Sep 21 07:38:48.114977: FIPS Product: YES Sep 21 07:38:48.115023: FIPS Kernel: NO Sep 21 07:38:48.115026: FIPS Mode: NO Sep 21 07:38:48.115029: NSS DB directory: sql:/etc/ipsec.d Sep 21 07:38:48.115199: Initializing NSS Sep 21 07:38:48.115202: Opening NSS database "sql:/etc/ipsec.d" read-only Sep 21 07:38:48.165588: NSS initialized Sep 21 07:38:48.165599: NSS crypto library initialized Sep 21 07:38:48.165602: FIPS HMAC integrity support [enabled] Sep 21 07:38:48.165604: FIPS mode disabled for pluto daemon Sep 21 07:38:48.248859: FIPS HMAC integrity verification self-test FAILED Sep 21 07:38:48.248965: libcap-ng support [enabled] Sep 21 07:38:48.248974: Linux audit support [enabled] Sep 21 07:38:48.248998: Linux audit activated Sep 21 07:38:48.249005: Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:29285 Sep 21 07:38:48.249008: core dump dir: /tmp Sep 21 07:38:48.249010: secrets file: /etc/ipsec.secrets Sep 21 07:38:48.249012: leak-detective disabled Sep 21 07:38:48.249014: NSS crypto [enabled] Sep 21 07:38:48.249016: XAUTH PAM support [enabled] Sep 21 07:38:48.249186: | libevent is using pluto's memory allocator Sep 21 07:38:48.249196: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Sep 21 07:38:48.249212: | libevent_malloc: new ptr-libevent@0x55c59fd274e0 size 40 Sep 21 07:38:48.249233: | libevent_malloc: new ptr-libevent@0x55c59fd28790 size 40 Sep 21 07:38:48.249238: | libevent_malloc: new ptr-libevent@0x55c59fd287c0 size 40 Sep 21 07:38:48.249240: | creating event base Sep 21 07:38:48.249243: | libevent_malloc: new ptr-libevent@0x55c59fd28750 size 56 Sep 21 07:38:48.249246: | libevent_malloc: new ptr-libevent@0x55c59fd287f0 size 664 Sep 21 07:38:48.249257: | libevent_malloc: new 
ptr-libevent@0x55c59fd28a90 size 24 Sep 21 07:38:48.249261: | libevent_malloc: new ptr-libevent@0x55c59fd1a250 size 384 Sep 21 07:38:48.249273: | libevent_malloc: new ptr-libevent@0x55c59fd28ab0 size 16 Sep 21 07:38:48.249276: | libevent_malloc: new ptr-libevent@0x55c59fd28ad0 size 40 Sep 21 07:38:48.249279: | libevent_malloc: new ptr-libevent@0x55c59fd28b00 size 48 Sep 21 07:38:48.249286: | libevent_realloc: new ptr-libevent@0x55c59fcac370 size 256 Sep 21 07:38:48.249289: | libevent_malloc: new ptr-libevent@0x55c59fd28b40 size 16 Sep 21 07:38:48.249295: | libevent_free: release ptr-libevent@0x55c59fd28750 Sep 21 07:38:48.249299: | libevent initialized Sep 21 07:38:48.249303: | libevent_realloc: new ptr-libevent@0x55c59fd28b60 size 64 Sep 21 07:38:48.249309: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Sep 21 07:38:48.249324: | init_nat_traversal() initialized with keep_alive=0s Sep 21 07:38:48.249327: NAT-Traversal support [enabled] Sep 21 07:38:48.249330: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Sep 21 07:38:48.249336: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Sep 21 07:38:48.249339: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Sep 21 07:38:48.249377: | global one-shot timer EVENT_REVIVE_CONNS initialized Sep 21 07:38:48.249381: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Sep 21 07:38:48.249385: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Sep 21 07:38:48.249439: Encryption algorithms: Sep 21 07:38:48.249446: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c Sep 21 07:38:48.249450: AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b Sep 21 07:38:48.249454: AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a Sep 21 07:38:48.249457: 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des Sep 21 07:38:48.249460: CAMELLIA_CTR IKEv1: ESP 
IKEv2: ESP {256,192,*128} Sep 21 07:38:48.249471: CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia Sep 21 07:38:48.249474: AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c Sep 21 07:38:48.249478: AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b Sep 21 07:38:48.249482: AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a Sep 21 07:38:48.249485: AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr Sep 21 07:38:48.249488: AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes Sep 21 07:38:48.249491: SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent Sep 21 07:38:48.249495: TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish Sep 21 07:38:48.249498: TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh Sep 21 07:38:48.249502: NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac Sep 21 07:38:48.249504: NULL IKEv1: ESP IKEv2: ESP [] Sep 21 07:38:48.249508: CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Sep 21 07:38:48.249515: Hash algorithms: Sep 21 07:38:48.249518: MD5 IKEv1: IKE IKEv2: Sep 21 07:38:48.249521: SHA1 IKEv1: IKE IKEv2: FIPS sha Sep 21 07:38:48.249524: SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 Sep 21 07:38:48.249526: SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 Sep 21 07:38:48.249529: SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 Sep 21 07:38:48.249546: PRF algorithms: Sep 21 07:38:48.249549: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 Sep 21 07:38:48.249552: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 Sep 21 07:38:48.249556: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 Sep 21 07:38:48.249559: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 Sep 21 07:38:48.249562: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 Sep 21 07:38:48.249565: AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Sep 21 07:38:48.249591: Integrity algorithms: Sep 21 07:38:48.249595: HMAC_MD5_96 IKEv1: IKE ESP 
AH IKEv2: IKE ESP AH md5, hmac_md5 Sep 21 07:38:48.249599: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 Sep 21 07:38:48.249603: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Sep 21 07:38:48.249606: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Sep 21 07:38:48.249610: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Sep 21 07:38:48.249613: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Sep 21 07:38:48.249617: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 Sep 21 07:38:48.249620: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Sep 21 07:38:48.249623: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Sep 21 07:38:48.249636: DH algorithms: Sep 21 07:38:48.249639: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 Sep 21 07:38:48.249643: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 Sep 21 07:38:48.249646: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 Sep 21 07:38:48.249652: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 Sep 21 07:38:48.249655: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 Sep 21 07:38:48.249658: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 Sep 21 07:38:48.249661: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 Sep 21 07:38:48.249664: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 Sep 21 07:38:48.249667: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 Sep 21 07:38:48.249671: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 Sep 21 07:38:48.249674: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 Sep 21 07:38:48.249676: testing CAMELLIA_CBC: Sep 21 07:38:48.249679: Camellia: 16 bytes with 128-bit key Sep 21 07:38:48.249819: Camellia: 16 bytes with 128-bit key Sep 21 07:38:48.249857: Camellia: 16 bytes with 256-bit key Sep 21 07:38:48.249890: Camellia: 
16 bytes with 256-bit key Sep 21 07:38:48.249920: testing AES_GCM_16: Sep 21 07:38:48.249923: empty string Sep 21 07:38:48.249952: one block Sep 21 07:38:48.249979: two blocks Sep 21 07:38:48.250006: two blocks with associated data Sep 21 07:38:48.250035: testing AES_CTR: Sep 21 07:38:48.250039: Encrypting 16 octets using AES-CTR with 128-bit key Sep 21 07:38:48.250067: Encrypting 32 octets using AES-CTR with 128-bit key Sep 21 07:38:48.250094: Encrypting 36 octets using AES-CTR with 128-bit key Sep 21 07:38:48.250121: Encrypting 16 octets using AES-CTR with 192-bit key Sep 21 07:38:48.250147: Encrypting 32 octets using AES-CTR with 192-bit key Sep 21 07:38:48.250175: Encrypting 36 octets using AES-CTR with 192-bit key Sep 21 07:38:48.250203: Encrypting 16 octets using AES-CTR with 256-bit key Sep 21 07:38:48.250228: Encrypting 32 octets using AES-CTR with 256-bit key Sep 21 07:38:48.250256: Encrypting 36 octets using AES-CTR with 256-bit key Sep 21 07:38:48.250285: testing AES_CBC: Sep 21 07:38:48.250289: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Sep 21 07:38:48.250318: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Sep 21 07:38:48.250349: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Sep 21 07:38:48.250380: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Sep 21 07:38:48.250417: testing AES_XCBC: Sep 21 07:38:48.250421: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input Sep 21 07:38:48.250545: RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input Sep 21 07:38:48.250679: RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input Sep 21 07:38:48.250812: RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input Sep 21 07:38:48.250941: RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input Sep 21 07:38:48.251067: RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input Sep 21 07:38:48.251193: RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input Sep 21 07:38:48.251471: RFC 4434 Test Case 
AES-XCBC-PRF-128 with 20-byte input (key length 16) Sep 21 07:38:48.251592: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Sep 21 07:38:48.252781: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) Sep 21 07:38:48.253037: testing HMAC_MD5: Sep 21 07:38:48.253042: RFC 2104: MD5_HMAC test 1 Sep 21 07:38:48.253238: RFC 2104: MD5_HMAC test 2 Sep 21 07:38:48.253399: RFC 2104: MD5_HMAC test 3 Sep 21 07:38:48.253592: 8 CPU cores online Sep 21 07:38:48.253596: starting up 7 crypto helpers Sep 21 07:38:48.253632: started thread for crypto helper 0 Sep 21 07:38:48.253655: started thread for crypto helper 1 Sep 21 07:38:48.253684: started thread for crypto helper 2 Sep 21 07:38:48.253706: started thread for crypto helper 3 Sep 21 07:38:48.253728: started thread for crypto helper 4 Sep 21 07:38:48.253750: started thread for crypto helper 5 Sep 21 07:38:48.253776: started thread for crypto helper 6 Sep 21 07:38:48.253788: | checking IKEv1 state table Sep 21 07:38:48.253800: | MAIN_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:48.253803: | -> MAIN_R1 EVENT_SO_DISCARD Sep 21 07:38:48.253806: | MAIN_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:48.253808: | -> MAIN_I2 EVENT_RETRANSMIT Sep 21 07:38:48.253811: | MAIN_R1: category: open IKE SA flags: 200: Sep 21 07:38:48.253814: | -> MAIN_R2 EVENT_RETRANSMIT Sep 21 07:38:48.253817: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:48.253819: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:48.253822: | MAIN_I2: category: open IKE SA flags: 0: Sep 21 07:38:48.253824: | -> MAIN_I3 EVENT_RETRANSMIT Sep 21 07:38:48.253826: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:48.253828: | -> UNDEFINED EVENT_RETRANSMIT Sep 21 07:38:48.253831: | MAIN_R2: category: open IKE SA flags: 0: Sep 21 07:38:48.253833: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:48.253835: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:48.253837: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:48.253840: | MAIN_I3: category: open 
