07:38:47.194449: started thread for crypto helper 3 Sep 21 07:38:47.194472: started thread for crypto helper 4 Sep 21 07:38:47.194494: started thread for crypto helper 5 Sep 21 07:38:47.194524: started thread for crypto helper 6 Sep 21 07:38:47.194528: | checking IKEv1 state table Sep 21 07:38:47.194536: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194538: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:38:47.194541: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194544: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:38:47.194547: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:38:47.194549: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:38:47.194551: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.194554: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.194557: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:38:47.194559: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:38:47.194561: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.194563: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:47.194566: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:38:47.194569: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.194571: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.194573: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:47.194576: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:38:47.194578: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.194581: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.194583: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:47.194586: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:38:47.194588: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194591: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:38:47.194593: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194596: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194598: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:38:47.194601: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194603: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:47.194605: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:47.194608: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:38:47.194610: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:47.194613: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:47.194615: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:38:47.194617: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194620: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.194622: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194625: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:38:47.194627: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:38:47.194630: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:38:47.194632: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:38:47.194635: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:38:47.194637: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:38:47.194640: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:38:47.194642: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194645: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:38:47.194647: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194650: | INFO: category: informational flags: 0: Sep 21 07:38:47.194652: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194655: | INFO_PROTECTED: category: informational 
flags: 0: Sep 21 07:38:47.194657: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194660: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:38:47.194662: | -> XAUTH_R1 EVENT_NULL Sep 21 07:38:47.194665: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:38:47.194667: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:47.194670: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:38:47.194672: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:38:47.194675: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:38:47.194677: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:38:47.194680: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.194682: | -> UNDEFINED EVENT_NULL Sep 21 07:38:47.194685: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:38:47.194690: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:47.194693: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.194695: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:38:47.194698: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:38:47.194700: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:38:47.194707: | checking IKEv2 state table Sep 21 07:38:47.194713: | PARENT_I0: category: ignore flags: 0: Sep 21 07:38:47.194716: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:38:47.194719: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194722: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:38:47.194725: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:38:47.194728: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:38:47.194730: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:38:47.194733: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:38:47.194735: | -> PARENT_I2 EVENT_NULL (Initiator: process 
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:38:47.194738: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:38:47.194740: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:38:47.194743: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:38:47.194746: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:38:47.194748: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:38:47.194751: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:38:47.194753: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:38:47.194756: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194758: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:38:47.194761: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:38:47.194764: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:38:47.194766: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:38:47.194769: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:38:47.194772: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:38:47.194774: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:38:47.194777: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:38:47.194779: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:38:47.194782: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.194807: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:38:47.194810: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:38:47.194813: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:38:47.194816: | V2_REKEY_IKE_I0: category: established IKE SA 
flags: 0: Sep 21 07:38:47.194818: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:47.194821: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:38:47.194824: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:38:47.194827: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:38:47.194830: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:38:47.194833: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:38:47.194835: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:38:47.194838: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:38:47.194844: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:38:47.194852: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:47.194857: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:38:47.194860: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:38:47.194862: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:38:47.194864: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:38:47.194867: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:38:47.194871: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:38:47.194922: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:38:47.194984: | Hard-wiring algorithms Sep 21 07:38:47.194989: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:38:47.194993: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:38:47.194996: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:38:47.194998: | adding 3DES_CBC to kernel algorithm db Sep 21 07:38:47.195001: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:38:47.195003: | adding AES_GCM_16 to kernel algorithm db Sep 21 
07:38:47.195005: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:38:47.195008: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:38:47.195010: | adding AES_CTR to kernel algorithm db Sep 21 07:38:47.195013: | adding AES_CBC to kernel algorithm db Sep 21 07:38:47.195015: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:38:47.195018: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:38:47.195020: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:38:47.195023: | adding NULL to kernel algorithm db Sep 21 07:38:47.195026: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:38:47.195028: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:38:47.195031: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:38:47.195033: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:38:47.195036: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:38:47.195038: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:38:47.195041: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:38:47.195043: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:38:47.195045: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:38:47.195048: | adding NONE to kernel algorithm db Sep 21 07:38:47.195071: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:38:47.195078: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:38:47.195081: | setup kernel fd callback Sep 21 07:38:47.195084: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x56513f277f10 Sep 21 07:38:47.195088: | libevent_malloc: new ptr-libevent@0x56513f27f3e0 size 128 Sep 21 07:38:47.195091: | libevent_malloc: new ptr-libevent@0x56513f26dca0 size 16 Sep 21 07:38:47.195098: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x56513f2727b0 Sep 21 07:38:47.195100: | libevent_malloc: new ptr-libevent@0x56513f27f470 size 128 Sep 21 07:38:47.195103: | libevent_malloc: new ptr-libevent@0x56513f272700 size 16 Sep 21 
07:38:47.195326: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:38:47.195336: selinux support is enabled. Sep 21 07:38:47.195895: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:38:47.196081: | unbound context created - setting debug level to 5 Sep 21 07:38:47.196116: | /etc/hosts lookups activated Sep 21 07:38:47.196136: | /etc/resolv.conf usage activated Sep 21 07:38:47.196193: | outgoing-port-avoid set 0-65535 Sep 21 07:38:47.196220: | outgoing-port-permit set 32768-60999 Sep 21 07:38:47.196223: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:38:47.196226: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:38:47.196230: | Setting up events, loop start Sep 21 07:38:47.196233: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x56513f272500 Sep 21 07:38:47.196240: | libevent_malloc: new ptr-libevent@0x56513f2899e0 size 128 Sep 21 07:38:47.196243: | libevent_malloc: new ptr-libevent@0x56513f289a70 size 16 Sep 21 07:38:47.196250: | libevent_realloc: new ptr-libevent@0x56513f1ef5b0 size 256 Sep 21 07:38:47.196253: | libevent_malloc: new ptr-libevent@0x56513f289a90 size 8 Sep 21 07:38:47.196256: | libevent_realloc: new ptr-libevent@0x56513f27e6e0 size 144 Sep 21 07:38:47.196259: | libevent_malloc: new ptr-libevent@0x56513f289ab0 size 152 Sep 21 07:38:47.196263: | libevent_malloc: new ptr-libevent@0x56513f289b50 size 16 Sep 21 07:38:47.196267: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:38:47.196270: | libevent_malloc: new ptr-libevent@0x56513f289b70 size 8 Sep 21 07:38:47.196273: | libevent_malloc: new ptr-libevent@0x56513f289b90 size 152 Sep 21 07:38:47.196276: | signal event handler PLUTO_SIGTERM installed Sep 21 07:38:47.196278: | libevent_malloc: new ptr-libevent@0x56513f289c30 size 8 Sep 21 07:38:47.196281: | libevent_malloc: new ptr-libevent@0x56513f289c50 size 152 Sep 21 07:38:47.196284: | signal event handler PLUTO_SIGHUP installed Sep 21 07:38:47.196287: | 
libevent_malloc: new ptr-libevent@0x56513f289cf0 size 8 Sep 21 07:38:47.196289: | libevent_realloc: release ptr-libevent@0x56513f27e6e0 Sep 21 07:38:47.196292: | libevent_realloc: new ptr-libevent@0x56513f289d10 size 256 Sep 21 07:38:47.196295: | libevent_malloc: new ptr-libevent@0x56513f27e6e0 size 152 Sep 21 07:38:47.196298: | signal event handler PLUTO_SIGSYS installed Sep 21 07:38:47.196666: | created addconn helper (pid:28457) using fork+execve Sep 21 07:38:47.196684: | forked child 28457 Sep 21 07:38:47.196725: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.197052: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:47.197065: listening for IKE messages Sep 21 07:38:47.197444: | Inspecting interface lo Sep 21 07:38:47.197455: | found lo with address 127.0.0.1 Sep 21 07:38:47.197458: | Inspecting interface eth0 Sep 21 07:38:47.197463: | found eth0 with address 192.0.2.254 Sep 21 07:38:47.197465: | Inspecting interface eth1 Sep 21 07:38:47.197469: | found eth1 with address 192.1.2.23 Sep 21 07:38:47.197527: Kernel supports NIC esp-hw-offload Sep 21 07:38:47.197549: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:38:47.197625: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.197632: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.197636: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:38:47.197674: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:38:47.197708: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.197714: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.197718: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:38:47.197754: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:38:47.197793: | 
NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:47.197801: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:47.197805: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:38:47.197883: | no interfaces to sort Sep 21 07:38:47.197889: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:38:47.197898: | add_fd_read_event_handler: new ethX-pe@0x56513f273280 Sep 21 07:38:47.197902: | libevent_malloc: new ptr-libevent@0x56513f28a080 size 128 Sep 21 07:38:47.197905: | libevent_malloc: new ptr-libevent@0x56513f28a110 size 16 Sep 21 07:38:47.197915: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:47.197918: | add_fd_read_event_handler: new ethX-pe@0x56513f28a130 Sep 21 07:38:47.197921: | libevent_malloc: new ptr-libevent@0x56513f28a170 size 128 Sep 21 07:38:47.197924: | libevent_malloc: new ptr-libevent@0x56513f28a200 size 16 Sep 21 07:38:47.197933: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:38:47.197937: | add_fd_read_event_handler: new ethX-pe@0x56513f28a220 Sep 21 07:38:47.197939: | libevent_malloc: new ptr-libevent@0x56513f28a260 size 128 Sep 21 07:38:47.197942: | libevent_malloc: new ptr-libevent@0x56513f28a2f0 size 16 Sep 21 07:38:47.197947: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:38:47.197950: | add_fd_read_event_handler: new ethX-pe@0x56513f28a310 Sep 21 07:38:47.197953: | libevent_malloc: new ptr-libevent@0x56513f28a350 size 128 Sep 21 07:38:47.197955: | libevent_malloc: new ptr-libevent@0x56513f28a3e0 size 16 Sep 21 07:38:47.197960: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:47.197963: | add_fd_read_event_handler: new ethX-pe@0x56513f28a400 Sep 21 07:38:47.197966: | libevent_malloc: new ptr-libevent@0x56513f28a440 size 128 Sep 21 07:38:47.197968: | libevent_malloc: new ptr-libevent@0x56513f28a4d0 size 16 Sep 21 07:38:47.197973: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 
07:38:47.197975: | add_fd_read_event_handler: new ethX-pe@0x56513f28a4f0 Sep 21 07:38:47.197978: | libevent_malloc: new ptr-libevent@0x56513f28a530 size 128 Sep 21 07:38:47.197981: | libevent_malloc: new ptr-libevent@0x56513f28a5c0 size 16 Sep 21 07:38:47.197986: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:38:47.197992: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:47.197995: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:47.198016: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:47.198038: | Processing PSK at line 1: passed Sep 21 07:38:47.198042: | certs and keys locked by 'process_secret' Sep 21 07:38:47.198047: | certs and keys unlocked by 'process_secret' Sep 21 07:38:47.198053: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:47.198155: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.198163: | spent 0.738 milliseconds in whack Sep 21 07:38:47.198179: | starting up helper thread 4 Sep 21 07:38:47.198190: | status value returned by setting the priority of this thread (crypto helper 4) 22 Sep 21 07:38:47.198195: | crypto helper 4 waiting (nothing to do) Sep 21 07:38:47.198702: | starting up helper thread 5 Sep 21 07:38:47.198712: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:38:47.198716: | crypto helper 5 waiting (nothing to do) Sep 21 07:38:47.198727: | starting up helper thread 2 Sep 21 07:38:47.198732: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:38:47.198735: | crypto helper 2 waiting (nothing to do) Sep 21 07:38:47.199028: | starting up helper thread 0 Sep 21 07:38:47.199041: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:38:47.199044: | crypto helper 0 waiting (nothing to do) Sep 21 07:38:47.201410: | starting up helper thread 1 Sep 21 07:38:47.201423: | status value returned by setting the priority 
of this thread (crypto helper 1) 22 Sep 21 07:38:47.201426: | crypto helper 1 waiting (nothing to do) Sep 21 07:38:47.201442: | starting up helper thread 6 Sep 21 07:38:47.201448: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:38:47.201450: | crypto helper 6 waiting (nothing to do) Sep 21 07:38:47.201464: | starting up helper thread 3 Sep 21 07:38:47.201469: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:38:47.201472: | crypto helper 3 waiting (nothing to do) Sep 21 07:38:47.276981: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.277002: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:47.277007: listening for IKE messages Sep 21 07:38:47.277042: | Inspecting interface lo Sep 21 07:38:47.277049: | found lo with address 127.0.0.1 Sep 21 07:38:47.277052: | Inspecting interface eth0 Sep 21 07:38:47.277056: | found eth0 with address 192.0.2.254 Sep 21 07:38:47.277062: | Inspecting interface eth1 Sep 21 07:38:47.277066: | found eth1 with address 192.1.2.23 Sep 21 07:38:47.277136: | no interfaces to sort Sep 21 07:38:47.277146: | libevent_free: release ptr-libevent@0x56513f28a080 Sep 21 07:38:47.277149: | free_event_entry: release EVENT_NULL-pe@0x56513f273280 Sep 21 07:38:47.277152: | add_fd_read_event_handler: new ethX-pe@0x56513f273280 Sep 21 07:38:47.277156: | libevent_malloc: new ptr-libevent@0x56513f28a080 size 128 Sep 21 07:38:47.277163: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:47.277167: | libevent_free: release ptr-libevent@0x56513f28a170 Sep 21 07:38:47.277170: | free_event_entry: release EVENT_NULL-pe@0x56513f28a130 Sep 21 07:38:47.277173: | add_fd_read_event_handler: new ethX-pe@0x56513f28a130 Sep 21 07:38:47.277175: | libevent_malloc: new ptr-libevent@0x56513f28a170 size 128 Sep 21 07:38:47.277180: | setup callback for interface lo 
127.0.0.1:500 fd 21 Sep 21 07:38:47.277183: | libevent_free: release ptr-libevent@0x56513f28a260 Sep 21 07:38:47.277186: | free_event_entry: release EVENT_NULL-pe@0x56513f28a220 Sep 21 07:38:47.277188: | add_fd_read_event_handler: new ethX-pe@0x56513f28a220 Sep 21 07:38:47.277191: | libevent_malloc: new ptr-libevent@0x56513f28a260 size 128 Sep 21 07:38:47.277195: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:38:47.277199: | libevent_free: release ptr-libevent@0x56513f28a350 Sep 21 07:38:47.277201: | free_event_entry: release EVENT_NULL-pe@0x56513f28a310 Sep 21 07:38:47.277203: | add_fd_read_event_handler: new ethX-pe@0x56513f28a310 Sep 21 07:38:47.277206: | libevent_malloc: new ptr-libevent@0x56513f28a350 size 128 Sep 21 07:38:47.277210: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:47.277214: | libevent_free: release ptr-libevent@0x56513f28a440 Sep 21 07:38:47.277216: | free_event_entry: release EVENT_NULL-pe@0x56513f28a400 Sep 21 07:38:47.277219: | add_fd_read_event_handler: new ethX-pe@0x56513f28a400 Sep 21 07:38:47.277221: | libevent_malloc: new ptr-libevent@0x56513f28a440 size 128 Sep 21 07:38:47.277226: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:38:47.277229: | libevent_free: release ptr-libevent@0x56513f28a530 Sep 21 07:38:47.277232: | free_event_entry: release EVENT_NULL-pe@0x56513f28a4f0 Sep 21 07:38:47.277234: | add_fd_read_event_handler: new ethX-pe@0x56513f28a4f0 Sep 21 07:38:47.277237: | libevent_malloc: new ptr-libevent@0x56513f28a530 size 128 Sep 21 07:38:47.277241: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:38:47.277244: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:47.277246: forgetting secrets Sep 21 07:38:47.277252: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:47.277265: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:47.277271: | Processing PSK at line 1: passed Sep 21 07:38:47.277274: | certs and keys 
locked by 'process_secret' Sep 21 07:38:47.277277: | certs and keys unlocked by 'process_secret' Sep 21 07:38:47.277281: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:47.277287: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.277294: | spent 0.321 milliseconds in whack Sep 21 07:38:47.278238: | processing signal PLUTO_SIGCHLD Sep 21 07:38:47.278251: | waitpid returned pid 28457 (exited with status 0) Sep 21 07:38:47.278255: | reaped addconn helper child (status 0) Sep 21 07:38:47.278259: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:47.278264: | spent 0.0152 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:47.381863: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:47.390822: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:47.390839: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:38:47.390843: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:47.390846: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:38:47.390850: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:38:47.390902: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:47.390961: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:38:47.390969: | from whack: got --esp=aes256-sha2 Sep 21 07:38:47.390985: | ESP/AH string values: AES_CBC_256-HMAC_SHA2_256_128 Sep 21 07:38:47.390989: | counting wild cards for (none) is 15 Sep 21 07:38:47.390994: | counting wild cards for 192.1.2.23 is 0 Sep 21 07:38:47.391000: | based upon policy, the connection is a template. Sep 21 07:38:47.391007: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:38:47.391011: | new hp@0x56513f256a10 Sep 21 07:38:47.391016: added connection description "eastnet-northnet" Sep 21 07:38:47.391025: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:47.391035: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Sep 21 07:38:47.391043: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:47.391049: | spent 0.27 milliseconds in whack Sep 21 07:38:49.646802: | spent 0.00588 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:49.646835: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:38:49.646964: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:49.646968: | **parse ISAKMP Message: Sep 21 07:38:49.646971: | initiator cookie: Sep 21 07:38:49.646973: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.646975: | responder cookie: Sep 21 07:38:49.646978: | 00 00 00 00 00 00 00 00 Sep
21 07:38:49.646980: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.646983: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.646986: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:49.646988: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:49.646991: | Message ID: 0 (0x0) Sep 21 07:38:49.646993: | length: 828 (0x33c) Sep 21 07:38:49.646996: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:38:49.647000: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:38:49.647003: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:38:49.647010: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:49.647013: | ***parse IKEv2 Security Association Payload: Sep 21 07:38:49.647016: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:38:49.647018: | flags: none (0x0) Sep 21 07:38:49.647021: | length: 436 (0x1b4) Sep 21 07:38:49.647023: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:38:49.647026: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:38:49.647028: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:38:49.647031: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:38:49.647033: | flags: none (0x0) Sep 21 07:38:49.647035: | length: 264 (0x108) Sep 21 07:38:49.647038: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.647040: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:38:49.647043: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:38:49.647045: | ***parse IKEv2 Nonce Payload: Sep 21 07:38:49.647048: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.647050: | flags: none (0x0) Sep 21 07:38:49.647075: | length: 36 (0x24) Sep 21 07:38:49.647078: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:38:49.647083: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.647086: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.647089: 
| next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.647091: | flags: none (0x0) Sep 21 07:38:49.647093: | length: 8 (0x8) Sep 21 07:38:49.647096: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.647098: | SPI size: 0 (0x0) Sep 21 07:38:49.647101: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:49.647103: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:49.647105: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.647108: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.647110: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.647112: | flags: none (0x0) Sep 21 07:38:49.647115: | length: 28 (0x1c) Sep 21 07:38:49.647117: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.647119: | SPI size: 0 (0x0) Sep 21 07:38:49.647122: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:49.647124: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:49.647127: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.647129: | ***parse IKEv2 Notify Payload: Sep 21 07:38:49.647131: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.647134: | flags: none (0x0) Sep 21 07:38:49.647136: | length: 28 (0x1c) Sep 21 07:38:49.647138: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.647140: | SPI size: 0 (0x0) Sep 21 07:38:49.647143: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:49.647145: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:49.647148: | DDOS disabled and no cookie sent, continuing Sep 21 07:38:49.647154: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647157: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:49.647160: | find_next_host_connection returns empty Sep 21 07:38:49.647164: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647169: | 
find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.647172: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:49.647176: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.647178: | find_next_host_connection returns empty Sep 21 07:38:49.647183: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:38:49.647187: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647190: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:49.647193: | find_next_host_connection returns empty Sep 21 07:38:49.647197: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647201: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.647204: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:49.647207: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.647209: | find_next_host_connection returns empty Sep 21 07:38:49.647213: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:38:49.647218: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647221: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:49.647223: | find_next_host_connection returns empty Sep 21 07:38:49.647227: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:49.647231: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.647236: | find_next_host_connection policy=PSK+IKEV2_ALLOW 
Sep 21 07:38:49.647239: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:49.647241: | find_next_host_connection returns eastnet-northnet Sep 21 07:38:49.647244: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:49.647246: | find_next_host_connection returns empty Sep 21 07:38:49.647248: | rw_instantiate Sep 21 07:38:49.647256: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:38:49.647260: | new hp@0x56513f21ce70 Sep 21 07:38:49.647267: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Sep 21 07:38:49.647271: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Sep 21 07:38:49.647276: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:49.647304: | creating state object #1 at 0x56513f28daf0 Sep 21 07:38:49.647307: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:38:49.647313: | pstats #1 ikev2.ike started Sep 21 07:38:49.647317: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:38:49.647320: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:38:49.647325: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:49.647336: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:49.647339: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:49.647345: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:49.647348: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:38:49.647351: | Message ID: #1 not a duplicate - message is new; 
initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:38:49.647356: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:38:49.647358: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:38:49.647361: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:38:49.647364: | Now let's proceed with state specific processing Sep 21 07:38:49.647366: | calling processor Respond to IKE_SA_INIT Sep 21 07:38:49.647372: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:49.647376: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Sep 21 07:38:49.647384: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.647392: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.647395: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.647401: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.647404: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.647410: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.647868: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:49.647886: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.647901: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:49.647905: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:38:49.647908: | local proposal 1 type ENCR has 1 transforms Sep 21 07:38:49.647911: | local proposal 1 type PRF has 2 transforms Sep 21 07:38:49.647913: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:49.647916: | local proposal 1 type DH has 8 transforms Sep 21 07:38:49.647919: | local proposal 1 type ESN has 0 transforms Sep 21 07:38:49.647922: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:49.647924: | local proposal 2 type ENCR has 1 transforms Sep 21 07:38:49.647927: | local proposal 2 type PRF 
has 2 transforms Sep 21 07:38:49.647929: | local proposal 2 type INTEG has 1 transforms Sep 21 07:38:49.647932: | local proposal 2 type DH has 8 transforms Sep 21 07:38:49.647934: | local proposal 2 type ESN has 0 transforms Sep 21 07:38:49.647937: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:49.647940: | local proposal 3 type ENCR has 1 transforms Sep 21 07:38:49.647942: | local proposal 3 type PRF has 2 transforms Sep 21 07:38:49.647945: | local proposal 3 type INTEG has 2 transforms Sep 21 07:38:49.647947: | local proposal 3 type DH has 8 transforms Sep 21 07:38:49.647950: | local proposal 3 type ESN has 0 transforms Sep 21 07:38:49.647953: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:49.647955: | local proposal 4 type ENCR has 1 transforms Sep 21 07:38:49.647957: | local proposal 4 type PRF has 2 transforms Sep 21 07:38:49.647960: | local proposal 4 type INTEG has 2 transforms Sep 21 07:38:49.647963: | local proposal 4 type DH has 8 transforms Sep 21 07:38:49.647965: | local proposal 4 type ESN has 0 transforms Sep 21 07:38:49.647968: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:49.647971: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.647974: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.647976: | length: 100 (0x64) Sep 21 07:38:49.647979: | prop #: 1 (0x1) Sep 21 07:38:49.647981: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.647984: | spi size: 0 (0x0) Sep 21 07:38:49.647986: | # transforms: 11 (0xb) Sep 21 07:38:49.647990: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:38:49.647993: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.647995: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648007: | length: 12 (0xc) Sep 21 07:38:49.648009: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 