IKE SA flags: 0: Sep 21 07:38:48.253842: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:48.253844: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:48.253846: | -> UNDEFINED EVENT_SA_REPLACE Sep 21 07:38:48.253849: | MAIN_R3: category: established IKE SA flags: 200: Sep 21 07:38:48.253851: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253853: | MAIN_I4: category: established IKE SA flags: 0: Sep 21 07:38:48.253855: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253857: | AGGR_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:48.253859: | -> AGGR_R1 EVENT_SO_DISCARD Sep 21 07:38:48.253862: | AGGR_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:48.253864: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:48.253866: | -> AGGR_I2 EVENT_SA_REPLACE Sep 21 07:38:48.253868: | AGGR_R1: category: open IKE SA flags: 200: Sep 21 07:38:48.253870: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:48.253872: | -> AGGR_R2 EVENT_SA_REPLACE Sep 21 07:38:48.253875: | AGGR_I2: category: established IKE SA flags: 200: Sep 21 07:38:48.253877: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253879: | AGGR_R2: category: established IKE SA flags: 0: Sep 21 07:38:48.253882: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253884: | QUICK_R0: category: established CHILD SA flags: 0: Sep 21 07:38:48.253886: | -> QUICK_R1 EVENT_RETRANSMIT Sep 21 07:38:48.253889: | QUICK_I1: category: established CHILD SA flags: 0: Sep 21 07:38:48.253891: | -> QUICK_I2 EVENT_SA_REPLACE Sep 21 07:38:48.253894: | QUICK_R1: category: established CHILD SA flags: 0: Sep 21 07:38:48.253896: | -> QUICK_R2 EVENT_SA_REPLACE Sep 21 07:38:48.253899: | QUICK_I2: category: established CHILD SA flags: 200: Sep 21 07:38:48.253901: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253904: | QUICK_R2: category: established CHILD SA flags: 0: Sep 21 07:38:48.253906: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253909: | INFO: category: informational flags: 0: Sep 21 07:38:48.253911: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253913: | INFO_PROTECTED: category: informational 
flags: 0: Sep 21 07:38:48.253916: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253918: | XAUTH_R0: category: established IKE SA flags: 0: Sep 21 07:38:48.253920: | -> XAUTH_R1 EVENT_NULL Sep 21 07:38:48.253923: | XAUTH_R1: category: established IKE SA flags: 0: Sep 21 07:38:48.253925: | -> MAIN_R3 EVENT_SA_REPLACE Sep 21 07:38:48.253927: | MODE_CFG_R0: category: informational flags: 0: Sep 21 07:38:48.253930: | -> MODE_CFG_R1 EVENT_SA_REPLACE Sep 21 07:38:48.253932: | MODE_CFG_R1: category: established IKE SA flags: 0: Sep 21 07:38:48.253934: | -> MODE_CFG_R2 EVENT_SA_REPLACE Sep 21 07:38:48.253937: | MODE_CFG_R2: category: established IKE SA flags: 0: Sep 21 07:38:48.253939: | -> UNDEFINED EVENT_NULL Sep 21 07:38:48.253942: | MODE_CFG_I1: category: established IKE SA flags: 0: Sep 21 07:38:48.253947: | -> MAIN_I4 EVENT_SA_REPLACE Sep 21 07:38:48.253950: | XAUTH_I0: category: established IKE SA flags: 0: Sep 21 07:38:48.253952: | -> XAUTH_I1 EVENT_RETRANSMIT Sep 21 07:38:48.253955: | XAUTH_I1: category: established IKE SA flags: 0: Sep 21 07:38:48.253957: | -> MAIN_I4 EVENT_RETRANSMIT Sep 21 07:38:48.253963: | checking IKEv2 state table Sep 21 07:38:48.253969: | PARENT_I0: category: ignore flags: 0: Sep 21 07:38:48.253972: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Sep 21 07:38:48.253974: | PARENT_I1: category: half-open IKE SA flags: 0: Sep 21 07:38:48.253977: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) Sep 21 07:38:48.253980: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) Sep 21 07:38:48.253983: | PARENT_I2: category: open IKE SA flags: 0: Sep 21 07:38:48.253986: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Sep 21 07:38:48.253988: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Sep 21 07:38:48.253991: | -> PARENT_I2 EVENT_NULL (Initiator: process 
UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Sep 21 07:38:48.253994: | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Sep 21 07:38:48.253996: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Sep 21 07:38:48.253999: | PARENT_I3: category: established IKE SA flags: 0: Sep 21 07:38:48.254001: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) Sep 21 07:38:48.254004: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) Sep 21 07:38:48.254006: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) Sep 21 07:38:48.254009: | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) Sep 21 07:38:48.254011: | PARENT_R0: category: half-open IKE SA flags: 0: Sep 21 07:38:48.254014: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) Sep 21 07:38:48.254017: | PARENT_R1: category: half-open IKE SA flags: 0: Sep 21 07:38:48.254019: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) Sep 21 07:38:48.254022: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) Sep 21 07:38:48.254025: | PARENT_R2: category: established IKE SA flags: 0: Sep 21 07:38:48.254027: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) Sep 21 07:38:48.254029: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) Sep 21 07:38:48.254031: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) Sep 21 07:38:48.254034: | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) Sep 21 07:38:48.254036: | V2_CREATE_I0: category: established IKE SA flags: 0: Sep 21 07:38:48.254039: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Sep 21 07:38:48.254041: | V2_CREATE_I: category: established IKE SA flags: 0: Sep 21 07:38:48.254044: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Sep 21 07:38:48.254046: | V2_REKEY_IKE_I0: category: established IKE SA 
flags: 0: Sep 21 07:38:48.254048: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:48.254050: | V2_REKEY_IKE_I: category: established IKE SA flags: 0: Sep 21 07:38:48.254053: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Sep 21 07:38:48.254055: | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: Sep 21 07:38:48.254058: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Sep 21 07:38:48.254060: | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: Sep 21 07:38:48.254063: | V2_CREATE_R: category: established IKE SA flags: 0: Sep 21 07:38:48.254065: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) Sep 21 07:38:48.254070: | V2_REKEY_IKE_R: category: established IKE SA flags: 0: Sep 21 07:38:48.254073: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) Sep 21 07:38:48.254076: | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: Sep 21 07:38:48.254079: | V2_IPSEC_I: category: established CHILD SA flags: 0: Sep 21 07:38:48.254082: | V2_IPSEC_R: category: established CHILD SA flags: 0: Sep 21 07:38:48.254084: | IKESA_DEL: category: established IKE SA flags: 0: Sep 21 07:38:48.254087: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Sep 21 07:38:48.254090: | CHILDSA_DEL: category: informational flags: 0: Sep 21 07:38:48.254134: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ Sep 21 07:38:48.254204: | Hard-wiring algorithms Sep 21 07:38:48.254209: | adding AES_CCM_16 to kernel algorithm db Sep 21 07:38:48.254213: | adding AES_CCM_12 to kernel algorithm db Sep 21 07:38:48.254215: | adding AES_CCM_8 to kernel algorithm db Sep 21 07:38:48.254218: | adding 3DES_CBC to kernel algorithm db Sep 21 07:38:48.254220: | adding CAMELLIA_CBC to kernel algorithm db Sep 21 07:38:48.254223: | adding AES_GCM_16 to kernel algorithm db Sep 21 
07:38:48.254225: | adding AES_GCM_12 to kernel algorithm db Sep 21 07:38:48.254227: | adding AES_GCM_8 to kernel algorithm db Sep 21 07:38:48.254229: | adding AES_CTR to kernel algorithm db Sep 21 07:38:48.254232: | adding AES_CBC to kernel algorithm db Sep 21 07:38:48.254234: | adding SERPENT_CBC to kernel algorithm db Sep 21 07:38:48.254236: | adding TWOFISH_CBC to kernel algorithm db Sep 21 07:38:48.254239: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Sep 21 07:38:48.254241: | adding NULL to kernel algorithm db Sep 21 07:38:48.254244: | adding CHACHA20_POLY1305 to kernel algorithm db Sep 21 07:38:48.254246: | adding HMAC_MD5_96 to kernel algorithm db Sep 21 07:38:48.254249: | adding HMAC_SHA1_96 to kernel algorithm db Sep 21 07:38:48.254251: | adding HMAC_SHA2_512_256 to kernel algorithm db Sep 21 07:38:48.254254: | adding HMAC_SHA2_384_192 to kernel algorithm db Sep 21 07:38:48.254256: | adding HMAC_SHA2_256_128 to kernel algorithm db Sep 21 07:38:48.254259: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Sep 21 07:38:48.254262: | adding AES_XCBC_96 to kernel algorithm db Sep 21 07:38:48.254264: | adding AES_CMAC_96 to kernel algorithm db Sep 21 07:38:48.254267: | adding NONE to kernel algorithm db Sep 21 07:38:48.254291: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Sep 21 07:38:48.254298: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Sep 21 07:38:48.254301: | setup kernel fd callback Sep 21 07:38:48.254305: | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55c59fd32f10 Sep 21 07:38:48.254308: | libevent_malloc: new ptr-libevent@0x55c59fd3a3e0 size 128 Sep 21 07:38:48.254312: | libevent_malloc: new ptr-libevent@0x55c59fd28ca0 size 16 Sep 21 07:38:48.254319: | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55c59fd2d7b0 Sep 21 07:38:48.254322: | libevent_malloc: new ptr-libevent@0x55c59fd3a470 size 128 Sep 21 07:38:48.254325: | libevent_malloc: new ptr-libevent@0x55c59fd2d700 size 16 Sep 21 
07:38:48.254562: | global one-shot timer EVENT_CHECK_CRLS initialized Sep 21 07:38:48.254571: selinux support is enabled. Sep 21 07:38:48.254651: systemd watchdog not enabled - not sending watchdog keepalives Sep 21 07:38:48.254843: | unbound context created - setting debug level to 5 Sep 21 07:38:48.254880: | /etc/hosts lookups activated Sep 21 07:38:48.254900: | /etc/resolv.conf usage activated Sep 21 07:38:48.254957: | outgoing-port-avoid set 0-65535 Sep 21 07:38:48.254983: | outgoing-port-permit set 32768-60999 Sep 21 07:38:48.254987: | Loading dnssec root key from:/var/lib/unbound/root.key Sep 21 07:38:48.254990: | No additional dnssec trust anchors defined via dnssec-trusted= option Sep 21 07:38:48.254993: | Setting up events, loop start Sep 21 07:38:48.254996: | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55c59fd2d500 Sep 21 07:38:48.255003: | libevent_malloc: new ptr-libevent@0x55c59fd449e0 size 128 Sep 21 07:38:48.255007: | libevent_malloc: new ptr-libevent@0x55c59fd44a70 size 16 Sep 21 07:38:48.255013: | libevent_realloc: new ptr-libevent@0x55c59fcaa5b0 size 256 Sep 21 07:38:48.255016: | libevent_malloc: new ptr-libevent@0x55c59fd44a90 size 8 Sep 21 07:38:48.255020: | libevent_realloc: new ptr-libevent@0x55c59fd396e0 size 144 Sep 21 07:38:48.255022: | libevent_malloc: new ptr-libevent@0x55c59fd44ab0 size 152 Sep 21 07:38:48.255026: | libevent_malloc: new ptr-libevent@0x55c59fd44b50 size 16 Sep 21 07:38:48.255030: | signal event handler PLUTO_SIGCHLD installed Sep 21 07:38:48.255033: | libevent_malloc: new ptr-libevent@0x55c59fd44b70 size 8 Sep 21 07:38:48.255036: | libevent_malloc: new ptr-libevent@0x55c59fd44b90 size 152 Sep 21 07:38:48.255039: | signal event handler PLUTO_SIGTERM installed Sep 21 07:38:48.255042: | libevent_malloc: new ptr-libevent@0x55c59fd44c30 size 8 Sep 21 07:38:48.255045: | libevent_malloc: new ptr-libevent@0x55c59fd44c50 size 152 Sep 21 07:38:48.255048: | signal event handler PLUTO_SIGHUP installed Sep 21 07:38:48.255050: | 