07:38:49.648012: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.648015: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.648017: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.648020: | length/value: 256 (0x100) Sep 21 07:38:49.648024: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:38:49.648029: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648032: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648034: | length: 8 (0x8) Sep 21 07:38:49.648037: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648039: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.648043: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:38:49.648046: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:38:49.648049: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:38:49.648052: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:38:49.648054: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648065: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648067: | length: 8 (0x8) Sep 21 07:38:49.648070: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648072: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.648075: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648077: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648080: | length: 8 (0x8) Sep 21 07:38:49.648082: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648084: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.648088: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 
07:38:49.648091: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:38:49.648094: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:38:49.648097: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:38:49.648100: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648102: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648104: | length: 8 (0x8) Sep 21 07:38:49.648107: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648109: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.648112: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648114: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648116: | length: 8 (0x8) Sep 21 07:38:49.648119: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648121: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.648124: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648126: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648129: | length: 8 (0x8) Sep 21 07:38:49.648131: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648134: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.648136: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648139: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648141: | length: 8 (0x8) Sep 21 07:38:49.648143: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648146: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.648149: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648151: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648153: | length: 8 (0x8) Sep 21 07:38:49.648156: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648158: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Sep 21 07:38:49.648161: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648163: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648166: | length: 8 (0x8) Sep 21 07:38:49.648168: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648170: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.648175: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648177: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.648180: | length: 8 (0x8) Sep 21 07:38:49.648182: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648185: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.648188: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:38:49.648193: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:38:49.648195: | remote proposal 1 matches local proposal 1 Sep 21 07:38:49.648198: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.648201: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.648203: | length: 100 (0x64) Sep 21 07:38:49.648205: | prop #: 2 (0x2) Sep 21 07:38:49.648208: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.648210: | spi size: 0 (0x0) Sep 21 07:38:49.648212: | # transforms: 11 (0xb) Sep 21 07:38:49.648216: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.648218: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648221: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648223: | length: 12 (0xc) Sep 21 07:38:49.648225: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.648228: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.648230: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.648233: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 
07:38:49.648235: | length/value: 128 (0x80) Sep 21 07:38:49.648238: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648240: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648243: | length: 8 (0x8) Sep 21 07:38:49.648245: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648247: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.648250: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648253: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648255: | length: 8 (0x8) Sep 21 07:38:49.648257: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648260: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.648262: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648265: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648267: | length: 8 (0x8) Sep 21 07:38:49.648269: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648272: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.648274: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648277: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648279: | length: 8 (0x8) Sep 21 07:38:49.648282: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648284: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.648287: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648289: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648291: | length: 8 (0x8) Sep 21 07:38:49.648294: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648296: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.648299: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648301: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648303: | length: 8 (0x8) Sep 21 07:38:49.648306: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648308: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.648311: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648313: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648316: | length: 8 (0x8) Sep 21 07:38:49.648318: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648320: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.648327: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648329: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648332: | length: 8 (0x8) Sep 21 07:38:49.648334: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648337: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.648339: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648342: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648344: | length: 8 (0x8) Sep 21 07:38:49.648346: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648349: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.648351: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648354: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.648356: | length: 8 (0x8) Sep 21 07:38:49.648358: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648361: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.648364: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:38:49.648367: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:38:49.648370: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.648372: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:49.648375: | length: 116 (0x74) Sep 21 07:38:49.648377: | prop #: 3 (0x3) Sep 21 07:38:49.648379: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.648381: | spi size: 0 (0x0) Sep 21 07:38:49.648384: | # transforms: 13 (0xd) Sep 21 07:38:49.648387: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.648389: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648392: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648394: | length: 12 (0xc) Sep 21 07:38:49.648397: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.648399: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.648401: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.648404: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.648406: | length/value: 256 (0x100) Sep 21 07:38:49.648409: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648412: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648414: | length: 8 (0x8) Sep 21 07:38:49.648416: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648419: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.648421: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648424: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648426: | length: 8 (0x8) Sep 21 07:38:49.648428: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648431: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.648434: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648436: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648438: | length: 8 (0x8) Sep 21 07:38:49.648441: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.648443: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:49.648446: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648448: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648450: | length: 8 (0x8) Sep 21 07:38:49.648453: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.648455: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.648458: | *****parse IKEv2 Transform Substructure Payload: Sep 21 
07:38:49.648461: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648463: | length: 8 (0x8) Sep 21 07:38:49.648465: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648468: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.648470: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648476: | length: 8 (0x8) Sep 21 07:38:49.648479: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648481: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.648484: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648486: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648489: | length: 8 (0x8) Sep 21 07:38:49.648491: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648493: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.648496: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648498: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648501: | length: 8 (0x8) Sep 21 07:38:49.648503: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648506: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.648508: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648511: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648513: | length: 8 (0x8) Sep 21 07:38:49.648515: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648518: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.648520: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648523: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648525: | length: 8 (0x8) Sep 21 07:38:49.648527: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648530: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.648533: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648535: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648537: | length: 8 (0x8) Sep 21 07:38:49.648540: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648542: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.648545: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648547: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.648550: | length: 8 (0x8) Sep 21 07:38:49.648552: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648554: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.648558: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:49.648561: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:38:49.648563: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.648566: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.648568: | length: 116 (0x74) Sep 21 07:38:49.648570: | prop #: 4 (0x4) Sep 21 07:38:49.648573: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.648575: | spi size: 0 (0x0) Sep 21 07:38:49.648577: | # transforms: 13 (0xd) Sep 21 07:38:49.648580: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:49.648583: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648586: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648588: | length: 12 (0xc) Sep 21 07:38:49.648590: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.648593: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.648595: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.648597: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.648600: | length/value: 128 (0x80) Sep 21 07:38:49.648603: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648605: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648607: | length: 8 (0x8) Sep 21 
07:38:49.648610: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648612: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.648615: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648617: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648622: | length: 8 (0x8) Sep 21 07:38:49.648625: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.648627: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:49.648630: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648632: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648635: | length: 8 (0x8) Sep 21 07:38:49.648637: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.648640: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:49.648642: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648645: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648647: | length: 8 (0x8) Sep 21 07:38:49.648650: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.648652: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.648655: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648657: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648659: | length: 8 (0x8) Sep 21 07:38:49.648662: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648664: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.648667: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648669: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648672: | length: 8 (0x8) Sep 21 07:38:49.648674: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648676: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:49.648679: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648681: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648684: | length: 8 (0x8) Sep 21 07:38:49.648686: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648688: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:49.648691: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648693: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648696: | length: 8 (0x8) Sep 21 07:38:49.648698: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648700: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:49.648703: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648705: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648708: | length: 8 (0x8) Sep 21 07:38:49.648710: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648713: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:49.648716: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648718: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648720: | length: 8 (0x8) Sep 21 07:38:49.648723: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648725: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:49.648728: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648730: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.648732: | length: 8 (0x8) Sep 21 07:38:49.648735: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648737: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:49.648740: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.648742: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.648744: | length: 8 (0x8) Sep 21 07:38:49.648747: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.648749: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:49.648753: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:49.648756: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Sep 21 07:38:49.648761: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:38:49.648767: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:38:49.648770: | converting proposal to internal trans attrs Sep 21 07:38:49.648774: | natd_hash: rcookie is zero Sep 21 07:38:49.648796: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:49.648801: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.648803: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:49.648805: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:49.648808: | natd_hash: port= 01 f4 Sep 21 07:38:49.648810: | natd_hash: hash= be 0e d5 1e 8b bd 25 e2 a0 0d 5b 26 25 3c fb 5c Sep 21 07:38:49.648812: | natd_hash: hash= aa 87 9f 5d Sep 21 07:38:49.648815: | natd_hash: rcookie is zero Sep 21 07:38:49.648822: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:49.648824: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.648826: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:49.648829: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:49.648831: | natd_hash: port= 01 f4 Sep 21 07:38:49.648833: | natd_hash: hash= 1b 9f 81 31 ed 65 89 
e4 da 0c f2 e8 e1 58 20 f7 Sep 21 07:38:49.648835: | natd_hash: hash= 32 49 8d 9b Sep 21 07:38:49.648838: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:38:49.648840: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:38:49.648842: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:38:49.648846: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:38:49.648851: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:38:49.648854: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56513f28fc60 Sep 21 07:38:49.648858: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:49.648862: | libevent_malloc: new ptr-libevent@0x56513f28fca0 size 128 Sep 21 07:38:49.648872: | #1 spent 1.04 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:38:49.648875: | crypto helper 4 resuming Sep 21 07:38:49.648880: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.648888: | crypto helper 4 starting work-order 1 for state #1 Sep 21 07:38:49.648903: | crypto helper 4 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:38:49.649952: | crypto helper 4 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001048 seconds Sep 21 07:38:49.649964: | (#1) spent 1.06 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:38:49.649968: | crypto helper 4 sending results from work-order 1 for state #1 to event queue Sep 21 07:38:49.649971: | scheduling resume sending helper answer for #1 Sep 21 07:38:49.649974: | libevent_malloc: new ptr-libevent@0x7f9cac006900 size 128 Sep 21 07:38:49.649980: | crypto helper 4 waiting (nothing to do) Sep 21 07:38:49.648896: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:49.649988: | suspending state #1 and saving MD Sep 21 07:38:49.649991: | #1 is 
busy; has a suspended MD Sep 21 07:38:49.649998: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:49.650003: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:38:49.650011: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:49.650016: | #1 spent 1.63 milliseconds in ikev2_process_packet() Sep 21 07:38:49.650021: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:49.650024: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:49.650027: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:49.650030: | spent 1.64 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:49.650040: | processing resume sending helper answer for #1 Sep 21 07:38:49.650046: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:49.650050: | crypto helper 4 replies to request ID 1 Sep 21 07:38:49.650052: | calling continuation function 0x56513d3cb630 Sep 21 07:38:49.650055: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:38:49.650086: | **emit ISAKMP Message: Sep 21 07:38:49.650089: | initiator cookie: Sep 21 07:38:49.650091: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.650094: | responder cookie: Sep 21 07:38:49.650096: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.650099: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:49.650101: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.650104: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:49.650107: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:49.650110: | Message ID: 
0 (0x0) Sep 21 07:38:49.650112: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:49.650115: | Emitting ikev2_proposal ... Sep 21 07:38:49.650118: | ***emit IKEv2 Security Association Payload: Sep 21 07:38:49.650120: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.650123: | flags: none (0x0) Sep 21 07:38:49.650126: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:49.650129: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650132: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.650135: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.650137: | prop #: 1 (0x1) Sep 21 07:38:49.650140: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:49.650142: | spi size: 0 (0x0) Sep 21 07:38:49.650144: | # transforms: 3 (0x3) Sep 21 07:38:49.650147: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:49.650150: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.650152: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.650155: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.650158: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:49.650160: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.650163: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.650166: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.650168: | length/value: 256 (0x100) Sep 21 07:38:49.650171: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:49.650173: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.650176: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 
21 07:38:49.650178: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:49.650181: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:49.650184: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.650187: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.650191: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.650193: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.650196: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.650198: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:49.650201: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.650204: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.650206: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.650209: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.650211: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:38:49.650214: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:49.650217: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:38:49.650219: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:49.650223: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:38:49.650226: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.650228: | flags: none (0x0) Sep 21 07:38:49.650230: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:49.650234: | next 
payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:38:49.650236: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650240: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:38:49.650279: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:38:49.650282: | ***emit IKEv2 Nonce Payload: Sep 21 07:38:49.650284: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.650286: | flags: none (0x0) Sep 21 07:38:49.650289: | next payload 
chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:38:49.650292: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:38:49.650295: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650299: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:38:49.650301: | IKEv2 nonce 9c de 09 fa fb ed eb 21 ac c1 1d 99 79 2a 90 95 Sep 21 07:38:49.650304: | IKEv2 nonce 7a 39 4b 21 de 91 66 5b 49 8d 29 3c a7 54 c6 a9 Sep 21 07:38:49.650306: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:38:49.650309: | Adding a v2N Payload Sep 21 07:38:49.650311: | ***emit IKEv2 Notify Payload: Sep 21 07:38:49.650313: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.650316: | flags: none (0x0) Sep 21 07:38:49.650318: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.650321: | SPI size: 0 (0x0) Sep 21 07:38:49.650324: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:49.650327: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.650329: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650332: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:49.650335: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:49.650343: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:49.650346: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.650349: | natd_hash: rcookie= e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.650351: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:49.650353: | natd_hash: port= 01 f4 Sep 21 07:38:49.650356: | natd_hash: hash= 38 51 e1 cc fe 74 a4 c1 13 59 6b d5 68 0e 03 5f Sep 21 07:38:49.650358: | natd_hash: hash= 53 7b aa 51 Sep 21 07:38:49.650360: | Adding a v2N Payload Sep 21 07:38:49.650362: | ***emit IKEv2 Notify Payload: Sep 21 07:38:49.650365: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.650367: | flags: none (0x0) Sep 21 07:38:49.650370: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.650372: | SPI size: 0 (0x0) Sep 21 07:38:49.650374: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:49.650377: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.650380: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650383: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:49.650386: | Notify data 38 51 e1 cc fe 74 a4 c1 13 59 6b d5 68 0e 03 5f Sep 21 07:38:49.650388: | Notify data 53 7b aa 51 Sep 21 07:38:49.650390: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:49.650396: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:49.650399: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.650401: | natd_hash: rcookie= e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.650403: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:49.650405: | natd_hash: port= 01 f4 Sep 21 07:38:49.650408: | natd_hash: hash= b7 c9 bf fb 5d bb d7 b6 e5 38 37 18 28 3d e0 da Sep 21 07:38:49.650410: | natd_hash: hash= 62 e2 48 54 Sep 21 07:38:49.650412: | Adding a v2N Payload Sep 21 07:38:49.650414: | ***emit IKEv2 Notify Payload: Sep 21 
07:38:49.650417: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.650419: | flags: none (0x0) Sep 21 07:38:49.650421: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.650424: | SPI size: 0 (0x0) Sep 21 07:38:49.650426: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:49.650429: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.650432: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.650435: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:49.650437: | Notify data b7 c9 bf fb 5d bb d7 b6 e5 38 37 18 28 3d e0 da Sep 21 07:38:49.650439: | Notify data 62 e2 48 54 Sep 21 07:38:49.650443: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:49.650445: | emitting length of ISAKMP Message: 432 Sep 21 07:38:49.650453: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.650457: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:38:49.650460: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:38:49.650463: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:38:49.650466: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:38:49.650471: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:38:49.650476: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:49.650482: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:38:49.650487: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:49.650493: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:38:49.650609: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:49.650613: | libevent_free: release ptr-libevent@0x56513f28fca0 Sep 21 07:38:49.650617: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56513f28fc60 Sep 21 07:38:49.650620: | event_schedule: new EVENT_SO_DISCARD-pe@0x56513f28fc60 Sep 21 07:38:49.650623: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:38:49.650626: | libevent_malloc: new ptr-libevent@0x56513f28fca0 size 128 Sep 21 07:38:49.650630: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:49.650637: | #1 spent 0.556 milliseconds in resume sending helper answer Sep 21 07:38:49.650643: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:49.650646: | libevent_free: release ptr-libevent@0x7f9cac006900 Sep 21 07:38:49.653742: | spent 0.00286 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:49.653763: | *received 241 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500) Sep 21 07:38:49.653881: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:49.653884: | **parse ISAKMP Message: Sep 21 07:38:49.653887: | initiator cookie: Sep 21 07:38:49.653889: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.653891: | responder cookie: Sep 21 07:38:49.653893: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.653895: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:49.653898: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:49.653900: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:49.653903: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:49.653905: | Message ID: 1 (0x1) Sep 21 07:38:49.653907: | length: 241 (0xf1) Sep 21 07:38:49.653911: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:38:49.653914: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:38:49.653917: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:38:49.653925: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:49.653928: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:49.653933: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:49.653936: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 
00000001 Sep 21 07:38:49.653940: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:38:49.653942: | unpacking clear payload Sep 21 07:38:49.653945: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:49.653948: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:49.653951: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:38:49.653953: | flags: none (0x0) Sep 21 07:38:49.653955: | length: 213 (0xd5) Sep 21 07:38:49.653958: | processing payload: ISAKMP_NEXT_v2SK (len=209) Sep 21 07:38:49.653963: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:49.653966: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:49.653973: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:49.653976: | Now let's proceed with state specific processing Sep 21 07:38:49.653978: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:49.653982: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:38:49.653986: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:38:49.653989: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:38:49.653992: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:38:49.653996: | libevent_free: release ptr-libevent@0x56513f28fca0 Sep 21 07:38:49.653999: | free_event_entry: release EVENT_SO_DISCARD-pe@0x56513f28fc60 Sep 21 07:38:49.654001: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x56513f28fc60 Sep 21 07:38:49.654005: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:49.654008: | libevent_malloc: new ptr-libevent@0x56513f28fca0 size 128 Sep 21 07:38:49.654018: | #1 spent 0.035 milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in 
ikev2_process_state_packet() Sep 21 07:38:49.654020: | crypto helper 5 resuming Sep 21 07:38:49.654025: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.654040: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:49.654043: | suspending state #1 and saving MD Sep 21 07:38:49.654045: | #1 is busy; has a suspended MD Sep 21 07:38:49.654051: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:49.654055: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:38:49.654061: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:49.654065: | #1 spent 0.262 milliseconds in ikev2_process_packet() Sep 21 07:38:49.654069: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:49.654072: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:49.654075: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:49.654079: | spent 0.276 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:49.654033: | crypto helper 5 starting work-order 2 for state #1 Sep 21 07:38:49.654089: | crypto helper 5 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:38:49.655051: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:38:49.655488: | crypto helper 5 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001398 seconds Sep 21 07:38:49.655495: | (#1) spent 1.4 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 07:38:49.655498: | crypto helper 5 