libevent_malloc: new ptr-libevent@0x55c59fd44cf0 size 8 Sep 21 07:38:48.255054: | libevent_realloc: release ptr-libevent@0x55c59fd396e0 Sep 21 07:38:48.255057: | libevent_realloc: new ptr-libevent@0x55c59fd44d10 size 256 Sep 21 07:38:48.255059: | libevent_malloc: new ptr-libevent@0x55c59fd396e0 size 152 Sep 21 07:38:48.255062: | signal event handler PLUTO_SIGSYS installed Sep 21 07:38:48.255493: | created addconn helper (pid:29452) using fork+execve Sep 21 07:38:48.255505: | forked child 29452 Sep 21 07:38:48.255544: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:48.255563: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:48.255571: listening for IKE messages Sep 21 07:38:48.255615: | Inspecting interface lo Sep 21 07:38:48.255622: | found lo with address 127.0.0.1 Sep 21 07:38:48.255625: | Inspecting interface eth0 Sep 21 07:38:48.255629: | found eth0 with address 192.0.2.254 Sep 21 07:38:48.255632: | Inspecting interface eth1 Sep 21 07:38:48.255636: | found eth1 with address 192.1.2.23 Sep 21 07:38:48.255684: Kernel supports NIC esp-hw-offload Sep 21 07:38:48.255696: adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 Sep 21 07:38:48.255722: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:48.255728: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:48.255731: adding interface eth1/eth1 192.1.2.23:4500 Sep 21 07:38:48.255761: adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 Sep 21 07:38:48.255789: | NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:48.255796: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:48.255800: adding interface eth0/eth0 192.0.2.254:4500 Sep 21 07:38:48.255829: adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 Sep 21 07:38:48.255851: | 
NAT-Traversal: Trying sockopt style NAT-T Sep 21 07:38:48.255855: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Sep 21 07:38:48.255859: adding interface lo/lo 127.0.0.1:4500 Sep 21 07:38:48.255898: | starting up helper thread 0 Sep 21 07:38:48.255915: | status value returned by setting the priority of this thread (crypto helper 0) 22 Sep 21 07:38:48.255926: | crypto helper 0 waiting (nothing to do) Sep 21 07:38:48.255935: | no interfaces to sort Sep 21 07:38:48.255942: | starting up helper thread 3 Sep 21 07:38:48.255953: | status value returned by setting the priority of this thread (crypto helper 3) 22 Sep 21 07:38:48.255959: | crypto helper 3 waiting (nothing to do) Sep 21 07:38:48.255943: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Sep 21 07:38:48.255975: | starting up helper thread 5 Sep 21 07:38:48.255979: | add_fd_read_event_handler: new ethX-pe@0x55c59fd2e280 Sep 21 07:38:48.255980: | status value returned by setting the priority of this thread (crypto helper 5) 22 Sep 21 07:38:48.256000: | crypto helper 5 waiting (nothing to do) Sep 21 07:38:48.255994: | libevent_malloc: new ptr-libevent@0x55c59fd45080 size 128 Sep 21 07:38:48.256011: | libevent_malloc: new ptr-libevent@0x55c59fd45110 size 16 Sep 21 07:38:48.256022: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:48.256025: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45130 Sep 21 07:38:48.256028: | libevent_malloc: new ptr-libevent@0x55c59fd45170 size 128 Sep 21 07:38:48.256032: | libevent_malloc: new ptr-libevent@0x55c59fd45200 size 16 Sep 21 07:38:48.256037: | setup callback for interface lo 127.0.0.1:500 fd 21 Sep 21 07:38:48.256040: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45220 Sep 21 07:38:48.256042: | libevent_malloc: new ptr-libevent@0x55c59fd45260 size 128 Sep 21 07:38:48.256045: | libevent_malloc: new ptr-libevent@0x55c59fd452f0 size 16 Sep 21 07:38:48.256050: | setup callback for interface eth0 192.0.2.254:4500 
fd 20 Sep 21 07:38:48.256053: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45310 Sep 21 07:38:48.256056: | libevent_malloc: new ptr-libevent@0x55c59fd45350 size 128 Sep 21 07:38:48.256059: | libevent_malloc: new ptr-libevent@0x55c59fd453e0 size 16 Sep 21 07:38:48.256064: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:48.256067: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45400 Sep 21 07:38:48.256070: | libevent_malloc: new ptr-libevent@0x55c59fd45440 size 128 Sep 21 07:38:48.256073: | libevent_malloc: new ptr-libevent@0x55c59fd454d0 size 16 Sep 21 07:38:48.256078: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:38:48.256081: | add_fd_read_event_handler: new ethX-pe@0x55c59fd454f0 Sep 21 07:38:48.256084: | libevent_malloc: new ptr-libevent@0x55c59fd45530 size 128 Sep 21 07:38:48.256086: | libevent_malloc: new ptr-libevent@0x55c59fd455c0 size 16 Sep 21 07:38:48.256092: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:38:48.256098: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:48.256101: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:48.256122: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:48.256137: | Processing PSK at line 1: passed Sep 21 07:38:48.256141: | certs and keys locked by 'process_secret' Sep 21 07:38:48.256144: | certs and keys unlocked by 'process_secret' Sep 21 07:38:48.256149: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:48.256159: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:48.256167: | spent 0.611 milliseconds in whack Sep 21 07:38:48.256823: | starting up helper thread 1 Sep 21 07:38:48.256837: | status value returned by setting the priority of this thread (crypto helper 1) 22 Sep 21 07:38:48.256840: | crypto helper 1 waiting (nothing to do) Sep 21 07:38:48.261896: | starting up helper thread 4 Sep 21 07:38:48.261914: | status value returned by setting the priority of this 
thread (crypto helper 4) 22 Sep 21 07:38:48.261918: | crypto helper 4 waiting (nothing to do) Sep 21 07:38:48.267134: | starting up helper thread 2 Sep 21 07:38:48.267151: | status value returned by setting the priority of this thread (crypto helper 2) 22 Sep 21 07:38:48.267155: | crypto helper 2 waiting (nothing to do) Sep 21 07:38:48.267165: | starting up helper thread 6 Sep 21 07:38:48.267170: | status value returned by setting the priority of this thread (crypto helper 6) 22 Sep 21 07:38:48.267172: | crypto helper 6 waiting (nothing to do) Sep 21 07:38:48.299823: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:48.299852: | pluto_sd: executing action action: reloading(4), status 0 Sep 21 07:38:48.299857: listening for IKE messages Sep 21 07:38:48.299891: | Inspecting interface lo Sep 21 07:38:48.299897: | found lo with address 127.0.0.1 Sep 21 07:38:48.299900: | Inspecting interface eth0 Sep 21 07:38:48.299904: | found eth0 with address 192.0.2.254 Sep 21 07:38:48.299912: | Inspecting interface eth1 Sep 21 07:38:48.299916: | found eth1 with address 192.1.2.23 Sep 21 07:38:48.299983: | no interfaces to sort Sep 21 07:38:48.299991: | libevent_free: release ptr-libevent@0x55c59fd45080 Sep 21 07:38:48.299994: | free_event_entry: release EVENT_NULL-pe@0x55c59fd2e280 Sep 21 07:38:48.299997: | add_fd_read_event_handler: new ethX-pe@0x55c59fd2e280 Sep 21 07:38:48.300000: | libevent_malloc: new ptr-libevent@0x55c59fd45080 size 128 Sep 21 07:38:48.300008: | setup callback for interface lo 127.0.0.1:4500 fd 22 Sep 21 07:38:48.300011: | libevent_free: release ptr-libevent@0x55c59fd45170 Sep 21 07:38:48.300014: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45130 Sep 21 07:38:48.300017: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45130 Sep 21 07:38:48.300019: | libevent_malloc: new ptr-libevent@0x55c59fd45170 size 128 Sep 21 07:38:48.300024: | setup callback for interface lo 
127.0.0.1:500 fd 21 Sep 21 07:38:48.300027: | libevent_free: release ptr-libevent@0x55c59fd45260 Sep 21 07:38:48.300030: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45220 Sep 21 07:38:48.300032: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45220 Sep 21 07:38:48.300035: | libevent_malloc: new ptr-libevent@0x55c59fd45260 size 128 Sep 21 07:38:48.300039: | setup callback for interface eth0 192.0.2.254:4500 fd 20 Sep 21 07:38:48.300043: | libevent_free: release ptr-libevent@0x55c59fd45350 Sep 21 07:38:48.300045: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45310 Sep 21 07:38:48.300048: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45310 Sep 21 07:38:48.300050: | libevent_malloc: new ptr-libevent@0x55c59fd45350 size 128 Sep 21 07:38:48.300055: | setup callback for interface eth0 192.0.2.254:500 fd 19 Sep 21 07:38:48.300058: | libevent_free: release ptr-libevent@0x55c59fd45440 Sep 21 07:38:48.300060: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45400 Sep 21 07:38:48.300063: | add_fd_read_event_handler: new ethX-pe@0x55c59fd45400 Sep 21 07:38:48.300065: | libevent_malloc: new ptr-libevent@0x55c59fd45440 size 128 Sep 21 07:38:48.300070: | setup callback for interface eth1 192.1.2.23:4500 fd 18 Sep 21 07:38:48.300073: | libevent_free: release ptr-libevent@0x55c59fd45530 Sep 21 07:38:48.300076: | free_event_entry: release EVENT_NULL-pe@0x55c59fd454f0 Sep 21 07:38:48.300078: | add_fd_read_event_handler: new ethX-pe@0x55c59fd454f0 Sep 21 07:38:48.300081: | libevent_malloc: new ptr-libevent@0x55c59fd45530 size 128 Sep 21 07:38:48.300085: | setup callback for interface eth1 192.1.2.23:500 fd 17 Sep 21 07:38:48.300088: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:38:48.300091: forgetting secrets Sep 21 07:38:48.300096: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:38:48.300109: loading secrets from "/etc/ipsec.secrets" Sep 21 07:38:48.300116: | Processing PSK at line 1: passed Sep 21 07:38:48.300118: | certs and keys 
locked by 'process_secret' Sep 21 07:38:48.300121: | certs and keys unlocked by 'process_secret' Sep 21 07:38:48.300125: | pluto_sd: executing action action: ready(5), status 0 Sep 21 07:38:48.300132: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:48.300138: | spent 0.317 milliseconds in whack Sep 21 07:38:48.300567: | processing signal PLUTO_SIGCHLD Sep 21 07:38:48.300577: | waitpid returned pid 29452 (exited with status 0) Sep 21 07:38:48.300581: | reaped addconn helper child (status 0) Sep 21 07:38:48.300585: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:48.300589: | spent 0.0153 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:48.422823: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:38:48.422856: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:48.422861: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:38:48.422864: | FOR_EACH_CONNECTION_... in conn_by_name Sep 21 07:38:48.422867: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Sep 21 07:38:48.422873: | FOR_EACH_CONNECTION_... 