sending results from work-order 2 for state #1 to event queue Sep 21 07:38:49.655500: | scheduling resume sending helper answer for #1 Sep 21 07:38:49.655503: | libevent_malloc: new ptr-libevent@0x7f9ca4006b90 size 128 Sep 21 07:38:49.655511: | crypto helper 5 waiting (nothing to do) Sep 21 07:38:49.655520: | processing resume sending helper answer for #1 Sep 21 07:38:49.655527: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:49.655531: | crypto helper 5 replies to request ID 2 Sep 21 07:38:49.655533: | calling continuation function 0x56513d3cb630 Sep 21 07:38:49.655536: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:38:49.655539: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:49.655551: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:38:49.655558: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:38:49.655562: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:38:49.655564: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:38:49.655567: | flags: none (0x0) Sep 21 07:38:49.655570: | length: 12 (0xc) Sep 21 07:38:49.655572: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:49.655575: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:38:49.655577: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:38:49.655580: | **parse IKEv2 Authentication Payload: Sep 21 07:38:49.655582: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.655585: | flags: none (0x0) Sep 21 07:38:49.655587: | length: 72 (0x48) Sep 21 07:38:49.655589: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:49.655592: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:38:49.655594: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:49.655597: | **parse IKEv2 Security Association Payload: Sep 21 07:38:49.655599: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Sep 21 
07:38:49.655601: | flags: none (0x0) Sep 21 07:38:49.655604: | length: 44 (0x2c) Sep 21 07:38:49.655606: | processing payload: ISAKMP_NEXT_v2SA (len=40) Sep 21 07:38:49.655609: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:38:49.655611: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:49.655614: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:38:49.655616: | flags: none (0x0) Sep 21 07:38:49.655618: | length: 24 (0x18) Sep 21 07:38:49.655621: | number of TS: 1 (0x1) Sep 21 07:38:49.655623: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:38:49.655626: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:38:49.655628: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:49.655630: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:49.655633: | flags: none (0x0) Sep 21 07:38:49.655635: | length: 24 (0x18) Sep 21 07:38:49.655637: | number of TS: 1 (0x1) Sep 21 07:38:49.655640: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:38:49.655642: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:49.655645: | **parse IKEv2 Notify Payload: Sep 21 07:38:49.655647: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.655650: | flags: none (0x0) Sep 21 07:38:49.655652: | length: 8 (0x8) Sep 21 07:38:49.655654: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.655657: | SPI size: 0 (0x0) Sep 21 07:38:49.655660: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:49.655662: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:49.655665: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:38:49.655667: | Now let's proceed with state specific processing Sep 21 07:38:49.655669: | calling processor Responder: process IKE_AUTH request Sep 21 07:38:49.655676: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Sep 21 07:38:49.655682: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:49.655686: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:38:49.655688: | peer ID c0 01 03 21 Sep 21 07:38:49.655693: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:49.655697: | match_id a=192.1.3.33 Sep 21 07:38:49.655700: | b=192.1.3.33 Sep 21 07:38:49.655703: | results matched Sep 21 07:38:49.655709: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:38:49.655711: | Warning: not switching back to template of current instance Sep 21 07:38:49.655714: | No IDr payload received from peer Sep 21 07:38:49.655719: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Sep 21 07:38:49.655725: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.655729: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.655733: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.655738: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.655742: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.655744: | line 1: match=002 Sep 21 07:38:49.655747: | match 002 beats previous best_match 000 match=0x56513f27f5c0 (line=1) Sep 21 07:38:49.655750: | concluding with best_match=002 best=0x56513f27f5c0 (lineno=1) Sep 21 07:38:49.655752: | returning because exact peer id match Sep 21 07:38:49.655755: | offered CA: '%none' Sep 21 07:38:49.655760: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Sep 21 07:38:49.655763: | received v2N_MOBIKE_SUPPORTED while it did not sent Sep 21 07:38:49.655779: | verifying AUTH payload Sep 21 07:38:49.655786: 
| ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:38:49.655793: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.655797: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.655800: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.655805: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.655809: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.655812: | line 1: match=002 Sep 21 07:38:49.655814: | match 002 beats previous best_match 000 match=0x56513f27f5c0 (line=1) Sep 21 07:38:49.655817: | concluding with best_match=002 best=0x56513f27f5c0 (lineno=1) Sep 21 07:38:49.655878: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Sep 21 07:38:49.655883: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:38:49.655888: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:49.655891: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:49.655895: | libevent_free: release ptr-libevent@0x56513f28fca0 Sep 21 07:38:49.655897: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x56513f28fc60 Sep 21 07:38:49.655900: | event_schedule: new EVENT_SA_REKEY-pe@0x56513f28fc60 Sep 21 07:38:49.655904: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:38:49.655906: | libevent_malloc: new ptr-libevent@0x56513f28fca0 size 128 Sep 21 07:38:49.656258: | pstats #1 ikev2.ike established Sep 21 07:38:49.656268: | **emit ISAKMP Message: Sep 21 07:38:49.656271: | initiator cookie: Sep 21 07:38:49.656273: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:49.656276: | responder cookie: Sep 21 07:38:49.656279: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.656282: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:49.656285: | ISAKMP version: IKEv2 version 2.0 
(rfc4306/rfc5996) (0x20) Sep 21 07:38:49.656288: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:49.656291: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:49.656294: | Message ID: 1 (0x1) Sep 21 07:38:49.656298: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:49.656301: | IKEv2 CERT: send a certificate? Sep 21 07:38:49.656305: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:38:49.656308: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:49.656311: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.656313: | flags: none (0x0) Sep 21 07:38:49.656318: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:49.656321: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.656325: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:49.656338: | Adding a v2N Payload Sep 21 07:38:49.656341: | ****emit IKEv2 Notify Payload: Sep 21 07:38:49.656344: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.656346: | flags: none (0x0) Sep 21 07:38:49.656349: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:49.656352: | SPI size: 0 (0x0) Sep 21 07:38:49.656355: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:49.656359: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:49.656363: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.656366: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:49.656369: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:49.656385: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:38:49.656389: | next payload type: ISAKMP_NEXT_v2NONE (0x0) 
Sep 21 07:38:49.656391: | flags: none (0x0) Sep 21 07:38:49.656394: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:49.656398: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:38:49.656402: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.656406: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:38:49.656409: | my identity c0 01 02 17 Sep 21 07:38:49.656412: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:38:49.656420: | assembled IDr payload Sep 21 07:38:49.656423: | CHILD SA proposals received Sep 21 07:38:49.656425: | going to assemble AUTH payload Sep 21 07:38:49.656429: | ****emit IKEv2 Authentication Payload: Sep 21 07:38:49.656432: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:49.656434: | flags: none (0x0) Sep 21 07:38:49.656437: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:49.656441: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:38:49.656446: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:38:49.656449: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.656453: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:38:49.656460: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.656465: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:49.656469: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:49.656475: | 1: compared key (none) to 192.1.2.23 / 
192.1.3.33 -> 002 Sep 21 07:38:49.656480: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:49.656482: | line 1: match=002 Sep 21 07:38:49.656486: | match 002 beats previous best_match 000 match=0x56513f27f5c0 (line=1) Sep 21 07:38:49.656489: | concluding with best_match=002 best=0x56513f27f5c0 (lineno=1) Sep 21 07:38:49.656547: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:38:49.656551: | PSK auth f3 69 81 cd e9 df b9 94 81 e9 d0 c0 a4 68 8a b3 Sep 21 07:38:49.656554: | PSK auth f5 5f 22 d0 16 83 2f 12 bd cd cd b1 e9 ad 35 b7 Sep 21 07:38:49.656557: | PSK auth a5 ba e6 89 bc c1 65 17 17 1b 7c e0 55 85 42 c0 Sep 21 07:38:49.656560: | PSK auth 8f b0 5f 0f 49 17 29 6a 42 9b a9 e5 ff db ae ef Sep 21 07:38:49.656563: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:38:49.656567: | creating state object #2 at 0x56513f2911c0 Sep 21 07:38:49.656571: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:38:49.656576: | pstats #2 ikev2.child started Sep 21 07:38:49.656583: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Sep 21 07:38:49.656589: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:38:49.656596: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:49.656602: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:49.656608: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:49.656611: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:38:49.656614: | TSi: parsing 1 traffic selectors Sep 21 07:38:49.656618: | ***parse 
IKEv2 Traffic Selector: Sep 21 07:38:49.656621: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.656623: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.656626: | length: 16 (0x10) Sep 21 07:38:49.656629: | start port: 0 (0x0) Sep 21 07:38:49.656632: | end port: 65535 (0xffff) Sep 21 07:38:49.656635: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:49.656637: | TS low c0 00 03 00 Sep 21 07:38:49.656641: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:49.656643: | TS high c0 00 03 ff Sep 21 07:38:49.656646: | TSi: parsed 1 traffic selectors Sep 21 07:38:49.656648: | TSr: parsing 1 traffic selectors Sep 21 07:38:49.656651: | ***parse IKEv2 Traffic Selector: Sep 21 07:38:49.656654: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.656657: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.656660: | length: 16 (0x10) Sep 21 07:38:49.656662: | start port: 0 (0x0) Sep 21 07:38:49.656665: | end port: 65535 (0xffff) Sep 21 07:38:49.656668: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:49.656670: | TS low c0 00 02 00 Sep 21 07:38:49.656674: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:49.656676: | TS high c0 00 02 ff Sep 21 07:38:49.656679: | TSr: parsed 1 traffic selectors Sep 21 07:38:49.656682: | looking for best SPD in current connection Sep 21 07:38:49.656690: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:49.656696: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.656703: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:49.656707: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:49.656710: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:49.656713: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:49.656717: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 
Sep 21 07:38:49.656722: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.656729: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:38:49.656732: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:38:49.656735: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:49.656738: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:49.656743: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.656746: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:49.656748: | found better spd route for TSi[0],TSr[0] Sep 21 07:38:49.656751: | looking for better host pair Sep 21 07:38:49.656757: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:38:49.656763: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:38:49.656766: | investigating connection "eastnet-northnet" as a better match Sep 21 07:38:49.656770: | match_id a=192.1.3.33 Sep 21 07:38:49.656774: | b=192.1.3.33 Sep 21 07:38:49.656777: | results matched Sep 21 07:38:49.656789: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:49.656798: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.656805: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:49.656808: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:49.656811: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:49.656814: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:49.656818: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.656823: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:49.656830: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:38:49.656833: | narrow port end=0..65535 == 
TSr[0]=0..65535: 0 Sep 21 07:38:49.656836: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:49.656839: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:49.656843: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:49.656846: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:49.656848: | did not find a better connection using host pair Sep 21 07:38:49.656852: | printing contents struct traffic_selector Sep 21 07:38:49.656854: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:49.656857: | ipprotoid: 0 Sep 21 07:38:49.656859: | port range: 0-65535 Sep 21 07:38:49.656864: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:38:49.656866: | printing contents struct traffic_selector Sep 21 07:38:49.656869: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:49.656871: | ipprotoid: 0 Sep 21 07:38:49.656874: | port range: 0-65535 Sep 21 07:38:49.656878: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:38:49.656883: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:38:49.656891: | converting proposal AES_CBC_256-HMAC_SHA2_256_128 to ikev2 ... Sep 21 07:38:49.656898: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:38:49.656904: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED Sep 21 07:38:49.656908: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:38:49.656912: | local proposal 1 type ENCR has 1 transforms Sep 21 07:38:49.656915: | local proposal 1 type PRF has 0 transforms Sep 21 07:38:49.656918: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:49.656921: | local proposal 1 type DH has 1 transforms Sep 21 07:38:49.656924: | local proposal 1 type ESN has 1 transforms Sep 21 07:38:49.656928: | local proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Sep 21 07:38:49.656931: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.656935: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.656937: | length: 40 (0x28) Sep 21 07:38:49.656940: | prop #: 1 (0x1) Sep 21 07:38:49.656943: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:49.656945: | spi size: 4 (0x4) Sep 21 07:38:49.656948: | # transforms: 3 (0x3) Sep 21 07:38:49.656952: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:38:49.656954: | remote SPI 4b 54 05 62 Sep 21 07:38:49.656958: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:38:49.656962: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.656965: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.656967: | length: 12 (0xc) Sep 21 07:38:49.656972: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.656975: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.656978: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.656981: | af+type: AF+IKEv2_KEY_LENGTH 