in conn_by_name Sep 21 07:38:48.422921: | Added new connection eastnet-northnet with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:48.422979: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Sep 21 07:38:48.422986: | from whack: got --esp=aes_gcm Sep 21 07:38:48.422992: | ESP/AH string values: AES_GCM_16-NONE Sep 21 07:38:48.422995: | counting wild cards for (none) is 15 Sep 21 07:38:48.423001: | counting wild cards for 192.1.2.23 is 0 Sep 21 07:38:48.423006: | based upon policy, the connection is a template. Sep 21 07:38:48.423013: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none Sep 21 07:38:48.423017: | new hp@0x55c59fd11a10 Sep 21 07:38:48.423021: added connection description "eastnet-northnet" Sep 21 07:38:48.423030: | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO Sep 21 07:38:48.423039: | 192.0.2.0/24===192.1.2.23<192.1.2.23>...%any===192.0.3.0/24 Sep 21 07:38:48.423044: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:38:48.423051: | spent 0.229 milliseconds in whack Sep 21 07:38:50.504549: | spent 0.00338 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:50.504584: | *received 828 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:38:50.504709: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:50.504713: | **parse ISAKMP Message: Sep 21 07:38:50.504716: | initiator cookie: Sep 21 07:38:50.504718: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.504720: | responder cookie: Sep 21 07:38:50.504722: | 00 00 00 00 00 00 00 00 Sep 21
07:38:50.504725: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:50.504728: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:50.504730: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:50.504733: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:50.504735: | Message ID: 0 (0x0) Sep 21 07:38:50.504738: | length: 828 (0x33c) Sep 21 07:38:50.504741: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Sep 21 07:38:50.504745: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Sep 21 07:38:50.504749: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Sep 21 07:38:50.504752: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:50.504756: | ***parse IKEv2 Security Association Payload: Sep 21 07:38:50.504758: | next payload type: ISAKMP_NEXT_v2KE (0x22) Sep 21 07:38:50.504760: | flags: none (0x0) Sep 21 07:38:50.504763: | length: 436 (0x1b4) Sep 21 07:38:50.504765: | processing payload: ISAKMP_NEXT_v2SA (len=432) Sep 21 07:38:50.504768: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Sep 21 07:38:50.504770: | ***parse IKEv2 Key Exchange Payload: Sep 21 07:38:50.504773: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Sep 21 07:38:50.504775: | flags: none (0x0) Sep 21 07:38:50.504777: | length: 264 (0x108) Sep 21 07:38:50.504778: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.504780: | processing payload: ISAKMP_NEXT_v2KE (len=256) Sep 21 07:38:50.504781: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Sep 21 07:38:50.504790: | ***parse IKEv2 Nonce Payload: Sep 21 07:38:50.504795: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:50.504797: | flags: none (0x0) Sep 21 07:38:50.504798: | length: 36 (0x24) Sep 21 07:38:50.504800: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Sep 21 07:38:50.504801: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:50.504806: | ***parse IKEv2 Notify Payload: Sep 21 07:38:50.504807: | 
next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:50.504809: | flags: none (0x0) Sep 21 07:38:50.504810: | length: 8 (0x8) Sep 21 07:38:50.504812: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.504813: | SPI size: 0 (0x0) Sep 21 07:38:50.504815: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:50.504817: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:50.504818: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:50.504820: | ***parse IKEv2 Notify Payload: Sep 21 07:38:50.504821: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:50.504823: | flags: none (0x0) Sep 21 07:38:50.504824: | length: 28 (0x1c) Sep 21 07:38:50.504826: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.504827: | SPI size: 0 (0x0) Sep 21 07:38:50.504828: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:50.504830: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:50.504831: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:50.504833: | ***parse IKEv2 Notify Payload: Sep 21 07:38:50.504834: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.504836: | flags: none (0x0) Sep 21 07:38:50.504837: | length: 28 (0x1c) Sep 21 07:38:50.504839: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.504840: | SPI size: 0 (0x0) Sep 21 07:38:50.504842: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:50.504843: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:50.504845: | DDOS disabled and no cookie sent, continuing Sep 21 07:38:50.504849: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504851: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:50.504853: | find_next_host_connection returns empty Sep 21 07:38:50.504855: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504858: | 
find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:50.504860: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Sep 21 07:38:50.504863: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:50.504864: | find_next_host_connection returns empty Sep 21 07:38:50.504867: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Sep 21 07:38:50.504869: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504871: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:50.504873: | find_next_host_connection returns empty Sep 21 07:38:50.504875: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504877: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:50.504879: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Sep 21 07:38:50.504881: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:50.504882: | find_next_host_connection returns empty Sep 21 07:38:50.504885: | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Sep 21 07:38:50.504887: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504889: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:50.504890: | find_next_host_connection returns empty Sep 21 07:38:50.504893: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Sep 21 07:38:50.504895: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:50.504898: | find_next_host_connection policy=PSK+IKEV2_ALLOW 
Sep 21 07:38:50.504900: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO (eastnet-northnet) Sep 21 07:38:50.504902: | find_next_host_connection returns eastnet-northnet Sep 21 07:38:50.504903: | find_next_host_connection policy=PSK+IKEV2_ALLOW Sep 21 07:38:50.504905: | find_next_host_connection returns empty Sep 21 07:38:50.504906: | rw_instantiate Sep 21 07:38:50.504912: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Sep 21 07:38:50.504916: | new hp@0x55c59fcd7e70 Sep 21 07:38:50.504922: | rw_instantiate() instantiated "eastnet-northnet"[1] 192.1.3.33 for 192.1.3.33 Sep 21 07:38:50.504926: | found connection: eastnet-northnet[1] 192.1.3.33 with policy PSK+IKEV2_ALLOW Sep 21 07:38:50.504931: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Sep 21 07:38:50.504961: | creating state object #1 at 0x55c59fd48af0 Sep 21 07:38:50.504964: | State DB: adding IKEv2 state #1 in UNDEFINED Sep 21 07:38:50.504972: | pstats #1 ikev2.ike started Sep 21 07:38:50.504976: | Message ID: init #1: msgid=0 lastack=4294967295 nextuse=0 lastrecv=4294967295 lastreplied=0 Sep 21 07:38:50.504979: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Sep 21 07:38:50.504985: | Message ID: init_ike #1; ike: initiator.sent=0->-1 initiator.recv=0->-1 responder.sent=0->-1 responder.recv=0->-1 wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:50.504996: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:50.505000: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:50.505005: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:50.505008: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Sep 21 07:38:50.505012: | Message ID: #1 not a duplicate - message is new; 
initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 Sep 21 07:38:50.505017: | Message ID: start-responder #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1 wip.initiator=-1 wip.responder=-1->0 Sep 21 07:38:50.505020: | #1 in state PARENT_R0: processing SA_INIT request Sep 21 07:38:50.505023: | selected state microcode Respond to IKE_SA_INIT Sep 21 07:38:50.505026: | Now let's proceed with state specific processing Sep 21 07:38:50.505028: | calling processor Respond to IKE_SA_INIT Sep 21 07:38:50.505034: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:50.505037: | constructing local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals) Sep 21 07:38:50.505046: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:50.505054: | ... ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:50.505058: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:50.505062: | ... ikev2_proposal: 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:50.505065: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:50.505069: | ... 
ikev2_proposal: 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:50.505071: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Sep 21 07:38:50.505076: | ... ikev2_proposal: 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:50.505083: "eastnet-northnet"[1] 192.1.3.33: constructed local IKE proposals for eastnet-northnet (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 Sep 21 07:38:50.505086: | Comparing remote proposals against IKE responder 4 local proposals Sep 21 07:38:50.505088: | local proposal 1 type ENCR has 1 transforms Sep 21 07:38:50.505090: | local proposal 1 type PRF has 2 transforms Sep 21 07:38:50.505092: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:50.505095: | local proposal 1 type DH has 8 transforms Sep 21 07:38:50.505097: | local proposal 1 type ESN has 0 transforms Sep 21 07:38:50.505100: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:50.505102: | local proposal 2 type ENCR has 1 transforms Sep 21 07:38:50.505104: | local proposal 2 type PRF 
has 2 transforms Sep 21 07:38:50.505106: | local proposal 2 type INTEG has 1 transforms Sep 21 07:38:50.505109: | local proposal 2 type DH has 8 transforms Sep 21 07:38:50.505111: | local proposal 2 type ESN has 0 transforms Sep 21 07:38:50.505113: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG Sep 21 07:38:50.505116: | local proposal 3 type ENCR has 1 transforms Sep 21 07:38:50.505118: | local proposal 3 type PRF has 2 transforms Sep 21 07:38:50.505120: | local proposal 3 type INTEG has 2 transforms Sep 21 07:38:50.505122: | local proposal 3 type DH has 8 transforms Sep 21 07:38:50.505125: | local proposal 3 type ESN has 0 transforms Sep 21 07:38:50.505128: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:50.505131: | local proposal 4 type ENCR has 1 transforms Sep 21 07:38:50.505133: | local proposal 4 type PRF has 2 transforms Sep 21 07:38:50.505136: | local proposal 4 type INTEG has 2 transforms Sep 21 07:38:50.505138: | local proposal 4 type DH has 8 transforms Sep 21 07:38:50.505141: | local proposal 4 type ESN has 0 transforms Sep 21 07:38:50.505144: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Sep 21 07:38:50.505147: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.505150: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:50.505153: | length: 100 (0x64) Sep 21 07:38:50.505155: | prop #: 1 (0x1) Sep 21 07:38:50.505158: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:50.505160: | spi size: 0 (0x0) Sep 21 07:38:50.505162: | # transforms: 11 (0xb) Sep 21 07:38:50.505166: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Sep 21 07:38:50.505169: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505172: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505174: | length: 12 (0xc) Sep 21 07:38:50.505177: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 
07:38:50.505179: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.505182: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.505185: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.505187: | length/value: 256 (0x100) Sep 21 07:38:50.505192: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:38:50.505197: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505200: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505202: | length: 8 (0x8) Sep 21 07:38:50.505205: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505207: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:50.505211: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Sep 21 07:38:50.505214: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Sep 21 07:38:50.505217: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Sep 21 07:38:50.505220: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Sep 21 07:38:50.505223: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505225: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505227: | length: 8 (0x8) Sep 21 07:38:50.505229: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505231: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:50.505234: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505236: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505238: | length: 8 (0x8) Sep 21 07:38:50.505240: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505242: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.505245: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Sep 21 
07:38:50.505247: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Sep 21 07:38:50.505250: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Sep 21 07:38:50.505253: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Sep 21 07:38:50.505255: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505257: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505259: | length: 8 (0x8) Sep 21 07:38:50.505261: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505263: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:50.505265: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505267: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505270: | length: 8 (0x8) Sep 21 07:38:50.505272: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505274: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:50.505276: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505278: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505280: | length: 8 (0x8) Sep 21 07:38:50.505283: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505285: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:50.505288: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505290: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505292: | length: 8 (0x8) Sep 21 07:38:50.505295: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505297: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:50.505300: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505302: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505304: | length: 8 (0x8) Sep 21 07:38:50.505307: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505309: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) 
Sep 21 07:38:50.505312: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505314: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505317: | length: 8 (0x8) Sep 21 07:38:50.505319: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505322: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:50.505325: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505330: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.505332: | length: 8 (0x8) Sep 21 07:38:50.505334: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505337: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:50.505340: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Sep 21 07:38:50.505345: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Sep 21 07:38:50.505347: | remote proposal 1 matches local proposal 1 Sep 21 07:38:50.505350: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.505353: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:50.505355: | length: 100 (0x64) Sep 21 07:38:50.505357: | prop #: 2 (0x2) Sep 21 07:38:50.505359: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:50.505361: | spi size: 0 (0x0) Sep 21 07:38:50.505363: | # transforms: 11 (0xb) Sep 21 07:38:50.505367: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:50.505369: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505372: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505374: | length: 12 (0xc) Sep 21 07:38:50.505377: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.505379: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.505382: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.505384: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 
07:38:50.505387: | length/value: 128 (0x80) Sep 21 07:38:50.505390: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505392: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505395: | length: 8 (0x8) Sep 21 07:38:50.505397: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505399: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:50.505401: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505404: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505406: | length: 8 (0x8) Sep 21 07:38:50.505408: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505410: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:50.505412: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505415: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505417: | length: 8 (0x8) Sep 21 07:38:50.505419: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505421: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.505424: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505427: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505429: | length: 8 (0x8) Sep 21 07:38:50.505431: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505434: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:50.505436: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505439: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505440: | length: 8 (0x8) Sep 21 07:38:50.505443: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505445: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:50.505448: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505450: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505453: | length: 8 (0x8) Sep 21 07:38:50.505455: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505457: | IKEv2 transform ID: 
OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:50.505460: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505462: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505465: | length: 8 (0x8) Sep 21 07:38:50.505467: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505470: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:50.505477: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505480: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505482: | length: 8 (0x8) Sep 21 07:38:50.505484: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505486: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:50.505489: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505491: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505493: | length: 8 (0x8) Sep 21 07:38:50.505495: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505497: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:50.505499: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505501: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.505504: | length: 8 (0x8) Sep 21 07:38:50.505506: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505508: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:50.505512: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Sep 21 07:38:50.505514: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Sep 21 07:38:50.505517: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.505519: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Sep 21 07:38:50.505521: | length: 116 (0x74) Sep 21 07:38:50.505523: | prop #: 3 (0x3) Sep 21 07:38:50.505525: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:50.505527: | spi size: 0 (0x0) Sep 21 07:38:50.505529: | # transforms: 13 (0xd) Sep 21 07:38:50.505532: | Comparing remote proposal 3 
containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:50.505534: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505536: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505538: | length: 12 (0xc) Sep 21 07:38:50.505540: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.505543: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:50.505545: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.505547: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.505549: | length/value: 256 (0x100) Sep 21 07:38:50.505552: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505554: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505556: | length: 8 (0x8) Sep 21 07:38:50.505558: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505561: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:50.505563: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505565: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505567: | length: 8 (0x8) Sep 21 07:38:50.505569: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505571: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:50.505574: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505577: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505579: | length: 8 (0x8) Sep 21 07:38:50.505581: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:50.505583: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:50.505586: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505588: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505590: | length: 8 (0x8) Sep 21 07:38:50.505593: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:50.505595: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:50.505598: | *****parse IKEv2 Transform Substructure Payload: Sep 21 