(0x800e) Sep 21 07:38:49.656984: | length/value: 256 (0x100) Sep 21 07:38:49.656989: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:38:49.656992: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.656995: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.656997: | length: 8 (0x8) Sep 21 07:38:49.657000: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.657003: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.657008: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Sep 21 07:38:49.657011: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:49.657013: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.657016: | length: 8 (0x8) Sep 21 07:38:49.657019: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:49.657022: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:49.657026: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:38:49.657030: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Sep 21 07:38:49.657036: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Sep 21 07:38:49.657040: | remote proposal 1 matches local proposal 1 Sep 21 07:38:49.657047: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=4b540562;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED[first-match] Sep 21 07:38:49.657053: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=4b540562;ENCR=AES_CBC_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Sep 21 07:38:49.657056: | converting proposal to internal trans attrs Sep 21 07:38:49.657074: | netlink_get_spi: allocated 
0xdbb4e487 for esp.0@192.1.2.23 Sep 21 07:38:49.657077: | Emitting ikev2_proposal ... Sep 21 07:38:49.657080: | ****emit IKEv2 Security Association Payload: Sep 21 07:38:49.657083: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.657086: | flags: none (0x0) Sep 21 07:38:49.657090: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:49.657094: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.657098: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:49.657100: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:49.657103: | prop #: 1 (0x1) Sep 21 07:38:49.657106: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:49.657108: | spi size: 4 (0x4) Sep 21 07:38:49.657111: | # transforms: 3 (0x3) Sep 21 07:38:49.657115: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:49.657119: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:38:49.657121: | our spi db b4 e4 87 Sep 21 07:38:49.657124: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.657127: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.657130: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:49.657133: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:49.657136: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.657140: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:49.657143: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:49.657147: | length/value: 256 (0x100) Sep 21 07:38:49.657150: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:49.657153: | ******emit IKEv2 Transform Substructure 
Payload: Sep 21 07:38:49.657156: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.657159: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:49.657162: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:49.657166: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.657170: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.657173: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.657176: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:38:49.657178: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:49.657181: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:49.657184: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:49.657188: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:49.657192: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:49.657195: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:49.657198: | emitting length of IKEv2 Proposal Substructure Payload: 40 Sep 21 07:38:49.657201: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:49.657204: | emitting length of IKEv2 Security Association Payload: 44 Sep 21 07:38:49.657208: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:49.657211: | received v2N_MOBIKE_SUPPORTED Sep 21 07:38:49.657214: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:49.657217: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.657219: | flags: none (0x0) Sep 21 07:38:49.657222: | number of TS: 1 (0x1) Sep 21 07:38:49.657226: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:38:49.657230: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.657233: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:49.657236: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.657239: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.657241: | start port: 0 (0x0) Sep 21 07:38:49.657244: | end port: 65535 (0xffff) Sep 21 07:38:49.657247: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:49.657250: | IP start c0 00 03 00 Sep 21 07:38:49.657253: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:49.657255: | IP end c0 00 03 ff Sep 21 07:38:49.657258: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:49.657261: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:38:49.657264: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:49.657267: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:49.657269: | flags: none (0x0) Sep 21 07:38:49.657272: | number of TS: 1 (0x1) Sep 21 07:38:49.657276: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:38:49.657280: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:49.657283: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:49.657287: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:49.657290: | IP Protocol ID: 0 (0x0) Sep 21 07:38:49.657292: | start port: 0 (0x0) Sep 21 
07:38:49.657295: | end port: 65535 (0xffff) Sep 21 07:38:49.657298: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:49.657301: | IP start c0 00 02 00 Sep 21 07:38:49.657304: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:49.657306: | IP end c0 00 02 ff Sep 21 07:38:49.657309: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:49.657312: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:38:49.657315: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:49.657319: | integ=sha2_256: .key_size=32 encrypt=aes: .key_size=32 .salt_size=0 keymat_len=64 Sep 21 07:38:49.657470: | FOR_EACH_CONNECTION_... in ISAKMP_SA_established Sep 21 07:38:49.657479: | #1 spent 1.54 milliseconds Sep 21 07:38:49.657482: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:38:49.657485: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Sep 21 07:38:49.657489: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:38:49.657492: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.657495: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.657498: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.657501: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.657509: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:49.657514: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Sep 21 07:38:49.657517: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Sep 21 07:38:49.657521: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Sep 21 07:38:49.657525: | setting IPsec SA replay-window to 32 Sep 21 07:38:49.657528: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:49.657532: | netlink: enabling tunnel mode Sep 21 07:38:49.657535: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:49.657538: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:49.657792: | netlink response for Add SA esp.4b540562@192.1.3.33 included non-error error Sep 21 07:38:49.657801: | set up outgoing SA, ref=0/0 Sep 21 07:38:49.657805: | looking for alg with encrypt: AES_CBC keylen: 256 integ: HMAC_SHA2_256_128 Sep 21 07:38:49.657809: | encrypt AES_CBC keylen=256 transid=12, key_size=32, encryptalg=12 Sep 21 07:38:49.657812: | st->st_esp.keymat_len=64 is encrypt_keymat_size=32 + integ_keymat_size=32 Sep 21 07:38:49.657816: | setting IPsec SA replay-window to 32 Sep 21 07:38:49.657820: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:49.657823: | netlink: enabling tunnel mode Sep 21 07:38:49.657826: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:49.657829: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:49.658005: | 
netlink response for Add SA esp.dbb4e487@192.1.2.23 included non-error error Sep 21 07:38:49.658012: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:49.658021: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:38:49.658024: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:49.658276: | raw_eroute result=success Sep 21 07:38:49.658282: | set up incoming SA, ref=0/0 Sep 21 07:38:49.658284: | sr for #2: unrouted Sep 21 07:38:49.658288: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:38:49.658291: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:38:49.658295: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.658298: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.658301: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:49.658307: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:49.658313: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:49.658317: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:38:49.658321: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:49.658329: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:38:49.658332: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:49.658459: | raw_eroute result=success Sep 21 07:38:49.658466: | running updown command "ipsec _updown" for verb up Sep 21 07:38:49.658469: | command executing up-client Sep 21 07:38:49.658504: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Sep 21 07:38:49.658508: | popen cmd is 1048 chars long Sep 21 07:38:49.658512: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Sep 21 07:38:49.658515: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:38:49.658518: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Sep 21 07:38:49.658522: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:38:49.658525: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Sep 21 07:38:49.658529: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Sep 21 07:38:49.658532: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:38:49.658535: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Sep 21 07:38:49.658538: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Sep 21 07:38:49.658542: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Sep 21 07:38:49.658545: | cmd( 800):_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Sep 21 07:38:49.658548: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Sep 21 07:38:49.658552: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4b540562 SPI_OUT=0xdbb4e487 ipsec _upd: Sep 21 07:38:49.658554: | cmd(1040):own 2>&1: Sep 21 07:38:49.681574: | route_and_eroute: firewall_notified: true Sep 21 07:38:49.681595: | running updown command "ipsec _updown" for verb prepare Sep 21 07:38:49.681600: | command executing prepare-client Sep 21 07:38:49.681646: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Sep 21 07:38:49.681655: | popen cmd is 1053 chars long Sep 21 07:38:49.681660: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:38:49.681664: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:38:49.681668: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' 
PLUTO_MY_CLIENT_NET='192.0.: Sep 21 07:38:49.681671: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:38:49.681675: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Sep 21 07:38:49.681679: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Sep 21 07:38:49.681683: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Sep 21 07:38:49.681687: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Sep 21 07:38:49.681691: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Sep 21 07:38:49.681694: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Sep 21 07:38:49.681698: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Sep 21 07:38:49.681702: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Sep 21 07:38:49.681706: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4b540562 SPI_OUT=0xdbb4e487 ipsec: Sep 21 07:38:49.681709: | cmd(1040): _updown 2>&1: Sep 21 07:38:49.696582: | running updown command "ipsec _updown" for verb route Sep 21 07:38:49.696601: | command executing route-client Sep 21 07:38:49.696632: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:38:49.696636: | popen cmd is 1051 chars long Sep 21 07:38:49.696639: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Sep 21 07:38:49.696642: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Sep 21 07:38:49.696644: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Sep 21 07:38:49.696647: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:38:49.696649: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Sep 21 07:38:49.696652: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Sep 21 07:38:49.696658: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Sep 21 07:38:49.696661: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Sep 21 07:38:49.696663: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Sep 21 07:38:49.696666: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:38:49.696668: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:38:49.696671: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:38:49.696673: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x4b540562 SPI_OUT=0xdbb4e487 ipsec _: Sep 21 07:38:49.696675: | cmd(1040):updown 2>&1: Sep 21 07:38:49.767709: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x56513f28d3d0,sr=0x56513f28d3d0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:38:49.768371: | #1 spent 1.48 milliseconds in install_ipsec_sa() Sep 21 07:38:49.768381: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:38:49.768385: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:49.768389: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:49.768392: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:49.768395: | emitting length of IKEv2 Encryption Payload: 213 Sep 21 07:38:49.768398: | emitting length of ISAKMP Message: 241 Sep 21 07:38:49.768418: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:38:49.768424: | #1 spent 3.08 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:38:49.768432: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.768438: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:49.768442: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:38:49.768446: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:38:49.768449: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:38:49.768452: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:38:49.768458: | Message ID: recv #1.#2 request 
1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:49.768463: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:38:49.768466: | pstats #2 ikev2.child established Sep 21 07:38:49.768475: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:38:49.768480: | NAT-T: encaps is 'auto' Sep 21 07:38:49.768485: "eastnet-northnet"[1] 192.1.3.33 #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x4b540562 <0xdbb4e487 xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} Sep 21 07:38:49.768491: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:49.768502: | sending 241 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:38:49.768504: | 15 00 5c f1 36 77 c5 dc e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:49.768507: | 2e 20 23 20 00 00 00 01 00 00 00 f1 29 00 00 d5 Sep 21 07:38:49.768509: | 8f 63 b9 e6 21 54 1f 42 45 1d 0a 1e 8d 18 60 c8 Sep 21 07:38:49.768514: | d6 16 f4 98 ac d9 6e ed ed fb 4f e7 26 60 f3 91 Sep 21 07:38:49.768517: | 95 e4 49 60 28 20 93 c8 1d 67 bf ac 89 29 93 fe Sep 21 07:38:49.768519: | ca f6 be 27 bf 15 f3 52 e1 00 13 5e 0c df 1b 71 Sep 21 07:38:49.768521: | 7c 17 29 c7 c7 01 24 99 2f dd f9 31 1d 87 51 23 Sep 21 07:38:49.768524: | 02 64 e1 57 17 15 4b f6 d9 d5 28 ae 50 49 72 e3 Sep 21 07:38:49.768526: | 53 bb e7 9f 9e 0d 63 cd c3 22 79 e4 11 b6 d4 85 Sep 21 07:38:49.768528: | fe a3 be 1c f8 fc 1a df 0d a5 65 5d 4a 28 7a c5 Sep 21 07:38:49.768530: | 5d 0e a3 a1 58 07 02 ed 63 eb a6 57 2e ad 89 9b Sep 21 07:38:49.768533: | 0b b4 3b 52 aa 5c 24 62 9d f1 ac aa 54 00 d3 86 Sep 21 07:38:49.768535: | 70 63 7d 95 f5 86 38 7d 21 89 32 40 7d 24 1c c9 Sep 21 07:38:49.768537: | f1 f3 25 
c5 49 c0 f7 55 48 e7 73 68 00 32 8c a1 Sep 21 07:38:49.768540: | ea f7 c6 8d c6 85 a3 d6 b3 ee b9 1f 68 36 07 bf Sep 21 07:38:49.768542: | 04 Sep 21 07:38:49.768594: | releasing whack for #2 (sock=fd@-1) Sep 21 07:38:49.768598: | releasing whack and unpending for parent #1 Sep 21 07:38:49.768602: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:49.768606: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:49.768610: | event_schedule: new EVENT_SA_REKEY-pe@0x7f9cac002b20 Sep 21 07:38:49.768613: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:38:49.768617: | libevent_malloc: new ptr-libevent@0x56513f2943a0 size 128 Sep 21 07:38:49.768622: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:49.768627: | #1 spent 3.39 milliseconds in resume sending helper answer Sep 21 07:38:49.768634: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:49.768638: | libevent_free: release ptr-libevent@0x7f9ca4006b90 Sep 21 07:38:49.768647: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.768652: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.768656: | spent 0.00519 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:49.768659: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.768662: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.768665: | spent 0.00327 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:49.768668: | processing signal PLUTO_SIGCHLD Sep 21 07:38:49.768671: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:49.768674: | spent 0.00325 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:59.599687: | spent 0.00287 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:59.599708: | *received 121 bytes from 192.1.8.22:500 on eth1 
(192.1.2.23:500) Sep 21 07:38:59.599712: | 15 00 5c f1 36 77 c5 dc e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.599714: | 2e 20 25 08 00 00 00 02 00 00 00 79 29 00 00 5d Sep 21 07:38:59.599716: | fa 0d 80 89 79 5a 72 c1 71 05 f2 29 71 52 d6 44 Sep 21 07:38:59.599718: | 8e d3 9d b7 93 89 75 73 f1 63 01 9f c4 d2 92 d9 Sep 21 07:38:59.599720: | 25 af c9 1d 7c 44 73 a1 25 41 cf 32 5f 0d 6a bd Sep 21 07:38:59.599722: | 92 00 a9 b6 96 c1 19 65 4d 49 aa d0 bf 3d ce 2e Sep 21 07:38:59.599724: | 12 6a c3 d5 74 19 a4 27 07 3b e2 2b 4c 93 7e eb Sep 21 07:38:59.599727: | c4 24 f2 1f b3 c3 df 5f 4b Sep 21 07:38:59.599731: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Sep 21 07:38:59.599734: | **parse ISAKMP Message: Sep 21 07:38:59.599737: | initiator cookie: Sep 21 07:38:59.599739: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:59.599742: | responder cookie: Sep 21 07:38:59.599744: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.599746: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:59.599749: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:59.599752: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:59.599754: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:59.599759: | Message ID: 2 (0x2) Sep 21 07:38:59.599762: | length: 121 (0x79) Sep 21 07:38:59.599765: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:38:59.599768: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:38:59.599772: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:38:59.599779: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:59.599782: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:59.599798: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at 
ikev2.c:2064) Sep 21 07:38:59.599801: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:38:59.599805: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:38:59.599808: | unpacking clear payload Sep 21 07:38:59.599810: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:59.599813: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:59.599816: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:59.599818: | flags: none (0x0) Sep 21 07:38:59.599821: | length: 93 (0x5d) Sep 21 07:38:59.599823: | processing payload: ISAKMP_NEXT_v2SK (len=89) Sep 21 07:38:59.599827: | Message ID: start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:38:59.599830: | #1 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:59.599844: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:38:59.599846: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:59.599848: | **parse IKEv2 Notify Payload: Sep 21 07:38:59.599850: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:59.599851: | flags: none (0x0) Sep 21 07:38:59.599853: | length: 8 (0x8) Sep 21 07:38:59.599854: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:59.599856: | SPI size: 0 (0x0) Sep 21 07:38:59.599858: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Sep 21 07:38:59.599859: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:59.599861: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:59.599864: | **parse IKEv2 Notify Payload: Sep 21 07:38:59.599866: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:59.599868: | flags: none (0x0) Sep 21 07:38:59.599870: | length: 28 (0x1c) Sep 21 07:38:59.599871: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:59.599873: | SPI size: 0 (0x0) Sep 21 07:38:59.599874: | Notify Message Type: 
v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:59.599876: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:59.599877: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:59.599879: | **parse IKEv2 Notify Payload: Sep 21 07:38:59.599880: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:59.599882: | flags: none (0x0) Sep 21 07:38:59.599883: | length: 28 (0x1c) Sep 21 07:38:59.599885: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:59.599886: | SPI size: 0 (0x0) Sep 21 07:38:59.599888: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:59.599889: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:59.599891: | selected state microcode R2: process Informational Request Sep 21 07:38:59.599892: | Now let's proceed with state specific processing Sep 21 07:38:59.599894: | calling processor R2: process Informational Request Sep 21 07:38:59.599897: | an informational request should send a response Sep 21 07:38:59.599898: | Need to process v2N_UPDATE_SA_ADDRESSES Sep 21 07:38:59.599900: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:59.599901: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:59.599907: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:59.599913: | responder migrate kernel SA esp.4b540562@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Sep 21 07:38:59.599982: | responder migrate kernel SA esp.dbb4e487@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Sep 21 07:38:59.600009: | responder migrate kernel SA esp.dbb4e487@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Sep 21 07:38:59.600019: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:59.600023: | free hp@0x56513f21ce70 Sep 21 07:38:59.600029: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Sep 21 07:38:59.600031: | new 
hp@0x56513f28da20 Sep 21 07:38:59.600038: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:59.600042: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Sep 21 07:38:59.600048: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:38:59.600051: | **emit ISAKMP Message: Sep 21 07:38:59.600054: | initiator cookie: Sep 21 07:38:59.600056: | 15 00 5c f1 36 77 c5 dc Sep 21 07:38:59.600059: | responder cookie: Sep 21 07:38:59.600061: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.600063: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:59.600067: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:59.600069: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:59.600072: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:59.600074: | Message ID: 2 (0x2) Sep 21 07:38:59.600077: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:59.600080: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:59.600082: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:59.600085: | flags: none (0x0) Sep 21 07:38:59.600088: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:59.600091: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:59.600095: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:59.600103: | adding NATD payloads to MOBIKE response Sep 21 07:38:59.600106: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:59.600116: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:59.600119: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:59.600121: | natd_hash: rcookie= e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.600123: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:59.600124: | natd_hash: port= 01 f4 Sep 21 07:38:59.600126: | natd_hash: hash= 38 51 e1 cc fe 74 a4 c1 13 59 6b d5 68 0e 03 5f Sep 21 07:38:59.600127: | natd_hash: hash= 53 7b aa 51 Sep 21 07:38:59.600129: | Adding a v2N Payload Sep 21 07:38:59.600131: | ****emit IKEv2 Notify Payload: Sep 21 07:38:59.600132: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:59.600134: | flags: none (0x0) Sep 21 07:38:59.600135: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:59.600137: | SPI size: 0 (0x0) Sep 21 07:38:59.600138: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:59.600140: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:59.600142: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:59.600144: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:59.600146: | Notify data 38 51 e1 cc fe 74 a4 c1 13 59 6b d5 68 0e 03 5f Sep 21 07:38:59.600147: | Notify data 53 7b aa 51 Sep 21 07:38:59.600149: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:59.600153: | natd_hash: hasher=0x56513d4a17a0(20) Sep 21 07:38:59.600157: | natd_hash: icookie= 15 00 5c f1 36 77 c5 dc Sep 21 07:38:59.600158: | natd_hash: rcookie= e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.600160: | natd_hash: ip= c0 01 08 16 Sep 21 07:38:59.600161: | natd_hash: port= 01 f4 Sep 21 07:38:59.600162: | natd_hash: hash= dc dc 4b a2 b0 ca 6d 0f cf bd dc de 4c 2a 63 bf Sep 21 07:38:59.600164: | natd_hash: hash= a5 24 ab a0 Sep 21 07:38:59.600165: | Adding a v2N Payload Sep 21 07:38:59.600167: | ****emit 
IKEv2 Notify Payload: Sep 21 07:38:59.600168: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:59.600170: | flags: none (0x0) Sep 21 07:38:59.600171: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:59.600173: | SPI size: 0 (0x0) Sep 21 07:38:59.600174: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:59.600176: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:59.600178: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:59.600180: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:59.600181: | Notify data dc dc 4b a2 b0 ca 6d 0f cf bd dc de 4c 2a 63 bf Sep 21 07:38:59.600183: | Notify data a5 24 ab a0 Sep 21 07:38:59.600184: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:59.600186: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:59.600188: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:59.600190: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:59.600191: | emitting length of IKEv2 Encryption Payload: 85 Sep 21 07:38:59.600193: | emitting length of ISAKMP Message: 113 Sep 21 07:38:59.600201: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Sep 21 07:38:59.600203: | 15 00 5c f1 36 77 c5 dc e3 fe e0 15 e4 b7 70 02 Sep 21 07:38:59.600204: | 2e 20 25 20 00 00 00 02 00 00 00 71 29 00 00 55 Sep 21 07:38:59.600206: | ab cb 92 bf 19 62 91 77 14 64 d6 fa 52 12 6d 27 Sep 21 07:38:59.600207: | 61 5a a3 06 55 d9 4e 0a 11 37 df c9 a8 29 37 48 Sep 21 07:38:59.600208: | 15 a7 cb d6 2b a1 7b e5 25 12 a5 83 52 ed 5c 1c Sep 21 07:38:59.600210: | fa 22 0b b1 bf 7b ce 1e 32 c6 ee 1f fc 33 ca c3 Sep 21 
07:38:59.600211: | 67 53 11 2f 59 e6 9c 27 17 77 61 4f 51 d1 e9 28 Sep 21 07:38:59.600213: | 4f Sep 21 07:38:59.600245: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:59.600249: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:59.600253: | #1 spent 0.326 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Sep 21 07:38:59.600257: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:59.600260: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Sep 21 07:38:59.600262: | Message ID: updating counters for #1 to 2 after switching state Sep 21 07:38:59.600265: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:38:59.600267: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:59.600270: | STATE_PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:59.600273: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:59.600278: | #1 spent 0.543 milliseconds in ikev2_process_packet() Sep 21 07:38:59.600280: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Sep 21 07:38:59.600282: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:59.600284: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 
07:38:59.600287: | spent 0.552 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:39:06.132645: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:06.132663: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:39:06.132679: | FOR_EACH_STATE_... in sort_states Sep 21 07:39:06.132686: | get_sa_info esp.dbb4e487@192.1.2.23 Sep 21 07:39:06.132700: | get_sa_info esp.4b540562@192.1.8.22 Sep 21 07:39:06.132715: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:06.132720: | spent 0.0827 milliseconds in whack Sep 21 07:39:06.535719: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:06.536484: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:06.536508: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:06.536883: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:39:06.536901: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:39:06.536944: | get_sa_info esp.dbb4e487@192.1.2.23 Sep 21 07:39:06.536991: | get_sa_info esp.4b540562@192.1.8.22 Sep 21 07:39:06.537061: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:06.537081: | spent 1.36 milliseconds in whack Sep 21 07:39:07.197796: | processing global timer EVENT_SHUNT_SCAN Sep 21 07:39:07.197810: | expiring aged bare shunts from shunt table Sep 21 07:39:07.197815: | spent 0.004 milliseconds in global timer EVENT_SHUNT_SCAN Sep 21 07:39:08.106942: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:08.106961: shutting down Sep 21 07:39:08.106967: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:39:08.106970: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:39:08.106975: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:39:08.106976: forgetting secrets Sep 21 07:39:08.106979: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:39:08.106983: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Sep 21 07:39:08.106987: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Sep 21 07:39:08.106989: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:08.106991: | pass 0 Sep 21 07:39:08.106992: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:08.106994: | state #2 Sep 21 07:39:08.106997: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:08.107007: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:08.107010: | pstats #2 ikev2.child deleted completed Sep 21 07:39:08.107016: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:08.107021: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 18.450s and sending notification Sep 21 07:39:08.107024: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:39:08.107029: | get_sa_info esp.4b540562@192.1.8.22 Sep 21 07:39:08.107043: | get_sa_info esp.dbb4e487@192.1.2.23 Sep 21 07:39:08.107049: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=168B out=168B Sep 21 07:39:08.107055: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:39:08.107057: | Opening output PBS informational exchange delete request Sep 21 07:39:08.107059: | **emit ISAKMP Message: Sep 21 07:39:08.107061: | initiator cookie: Sep 21 07:39:08.107063: | 15 00 5c f1 36 77 c5 dc Sep 21 07:39:08.107064: | responder cookie: Sep 21 07:39:08.107066: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:39:08.107068: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:08.107069: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:08.107071: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:08.107073: | flags: none (0x0) Sep 21 07:39:08.107074: | Message ID: 0 (0x0) Sep 21 07:39:08.107076: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:08.107078: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:08.107080: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:08.107081: | flags: none (0x0) Sep 21 07:39:08.107083: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:08.107085: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:08.107087: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:08.107095: | ****emit IKEv2 Delete Payload: Sep 21 07:39:08.107096: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:08.107098: | flags: none (0x0) Sep 21 07:39:08.107100: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:39:08.107101: | SPI size: 4 (0x4) Sep 21 07:39:08.107102: | number of SPIs: 1 (0x1) Sep 21 