07:38:50.505601: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505603: | length: 8 (0x8) Sep 21 07:38:50.505605: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505607: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.505610: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505614: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505617: | length: 8 (0x8) Sep 21 07:38:50.505619: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505621: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:50.505624: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505627: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505629: | length: 8 (0x8) Sep 21 07:38:50.505631: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505634: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:50.505637: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505639: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505641: | length: 8 (0x8) Sep 21 07:38:50.505643: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505646: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:50.505648: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505650: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505653: | length: 8 (0x8) Sep 21 07:38:50.505655: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505657: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:50.505660: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505662: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505664: | length: 8 (0x8) Sep 21 07:38:50.505666: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505668: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:50.505671: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505673: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505675: | length: 8 (0x8) Sep 21 07:38:50.505677: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505679: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:50.505682: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505684: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.505686: | length: 8 (0x8) Sep 21 07:38:50.505688: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505691: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:50.505695: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:50.505698: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Sep 21 07:38:50.505700: | ****parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.505703: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:50.505705: | length: 116 (0x74) Sep 21 07:38:50.505707: | prop #: 4 (0x4) Sep 21 07:38:50.505709: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:50.505712: | spi size: 0 (0x0) Sep 21 07:38:50.505714: | # transforms: 13 (0xd) Sep 21 07:38:50.505717: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Sep 21 07:38:50.505719: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505722: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505724: | length: 12 (0xc) Sep 21 07:38:50.505727: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.505729: | IKEv2 transform ID: AES_CBC (0xc) Sep 21 07:38:50.505731: | ******parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.505733: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.505736: | length/value: 128 (0x80) Sep 21 07:38:50.505738: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505741: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505743: | length: 8 (0x8) Sep 21 
07:38:50.505745: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505748: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:50.505750: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505753: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505757: | length: 8 (0x8) Sep 21 07:38:50.505759: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.505762: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Sep 21 07:38:50.505764: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505767: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505769: | length: 8 (0x8) Sep 21 07:38:50.505772: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:50.505774: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Sep 21 07:38:50.505777: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505779: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505782: | length: 8 (0x8) Sep 21 07:38:50.505791: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Sep 21 07:38:50.505794: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Sep 21 07:38:50.505797: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505799: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505801: | length: 8 (0x8) Sep 21 07:38:50.505803: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505806: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.505808: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505810: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505813: | length: 8 (0x8) Sep 21 07:38:50.505815: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505818: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Sep 21 07:38:50.505820: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505823: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505825: | length: 8 (0x8) Sep 21 07:38:50.505827: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505829: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Sep 21 07:38:50.505832: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505834: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505836: | length: 8 (0x8) Sep 21 07:38:50.505839: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505841: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Sep 21 07:38:50.505844: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505846: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505848: | length: 8 (0x8) Sep 21 07:38:50.505851: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505853: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Sep 21 07:38:50.505856: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505858: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505861: | length: 8 (0x8) Sep 21 07:38:50.505863: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505865: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Sep 21 07:38:50.505868: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505870: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.505873: | length: 8 (0x8) Sep 21 07:38:50.505875: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505877: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Sep 21 07:38:50.505880: | *****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.505883: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.505885: | length: 8 (0x8) Sep 21 07:38:50.505887: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.505890: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Sep 21 07:38:50.505894: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Sep 21 07:38:50.505897: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH 
Sep 21 07:38:50.505903: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Sep 21 07:38:50.505912: | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 Sep 21 07:38:50.505915: | converting proposal to internal trans attrs Sep 21 07:38:50.505919: | natd_hash: rcookie is zero Sep 21 07:38:50.505938: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:50.505941: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.505943: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:50.505945: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:50.505946: | natd_hash: port= 01 f4 Sep 21 07:38:50.505949: | natd_hash: hash= d9 33 ef 71 75 c7 3d cd 2b e8 3c 47 af 25 ad 4e Sep 21 07:38:50.505950: | natd_hash: hash= dc 65 4e f1 Sep 21 07:38:50.505952: | natd_hash: rcookie is zero Sep 21 07:38:50.505959: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:50.505961: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.505963: | natd_hash: rcookie= 00 00 00 00 00 00 00 00 Sep 21 07:38:50.505965: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:50.505967: | natd_hash: port= 01 f4 Sep 21 07:38:50.505969: | natd_hash: hash= aa 33 c4 c6 18 a3 69 
81 63 25 c3 c3 bb 88 f7 af Sep 21 07:38:50.505971: | natd_hash: hash= 49 c2 6f ac Sep 21 07:38:50.505973: | NAT_TRAVERSAL encaps using auto-detect Sep 21 07:38:50.505975: | NAT_TRAVERSAL this end is NOT behind NAT Sep 21 07:38:50.505977: | NAT_TRAVERSAL that end is NOT behind NAT Sep 21 07:38:50.505980: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Sep 21 07:38:50.505985: | adding ikev2_inI1outR1 KE work-order 1 for state #1 Sep 21 07:38:50.505989: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c59fd4ac60 Sep 21 07:38:50.505992: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:50.505996: | libevent_malloc: new ptr-libevent@0x55c59fd4aca0 size 128 Sep 21 07:38:50.506008: | #1 spent 0.972 milliseconds in processing: Respond to IKE_SA_INIT in ikev2_process_state_packet() Sep 21 07:38:50.506016: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:50.506019: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:50.506022: | suspending state #1 and saving MD Sep 21 07:38:50.506024: | #1 is busy; has a suspended MD Sep 21 07:38:50.506029: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:50.506033: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:38:50.506039: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:50.506043: | #1 spent 1.47 milliseconds in ikev2_process_packet() Sep 21 07:38:50.506047: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:50.506049: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:50.506051: | 
processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:50.506055: | spent 1.48 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:50.506066: | crypto helper 0 resuming Sep 21 07:38:50.506070: | crypto helper 0 starting work-order 1 for state #1 Sep 21 07:38:50.506074: | crypto helper 0 doing build KE and nonce (ikev2_inI1outR1 KE); request ID 1 Sep 21 07:38:50.507094: | crypto helper 0 finished build KE and nonce (ikev2_inI1outR1 KE); request ID 1 time elapsed 0.001018 seconds Sep 21 07:38:50.507108: | (#1) spent 0.998 milliseconds in crypto helper computing work-order 1: ikev2_inI1outR1 KE (pcr) Sep 21 07:38:50.507111: | crypto helper 0 sending results from work-order 1 for state #1 to event queue Sep 21 07:38:50.507115: | scheduling resume sending helper answer for #1 Sep 21 07:38:50.507118: | libevent_malloc: new ptr-libevent@0x7f82f0006900 size 128 Sep 21 07:38:50.507127: | crypto helper 0 waiting (nothing to do) Sep 21 07:38:50.507137: | processing resume sending helper answer for #1 Sep 21 07:38:50.507148: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:50.507153: | crypto helper 0 replies to request ID 1 Sep 21 07:38:50.507155: | calling continuation function 0x55c59e3bf630 Sep 21 07:38:50.507158: | ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 Sep 21 07:38:50.507189: | **emit ISAKMP Message: Sep 21 07:38:50.507192: | initiator cookie: Sep 21 07:38:50.507194: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.507197: | responder cookie: Sep 21 07:38:50.507199: | c2 98 6b ed 60 95 74 82 Sep 21 07:38:50.507202: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:50.507204: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:50.507207: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Sep 21 07:38:50.507210: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:50.507212: | 
Message ID: 0 (0x0) Sep 21 07:38:50.507215: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:50.507218: | Emitting ikev2_proposal ... Sep 21 07:38:50.507221: | ***emit IKEv2 Security Association Payload: Sep 21 07:38:50.507223: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.507226: | flags: none (0x0) Sep 21 07:38:50.507229: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:50.507232: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507235: | ****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.507237: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:50.507240: | prop #: 1 (0x1) Sep 21 07:38:50.507242: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Sep 21 07:38:50.507245: | spi size: 0 (0x0) Sep 21 07:38:50.507247: | # transforms: 3 (0x3) Sep 21 07:38:50.507250: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:50.507253: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:50.507255: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.507258: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.507260: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.507263: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:50.507266: | ******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.507268: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.507271: | length/value: 256 (0x100) Sep 21 07:38:50.507274: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:50.507276: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:50.507278: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.507281: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Sep 21 07:38:50.507283: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Sep 21 07:38:50.507287: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.507289: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:50.507294: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:50.507297: | *****emit IKEv2 Transform Substructure Payload: Sep 21 07:38:50.507299: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.507302: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Sep 21 07:38:50.507304: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Sep 21 07:38:50.507307: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.507310: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:50.507312: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:50.507315: | emitting length of IKEv2 Proposal Substructure Payload: 36 Sep 21 07:38:50.507317: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:50.507320: | emitting length of IKEv2 Security Association Payload: 40 Sep 21 07:38:50.507322: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:50.507326: | ***emit IKEv2 Key Exchange Payload: Sep 21 07:38:50.507328: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.507331: | flags: none (0x0) Sep 21 07:38:50.507333: | DH group: OAKLEY_GROUP_MODP2048 (0xe) 
Sep 21 07:38:50.507336: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Sep 21 07:38:50.507339: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507342: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Sep 21 07:38:50.507382: | emitting length of IKEv2 Key Exchange Payload: 264 Sep 21 07:38:50.507384: | ***emit IKEv2 Nonce Payload: Sep 21 07:38:50.507387: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:50.507389: | flags: none (0x0) Sep 21