07:39:08.107104: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:08.107106: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:08.107108: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:39:08.107109: | local spis db b4 e4 87 Sep 21 07:39:08.107111: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:39:08.107113: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:08.107115: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:08.107117: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:08.107118: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:39:08.107120: | emitting length of ISAKMP Message: 69 Sep 21 07:39:08.107138: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Sep 21 07:39:08.107140: | 15 00 5c f1 36 77 c5 dc e3 fe e0 15 e4 b7 70 02 Sep 21 07:39:08.107141: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Sep 21 07:39:08.107142: | 4c 46 0f 19 45 12 fa aa 9e 67 d0 5a 1d a4 8e 97 Sep 21 07:39:08.107144: | c4 46 d8 b0 f7 f1 23 48 2f ca a5 aa 34 17 0e c8 Sep 21 07:39:08.107145: | 99 eb 39 a5 c8 Sep 21 07:39:08.107184: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:39:08.107186: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:39:08.107190: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:39:08.107192: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:08.107195: | libevent_free: release ptr-libevent@0x56513f2943a0 Sep 21 07:39:08.107197: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f9cac002b20 Sep 21 07:39:08.107245: | running updown command "ipsec _updown" for verb down Sep 21 07:39:08.107248: | command executing down-client Sep 21 07:39:08.107266: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051529' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Sep 21 07:39:08.107269: | popen cmd is 1061 chars long Sep 21 07:39:08.107271: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Sep 21 07:39:08.107273: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:39:08.107275: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:39:08.107276: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:39:08.107278: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Sep 21 07:39:08.107294: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Sep 21 07:39:08.107296: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Sep 21 07:39:08.107297: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051529' PLUTO_CONN_P: Sep 21 07:39:08.107299: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Sep 21 07:39:08.107300: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Sep 21 07:39:08.107302: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Sep 21 07:39:08.107304: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Sep 21 07:39:08.107305: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x4b540562 SPI_OUT=0xdbb4e4: Sep 21 07:39:08.107307: | cmd(1040):87 ipsec _updown 2>&1: Sep 21 07:39:08.113754: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:08.113768: | netlink_shunt_eroute for proto 0, and source 
192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:08.113772: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:08.113776: | IPsec Sa SPD priority set to 1042407 Sep 21 07:39:08.113851: | delete esp.4b540562@192.1.8.22 Sep 21 07:39:08.113884: | netlink response for Del SA esp.4b540562@192.1.8.22 included non-error error Sep 21 07:39:08.113889: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:08.113895: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:39:08.113937: | raw_eroute result=success Sep 21 07:39:08.113942: | delete esp.dbb4e487@192.1.2.23 Sep 21 07:39:08.113967: | netlink response for Del SA esp.dbb4e487@192.1.2.23 included non-error error Sep 21 07:39:08.113975: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:39:08.113978: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:39:08.113981: | in connection_discard for connection eastnet-northnet Sep 21 07:39:08.113984: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:39:08.113990: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:39:08.113996: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:08.114002: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:08.114004: | state #1 Sep 21 07:39:08.114006: | pass 1 Sep 21 07:39:08.114009: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:08.114011: | state #1 Sep 21 07:39:08.114016: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:08.114019: | pstats #1 ikev2.ike deleted completed Sep 21 07:39:08.114024: | #1 spent 8.84 milliseconds in total Sep 21 07:39:08.114029: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:08.114034: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 18.466s and sending notification Sep 21 07:39:08.114037: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:39:08.114089: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:39:08.114093: | Opening output PBS informational exchange delete request Sep 21 07:39:08.114096: | **emit ISAKMP Message: Sep 21 07:39:08.114099: | initiator cookie: Sep 21 07:39:08.114101: | 15 00 5c f1 36 77 c5 dc Sep 21 07:39:08.114104: | responder cookie: Sep 21 07:39:08.114106: | e3 fe e0 15 e4 b7 70 02 Sep 21 07:39:08.114108: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:08.114111: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:08.114114: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:08.114116: | flags: none (0x0) Sep 21 07:39:08.114119: | Message ID: 1 (0x1) Sep 21 07:39:08.114121: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:08.114124: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:08.114127: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:08.114129: | flags: none (0x0) Sep 21 07:39:08.114133: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:08.114135: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:08.114138: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:08.114145: | ****emit IKEv2 Delete Payload: Sep 21 07:39:08.114148: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:08.114150: | flags: none (0x0) Sep 21 07:39:08.114152: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:39:08.114155: | SPI size: 0 (0x0) Sep 21 07:39:08.114157: | number of SPIs: 0 (0x0) Sep 21 07:39:08.114160: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:08.114163: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:08.114165: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:39:08.114168: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:08.114171: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:08.114174: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:08.114176: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:39:08.114179: | emitting length of ISAKMP Message: 65 Sep 21 07:39:08.114195: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Sep 21 07:39:08.114198: | 15 00 5c f1 36 77 c5 dc e3 fe e0 15 e4 b7 70 02 Sep 21 07:39:08.114201: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:39:08.114203: | 9a 0b bd 6b 5d 03 1d 08 07 97 f8 64 23 fa cc 60 Sep 21 07:39:08.114207: | 0b a5 47 b3 35 98 cf b9 01 8e 8e 40 79 5e 53 30 Sep 21 07:39:08.114209: | 1b Sep 21 07:39:08.114246: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:39:08.114250: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:39:08.114255: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:39:08.114260: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:39:08.114263: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:08.114267: | libevent_free: release ptr-libevent@0x56513f28fca0 Sep 21 07:39:08.114270: | free_event_entry: release EVENT_SA_REKEY-pe@0x56513f28fc60 Sep 21 07:39:08.114272: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:39:08.114275: | in connection_discard for connection eastnet-northnet Sep 21 07:39:08.114277: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:39:08.114280: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:39:08.114297: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:08.114312: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:08.114319: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:08.114324: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:08.114327: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:08.114355: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:08.114366: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:39:08.114369: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:08.114372: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:08.114375: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:08.114377: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:08.114380: | route owner of "eastnet-northnet" unrouted: NULL Sep 21 07:39:08.114383: | running updown command "ipsec _updown" for verb unroute Sep 21 07:39:08.114386: | command executing unroute-client Sep 21 07:39:08.114413: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Sep 21 07:39:08.114417: | popen cmd is 1042 chars long Sep 21 07:39:08.114420: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:39:08.114422: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:39:08.114425: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Sep 21 
07:39:08.114429: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:39:08.114431: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Sep 21 07:39:08.114433: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Sep 21 07:39:08.114435: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Sep 21 07:39:08.114437: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Sep 21 07:39:08.114439: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Sep 21 07:39:08.114442: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Sep 21 07:39:08.114444: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Sep 21 07:39:08.114445: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Sep 21 07:39:08.114447: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Sep 21 07:39:08.114448: | cmd(1040):&1: Sep 21 07:39:08.121624: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121634: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121636: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121638: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121641: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121642: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121643: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121937: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.121946: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:39:08.121948: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:08.125629: | free hp@0x56513f28da20 Sep 21 07:39:08.125638: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:08.125641: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:39:08.125645: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Sep 21 07:39:08.125647: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:08.125649: | pass 0 Sep 21 07:39:08.125651: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:08.125652: | pass 1 Sep 21 07:39:08.125653: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:08.125655: | free hp@0x56513f256a10 Sep 21 07:39:08.125657: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:08.125659: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Sep 21 07:39:08.125662: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:39:08.125664: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:39:08.125672: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:39:08.125674: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:39:08.125677: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:39:08.125678: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:39:08.125680: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:39:08.125682: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:39:08.125685: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:39:08.125692: | libevent_free: release ptr-libevent@0x56513f28a080 Sep 21 07:39:08.125694: | free_event_entry: release EVENT_NULL-pe@0x56513f273280 Sep 21 07:39:08.125702: | libevent_free: release ptr-libevent@0x56513f28a170 Sep 21 07:39:08.125703: | free_event_entry: release EVENT_NULL-pe@0x56513f28a130 Sep 21 07:39:08.125708: | libevent_free: release ptr-libevent@0x56513f28a260 Sep 21 07:39:08.125712: | free_event_entry: release EVENT_NULL-pe@0x56513f28a220 Sep 21 07:39:08.125717: | libevent_free: release ptr-libevent@0x56513f28a350 Sep 21 07:39:08.125719: | free_event_entry: release EVENT_NULL-pe@0x56513f28a310 Sep 21 07:39:08.125724: | libevent_free: release ptr-libevent@0x56513f28a440 Sep 21 07:39:08.125726: | free_event_entry: release EVENT_NULL-pe@0x56513f28a400 Sep 21 07:39:08.125730: | libevent_free: release ptr-libevent@0x56513f28a530 Sep 21 07:39:08.125732: | free_event_entry: release EVENT_NULL-pe@0x56513f28a4f0 Sep 21 07:39:08.125735: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:39:08.126149: | libevent_free: release ptr-libevent@0x56513f2899e0 Sep 21 07:39:08.126156: | free_event_entry: release EVENT_NULL-pe@0x56513f272500 Sep 21 07:39:08.126159: | libevent_free: release ptr-libevent@0x56513f27f470 Sep 21 07:39:08.126161: | free_event_entry: release EVENT_NULL-pe@0x56513f2727b0 Sep 21 07:39:08.126163: | libevent_free: release ptr-libevent@0x56513f27f3e0 Sep 21 07:39:08.126164: | free_event_entry: release EVENT_NULL-pe@0x56513f277f10 Sep 21 07:39:08.126166: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:39:08.126168: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:39:08.126170: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:39:08.126171: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:39:08.126173: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:39:08.126174: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:39:08.126176: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:39:08.126177: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:39:08.126179: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:39:08.126183: | libevent_free: release ptr-libevent@0x56513f289ab0 Sep 21 07:39:08.126185: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:39:08.126187: | libevent_free: release ptr-libevent@0x56513f289b90 Sep 21 07:39:08.126188: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:39:08.126190: | libevent_free: release ptr-libevent@0x56513f289c50 Sep 21 07:39:08.126192: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:39:08.126194: | libevent_free: release ptr-libevent@0x56513f27e6e0 Sep 21 07:39:08.126195: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:39:08.126196: | releasing event base Sep 21 07:39:08.126206: | libevent_free: release ptr-libevent@0x56513f289d10 Sep 21 07:39:08.126207: | libevent_free: release ptr-libevent@0x56513f25f250 Sep 21 07:39:08.126210: | libevent_free: 
release ptr-libevent@0x56513f26da90 Sep 21 07:39:08.126211: | libevent_free: release ptr-libevent@0x56513f26db60 Sep 21 07:39:08.126213: | libevent_free: release ptr-libevent@0x56513f26dab0 Sep 21 07:39:08.126215: | libevent_free: release ptr-libevent@0x56513f289a70 Sep 21 07:39:08.126216: | libevent_free: release ptr-libevent@0x56513f289b50 Sep 21 07:39:08.126217: | libevent_free: release ptr-libevent@0x56513f26db40 Sep 21 07:39:08.126219: | libevent_free: release ptr-libevent@0x56513f26dca0 Sep 21 07:39:08.126220: | libevent_free: release ptr-libevent@0x56513f272700 Sep 21 07:39:08.126222: | libevent_free: release ptr-libevent@0x56513f28a5c0 Sep 21 07:39:08.126223: | libevent_free: release ptr-libevent@0x56513f28a4d0 Sep 21 07:39:08.126225: | libevent_free: release ptr-libevent@0x56513f28a3e0 Sep 21 07:39:08.126226: | libevent_free: release ptr-libevent@0x56513f28a2f0 Sep 21 07:39:08.126227: | libevent_free: release ptr-libevent@0x56513f28a200 Sep 21 07:39:08.126229: | libevent_free: release ptr-libevent@0x56513f28a110 Sep 21 07:39:08.126230: | libevent_free: release ptr-libevent@0x56513f1f1370 Sep 21 07:39:08.126232: | libevent_free: release ptr-libevent@0x56513f289c30 Sep 21 07:39:08.126233: | libevent_free: release ptr-libevent@0x56513f289b70 Sep 21 07:39:08.126235: | libevent_free: release ptr-libevent@0x56513f289a90 Sep 21 07:39:08.126236: | libevent_free: release ptr-libevent@0x56513f289cf0 Sep 21 07:39:08.126240: | libevent_free: release ptr-libevent@0x56513f1ef5b0 Sep 21 07:39:08.126242: | libevent_free: release ptr-libevent@0x56513f26dad0 Sep 21 07:39:08.126244: | libevent_free: release ptr-libevent@0x56513f26db00 Sep 21 07:39:08.126245: | libevent_free: release ptr-libevent@0x56513f26d7f0 Sep 21 07:39:08.126247: | releasing global libevent data Sep 21 07:39:08.126249: | libevent_free: release ptr-libevent@0x56513f26c4e0 Sep 21 07:39:08.126250: | libevent_free: release ptr-libevent@0x56513f26d790 Sep 21 07:39:08.126252: | libevent_free: release 
ptr-libevent@0x56513f26d7c0