07:38:50.507392: | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N Sep 21 07:38:50.507395: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Sep 21 07:38:50.507397: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507402: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Sep 21 07:38:50.507404: | IKEv2 nonce 45 d2 45 a2 a1 81 de 83 85 53 20 52 b2 29 2c 42 Sep 21 07:38:50.507406: | IKEv2 nonce 5b 77 68 15 c7 21 9b ed a4 90 f0 c3 5c 92 60 d4 Sep 21 07:38:50.507409: | emitting length of IKEv2 Nonce Payload: 36 Sep 21 07:38:50.507412: | Adding a v2N Payload Sep 21 07:38:50.507414: | ***emit IKEv2 Notify Payload: Sep 21 07:38:50.507417: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.507419: | flags: none (0x0) Sep 21 07:38:50.507421: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.507424: | SPI size: 0 (0x0) Sep 21 07:38:50.507426: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Sep 21 07:38:50.507429: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:50.507432: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507434: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:50.507438: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:50.507449: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:50.507451: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.507454: | natd_hash: rcookie= c2 98 6b ed 60 95 74 82 Sep 21 07:38:50.507456: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:50.507458: | natd_hash: port= 01 f4 Sep 21 07:38:50.507461: | natd_hash: hash= 2f 82 aa 10 5b 33 48 ff e7 ad 2e 3e 3e 4d b4 7e Sep 21 07:38:50.507463: | natd_hash: hash= ee c7 2a db Sep 21 07:38:50.507465: | Adding a v2N Payload Sep 21 07:38:50.507467: | ***emit IKEv2 Notify Payload: Sep 21 07:38:50.507470: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.507472: | flags: none (0x0) Sep 21 07:38:50.507475: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.507477: | SPI size: 0 (0x0) Sep 21 07:38:50.507480: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:50.507482: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:50.507485: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507488: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:50.507490: | Notify data 2f 82 aa 10 5b 33 48 ff e7 ad 2e 3e 3e 4d b4 7e Sep 21 07:38:50.507493: | Notify data ee c7 2a db Sep 21 07:38:50.507495: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:50.507501: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:50.507503: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.507505: | natd_hash: rcookie= c2 98 6b ed 60 95 74 82 Sep 21 07:38:50.507508: | natd_hash: ip= c0 01 03 21 Sep 21 07:38:50.507510: | natd_hash: port= 01 f4 Sep 21 07:38:50.507512: | natd_hash: hash= ba fb b2 ba 3d a1 2a a9 1b 83 da 7c c0 9c 89 e3 Sep 21 07:38:50.507514: | natd_hash: hash= 93 74 0c bb Sep 21 07:38:50.507516: | Adding a v2N Payload Sep 21 07:38:50.507519: | ***emit IKEv2 Notify Payload: Sep 21 
07:38:50.507521: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.507523: | flags: none (0x0) Sep 21 07:38:50.507526: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.507528: | SPI size: 0 (0x0) Sep 21 07:38:50.507531: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:50.507533: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:50.507536: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.507539: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:50.507542: | Notify data ba fb b2 ba 3d a1 2a a9 1b 83 da 7c c0 9c 89 e3 Sep 21 07:38:50.507544: | Notify data 93 74 0c bb Sep 21 07:38:50.507546: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:50.507550: | emitting length of ISAKMP Message: 432 Sep 21 07:38:50.507558: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:50.507562: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Sep 21 07:38:50.507564: | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 Sep 21 07:38:50.507568: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Sep 21 07:38:50.507571: | Message ID: updating counters for #1 to 0 after switching state Sep 21 07:38:50.507576: | Message ID: recv #1 request 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1 responder.recv=-1->0 wip.initiator=-1 wip.responder=0->-1 Sep 21 07:38:50.507580: | Message ID: sent #1 response 0; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=-1->0 responder.recv=0 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:50.507586: "eastnet-northnet"[1] 192.1.3.33 #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a 
prf=HMAC_SHA2_512 group=MODP2048} Sep 21 07:38:50.507591: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:50.507599: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1)
Sep 21 07:38:50.507720: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:50.507725: | libevent_free: release ptr-libevent@0x55c59fd4aca0 Sep 21 07:38:50.507728: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c59fd4ac60 Sep 21 07:38:50.507731: | event_schedule: new EVENT_SO_DISCARD-pe@0x55c59fd4ac60 Sep 21 07:38:50.507735: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Sep 21 07:38:50.507738: | libevent_malloc: new ptr-libevent@0x55c59fd4aca0 size 128 Sep 21 07:38:50.507741: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:50.507749: | #1 spent 0.561 milliseconds in resume sending helper answer Sep 21 07:38:50.507755: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:50.507758: | libevent_free: release ptr-libevent@0x7f82f0006900 Sep 21 07:38:50.510595: | spent 0.00251 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:50.510613: | *received 245 bytes from 192.1.3.33:500 on eth1 (192.1.2.23:500)
Sep 21 07:38:50.510655: | start processing: from 192.1.3.33:500 (in process_md() at demux.c:378) Sep 21 07:38:50.510659: | **parse ISAKMP Message: Sep 21 07:38:50.510662: | initiator cookie: Sep 21 07:38:50.510664: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.510666: | responder cookie: Sep 21 07:38:50.510669: | c2 98 6b ed 60 95 74 82 Sep 21 07:38:50.510671: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:50.510674: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:50.510676: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:50.510679: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:50.510681: | Message ID: 1 (0x1) Sep 21 07:38:50.510684: | length: 245 (0xf5) Sep 21 07:38:50.510687: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Sep 21 07:38:50.510690: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Sep 21 07:38:50.510693: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Sep 21 07:38:50.510701: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:50.510704: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:50.510709: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:50.510712: | #1 st.st_msgid_lastrecv 0
md.hdr.isa_msgid 00000001 Sep 21 07:38:50.510716: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 Sep 21 07:38:50.510719: | unpacking clear payload Sep 21 07:38:50.510721: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:50.510724: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:50.510727: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Sep 21 07:38:50.510729: | flags: none (0x0) Sep 21 07:38:50.510731: | length: 217 (0xd9) Sep 21 07:38:50.510734: | processing payload: ISAKMP_NEXT_v2SK (len=213) Sep 21 07:38:50.510738: | Message ID: start-responder #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:50.510741: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:50.510747: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:50.510749: | Now let's proceed with state specific processing Sep 21 07:38:50.510752: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Sep 21 07:38:50.510755: | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 Sep 21 07:38:50.510759: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Sep 21 07:38:50.510762: | adding ikev2_inI2outR2 KE work-order 2 for state #1 Sep 21 07:38:50.510765: | state #1 requesting EVENT_SO_DISCARD to be deleted Sep 21 07:38:50.510768: | libevent_free: release ptr-libevent@0x55c59fd4aca0 Sep 21 07:38:50.510771: | free_event_entry: release EVENT_SO_DISCARD-pe@0x55c59fd4ac60 Sep 21 07:38:50.510774: | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c59fd4ac60 Sep 21 07:38:50.510777: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Sep 21 07:38:50.510780: | libevent_malloc: new ptr-libevent@0x55c59fd4aca0 size 128 Sep 21 07:38:50.510812: | #1 spent 0.0413 milliseconds in processing: Responder: process IKE_AUTH 
request (no SKEYSEED) in ikev2_process_state_packet() Sep 21 07:38:50.510813: | crypto helper 3 resuming Sep 21 07:38:50.510822: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:50.510830: | crypto helper 3 starting work-order 2 for state #1 Sep 21 07:38:50.510832: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND Sep 21 07:38:50.510841: | crypto helper 3 doing compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 Sep 21 07:38:50.510880: | suspending state #1 and saving MD Sep 21 07:38:50.510886: | #1 is busy; has a suspended MD Sep 21 07:38:50.510892: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in log_stf_suspend() at ikev2.c:3266) Sep 21 07:38:50.510897: | "eastnet-northnet"[1] 192.1.3.33 #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3448 Sep 21 07:38:50.510904: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:50.510909: | #1 spent 0.248 milliseconds in ikev2_process_packet() Sep 21 07:38:50.510913: | stop processing: from 192.1.3.33:500 (in process_md() at demux.c:380) Sep 21 07:38:50.510916: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:50.510919: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21 07:38:50.510923: | spent 0.263 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:38:50.511754: | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 Sep 21 07:38:50.512202: | crypto helper 3 finished compute dh (V2) (ikev2_inI2outR2 KE); request ID 2 time elapsed 0.001366 seconds Sep 21 07:38:50.512215: | (#1) spent 1.36 milliseconds in crypto helper computing work-order 2: ikev2_inI2outR2 KE (pcr) Sep 21 
07:38:50.512218: | crypto helper 3 sending results from work-order 2 for state #1 to event queue Sep 21 07:38:50.512220: | scheduling resume sending helper answer for #1 Sep 21 07:38:50.512223: | libevent_malloc: new ptr-libevent@0x7f82e8006b90 size 128 Sep 21 07:38:50.512232: | crypto helper 3 waiting (nothing to do) Sep 21 07:38:50.512243: | processing resume sending helper answer for #1 Sep 21 07:38:50.512257: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:797) Sep 21 07:38:50.512263: | crypto helper 3 replies to request ID 2 Sep 21 07:38:50.512266: | calling continuation function 0x55c59e3bf630 Sep 21 07:38:50.512269: | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 Sep 21 07:38:50.512273: | #1 in state PARENT_R1: received v2I1, sent v2R1 Sep 21 07:38:50.512288: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Sep 21 07:38:50.512296: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Sep 21 07:38:50.512300: | **parse IKEv2 Identification - Initiator - Payload: Sep 21 07:38:50.512303: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Sep 21 07:38:50.512306: | flags: none (0x0) Sep 21 07:38:50.512308: | length: 12 (0xc) Sep 21 07:38:50.512311: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:50.512314: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Sep 21 07:38:50.512316: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Sep 21 07:38:50.512319: | **parse IKEv2 Authentication Payload: Sep 21 07:38:50.512322: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:50.512324: | flags: none (0x0) Sep 21 07:38:50.512327: | length: 72 (0x48) Sep 21 07:38:50.512329: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:50.512332: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Sep 21 07:38:50.512334: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Sep 21 07:38:50.512337: | **parse IKEv2 Security Association Payload: Sep 21 07:38:50.512339: | next payload type: 
ISAKMP_NEXT_v2TSi (0x2c) Sep 21 07:38:50.512342: | flags: none (0x0) Sep 21 07:38:50.512345: | length: 48 (0x30) Sep 21 07:38:50.512347: | processing payload: ISAKMP_NEXT_v2SA (len=44) Sep 21 07:38:50.512349: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Sep 21 07:38:50.512352: | **parse IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:50.512355: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Sep 21 07:38:50.512357: | flags: none (0x0) Sep 21 07:38:50.512360: | length: 24 (0x18) Sep 21 07:38:50.512362: | number of TS: 1 (0x1) Sep 21 07:38:50.512365: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Sep 21 07:38:50.512367: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Sep 21 07:38:50.512370: | **parse IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:50.512373: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:50.512375: | flags: none (0x0) Sep 21 07:38:50.512377: | length: 24 (0x18) Sep 21 07:38:50.512379: | number of TS: 1 (0x1) Sep 21 07:38:50.512382: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Sep 21 07:38:50.512384: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:50.512386: | **parse IKEv2 Notify Payload: Sep 21 07:38:50.512389: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.512391: | flags: none (0x0) Sep 21 07:38:50.512394: | length: 8 (0x8) Sep 21 07:38:50.512396: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.512398: | SPI size: 0 (0x0) Sep 21 07:38:50.512401: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:50.512404: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:50.512406: | selected state microcode Responder: process IKE_AUTH request Sep 21 07:38:50.512408: | Now let's proceed with state specific processing Sep 21 07:38:50.512411: | calling processor Responder: process IKE_AUTH request Sep 21 07:38:50.512418: "eastnet-northnet"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,AUTH,SA,TSi,TSr,N} Sep 21 07:38:50.512424: | #1 
updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:50.512428: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Sep 21 07:38:50.512431: | peer ID c0 01 03 21 Sep 21 07:38:50.512436: | refine_host_connection for IKEv2: starting with "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:50.512441: | match_id a=192.1.3.33 Sep 21 07:38:50.512444: | b=192.1.3.33 Sep 21 07:38:50.512446: | results matched Sep 21 07:38:50.512452: | refine_host_connection: checking "eastnet-northnet"[1] 192.1.3.33 against "eastnet-northnet"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Sep 21 07:38:50.512454: | Warning: not switching back to template of current instance Sep 21 07:38:50.512457: | No IDr payload received from peer Sep 21 07:38:50.512460: | refine_host_connection: checked eastnet-northnet[1] 192.1.3.33 against eastnet-northnet[1] 192.1.3.33, now for see if best Sep 21 07:38:50.512465: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512467: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512470: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:50.512473: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512476: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512477: | line 1: match=002 Sep 21 07:38:50.512479: | match 002 beats previous best_match 000 match=0x55c59fd3a5c0 (line=1) Sep 21 07:38:50.512481: | concluding with best_match=002 best=0x55c59fd3a5c0 (lineno=1) Sep 21 07:38:50.512482: | returning because exact peer id match Sep 21 07:38:50.512484: | offered CA: '%none' Sep 21 07:38:50.512487: "eastnet-northnet"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.3.33' Sep 21 07:38:50.512489: | received v2N_MOBIKE_SUPPORTED while it did not sent Sep 21 07:38:50.512504: | verifying AUTH 
payload Sep 21 07:38:50.512507: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Sep 21 07:38:50.512510: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512512: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512514: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:50.512516: | 1: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512519: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512520: | line 1: match=002 Sep 21 07:38:50.512522: | match 002 beats previous best_match 000 match=0x55c59fd3a5c0 (line=1) Sep 21 07:38:50.512523: | concluding with best_match=002 best=0x55c59fd3a5c0 (lineno=1) Sep 21 07:38:50.512565: "eastnet-northnet"[1] 192.1.3.33 #1: Authenticated using authby=secret Sep 21 07:38:50.512568: | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) Sep 21 07:38:50.512572: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:50.512574: | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted Sep 21 07:38:50.512576: | libevent_free: release ptr-libevent@0x55c59fd4aca0 Sep 21 07:38:50.512578: | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c59fd4ac60 Sep 21 07:38:50.512580: | event_schedule: new EVENT_SA_REKEY-pe@0x55c59fd4ac60 Sep 21 07:38:50.512582: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Sep 21 07:38:50.512584: | libevent_malloc: new ptr-libevent@0x55c59fd4aca0 size 128 Sep 21 07:38:50.512667: | pstats #1 ikev2.ike established Sep 21 07:38:50.512675: | **emit ISAKMP Message: Sep 21 07:38:50.512678: | initiator cookie: Sep 21 07:38:50.512681: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:50.512683: | responder cookie: Sep 21 07:38:50.512685: | c2 98 6b ed 60 95 74 82 Sep 21 07:38:50.512688: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:50.512692: | ISAKMP 
version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:50.512695: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Sep 21 07:38:50.512698: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:50.512700: | Message ID: 1 (0x1) Sep 21 07:38:50.512704: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:50.512707: | IKEv2 CERT: send a certificate? Sep 21 07:38:50.512711: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Sep 21 07:38:50.512713: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:50.512716: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.512719: | flags: none (0x0) Sep 21 07:38:50.512722: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:50.512726: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.512730: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:50.512740: | Adding a v2N Payload Sep 21 07:38:50.512744: | ****emit IKEv2 Notify Payload: Sep 21 07:38:50.512746: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.512749: | flags: none (0x0) Sep 21 07:38:50.512752: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:50.512754: | SPI size: 0 (0x0) Sep 21 07:38:50.512757: | Notify Message Type: v2N_MOBIKE_SUPPORTED (0x400c) Sep 21 07:38:50.512761: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:50.512765: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.512767: | emitting length of IKEv2 Notify Payload: 8 Sep 21 07:38:50.512770: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:50.512813: | ****emit IKEv2 Identification - Responder - Payload: Sep 21 07:38:50.512820: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.512822: | flags: none (0x0) Sep 21 07:38:50.512824: | ID type: ID_IPV4_ADDR (0x1) Sep 21 07:38:50.512826: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Sep 21 07:38:50.512828: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.512830: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Sep 21 07:38:50.512832: | my identity c0 01 02 17 Sep 21 07:38:50.512833: | emitting length of IKEv2 Identification - Responder - Payload: 12 Sep 21 07:38:50.512840: | assembled IDr payload Sep 21 07:38:50.512842: | CHILD SA proposals received Sep 21 07:38:50.512847: | going to assemble AUTH payload Sep 21 07:38:50.512850: | ****emit IKEv2 Authentication Payload: Sep 21 07:38:50.512853: | next payload type: ISAKMP_NEXT_v2SA (0x21) Sep 21 07:38:50.512856: | flags: none (0x0) Sep 21 07:38:50.512858: | auth method: IKEv2_AUTH_SHARED (0x2) Sep 21 07:38:50.512861: | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA Sep 21 07:38:50.512865: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Sep 21 07:38:50.512867: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.512871: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R2 to create PSK with authby=secret Sep 21 07:38:50.512876: | started looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512879: | actually looking for secret for 192.1.2.23->192.1.3.33 of kind PKK_PSK Sep 21 07:38:50.512883: | line 1: key type PKK_PSK(192.1.2.23) to type PKK_PSK Sep 21 07:38:50.512888: | 1: compared key 
(none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512892: | 2: compared key (none) to 192.1.2.23 / 192.1.3.33 -> 002 Sep 21 07:38:50.512895: | line 1: match=002 Sep 21 07:38:50.512897: | match 002 beats previous best_match 000 match=0x55c59fd3a5c0 (line=1) Sep 21 07:38:50.512900: | concluding with best_match=002 best=0x55c59fd3a5c0 (lineno=1) Sep 21 07:38:50.512964: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Sep 21 07:38:50.512968: | PSK auth 24 fe 99 5b fb 8d 86 70 50 0e 2b 58 04 cb e5 37 Sep 21 07:38:50.512970: | PSK auth 3e 31 41 ef d1 f8 d1 5a f0 55 a1 2a cf e6 3a fd Sep 21 07:38:50.512973: | PSK auth 35 3c 02 c8 a4 c2 d0 6c 49 31 7e a2 8b 4c 82 1f Sep 21 07:38:50.512975: | PSK auth f7 61 58 b0 c5 e3 6f 4f 48 5b 8b 28 8b 99 fd 31 Sep 21 07:38:50.512978: | emitting length of IKEv2 Authentication Payload: 72 Sep 21 07:38:50.512982: | creating state object #2 at 0x55c59fd4c1c0 Sep 21 07:38:50.512985: | State DB: adding IKEv2 state #2 in UNDEFINED Sep 21 07:38:50.512989: | pstats #2 ikev2.child started Sep 21 07:38:50.512996: | duplicating state object #1 "eastnet-northnet"[1] 192.1.3.33 as #2 for IPSEC SA Sep 21 07:38:50.513001: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) Sep 21 07:38:50.513008: | Message ID: init_child #1.#2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=0->-1 wip.responder=0->-1 Sep 21 07:38:50.513013: | Message ID: switch-from #1 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0 wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:50.513018: | Message ID: switch-to #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0; child: wip.initiator=-1 wip.responder=-1->1 Sep 21 07:38:50.513021: | Child SA TS Request has ike->sa == md->st; so using parent connection Sep 21 07:38:50.513024: | TSi: parsing 1 traffic selectors Sep 21 
07:38:50.513027: | ***parse IKEv2 Traffic Selector: Sep 21 07:38:50.513030: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:50.513033: | IP Protocol ID: 0 (0x0) Sep 21 07:38:50.513036: | length: 16 (0x10) Sep 21 07:38:50.513038: | start port: 0 (0x0) Sep 21 07:38:50.513041: | end port: 65535 (0xffff) Sep 21 07:38:50.513044: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:50.513046: | TS low c0 00 03 00 Sep 21 07:38:50.513049: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:50.513051: | TS high c0 00 03 ff Sep 21 07:38:50.513054: | TSi: parsed 1 traffic selectors Sep 21 07:38:50.513056: | TSr: parsing 1 traffic selectors Sep 21 07:38:50.513059: | ***parse IKEv2 Traffic Selector: Sep 21 07:38:50.513061: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:50.513064: | IP Protocol ID: 0 (0x0) Sep 21 07:38:50.513066: | length: 16 (0x10) Sep 21 07:38:50.513068: | start port: 0 (0x0) Sep 21 07:38:50.513071: | end port: 65535 (0xffff) Sep 21 07:38:50.513073: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Sep 21 07:38:50.513076: | TS low c0 00 02 00 Sep 21 07:38:50.513078: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Sep 21 07:38:50.513081: | TS high c0 00 02 ff Sep 21 07:38:50.513083: | TSr: parsed 1 traffic selectors Sep 21 07:38:50.513085: | looking for best SPD in current connection Sep 21 07:38:50.513093: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:50.513098: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:50.513105: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:50.513108: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:50.513111: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:50.513114: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:50.513117: | match end->protocol=*0 == 
TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:50.513122: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:50.513127: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 07:38:50.513130: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:38:50.513133: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:50.513136: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:50.513139: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:50.513141: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:50.513143: | found better spd route for TSi[0],TSr[0] Sep 21 07:38:50.513145: | looking for better host pair Sep 21 07:38:50.513150: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Sep 21 07:38:50.513156: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Sep 21 07:38:50.513158: | investigating connection "eastnet-northnet" as a better match Sep 21 07:38:50.513161: | match_id a=192.1.3.33 Sep 21 07:38:50.513166: | b=192.1.3.33 Sep 21 07:38:50.513168: | results matched Sep 21 07:38:50.513175: | evaluating our conn="eastnet-northnet"[1] 192.1.3.33 I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Sep 21 07:38:50.513179: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:50.513185: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Sep 21 07:38:50.513188: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Sep 21 07:38:50.513190: | TSi[0] port match: YES fitness 65536 Sep 21 07:38:50.513193: | narrow protocol end=*0 == TSi[0]=*0: 0 Sep 21 07:38:50.513196: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:50.513200: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Sep 21 07:38:50.513206: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Sep 21 
07:38:50.513209: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Sep 21 07:38:50.513211: | TSr[0] port match: YES fitness 65536 Sep 21 07:38:50.513214: | narrow protocol end=*0 == TSr[0]=*0: 0 Sep 21 07:38:50.513217: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Sep 21 07:38:50.513219: | best fit so far: TSi[0] TSr[0] Sep 21 07:38:50.513222: | did not find a better connection using host pair Sep 21 07:38:50.513224: | printing contents struct traffic_selector Sep 21 07:38:50.513227: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:50.513229: | ipprotoid: 0 Sep 21 07:38:50.513231: | port range: 0-65535 Sep 21 07:38:50.513235: | ip range: 192.0.2.0-192.0.2.255 Sep 21 07:38:50.513237: | printing contents struct traffic_selector Sep 21 07:38:50.513239: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Sep 21 07:38:50.513242: | ipprotoid: 0 Sep 21 07:38:50.513244: | port range: 0-65535 Sep 21 07:38:50.513248: | ip range: 192.0.3.0-192.0.3.255 Sep 21 07:38:50.513252: | constructing ESP/AH proposals with all DH removed for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals) Sep 21 07:38:50.513259: | converting proposal AES_GCM_16-NONE to ikev2 ... Sep 21 07:38:50.513263: | forcing IKEv2 PROTO_v2_ESP aes_gcm_16 ENCRYPT transform low-to-high key lengths: 128 256 Sep 21 07:38:50.513269: | ... 
ikev2_proposal: 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:38:50.513275: "eastnet-northnet"[1] 192.1.3.33: constructed local ESP/AH proposals for eastnet-northnet (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_128,AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED Sep 21 07:38:50.513279: | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 1 local proposals Sep 21 07:38:50.513282: | local proposal 1 type ENCR has 2 transforms Sep 21 07:38:50.513284: | local proposal 1 type PRF has 0 transforms Sep 21 07:38:50.513287: | local proposal 1 type INTEG has 1 transforms Sep 21 07:38:50.513290: | local proposal 1 type DH has 1 transforms Sep 21 07:38:50.513292: | local proposal 1 type ESN has 1 transforms Sep 21 07:38:50.513296: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Sep 21 07:38:50.513299: | ***parse IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.513302: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:50.513305: | length: 44 (0x2c) Sep 21 07:38:50.513307: | prop #: 1 (0x1) Sep 21 07:38:50.513309: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:50.513312: | spi size: 4 (0x4) Sep 21 07:38:50.513315: | # transforms: 3 (0x3) Sep 21 07:38:50.513318: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Sep 21 07:38:50.513320: | remote SPI b9 e1 c8 f7 Sep 21 07:38:50.513324: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Sep 21 07:38:50.513327: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.513330: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.513334: | length: 12 (0xc) Sep 21 07:38:50.513337: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.513339: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.513342: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.513345: | af+type: 
AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.513348: | length/value: 128 (0x80) Sep 21 07:38:50.513352: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_128) matches local proposal 1 type 1 (ENCR) transform 0 Sep 21 07:38:50.513355: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.513358: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.513360: | length: 12 (0xc) Sep 21 07:38:50.513363: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.513365: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.513368: | *****parse IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.513370: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.513373: | length/value: 256 (0x100) Sep 21 07:38:50.513376: | ****parse IKEv2 Transform Substructure Payload: Sep 21 07:38:50.513378: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.513381: | length: 8 (0x8) Sep 21 07:38:50.513383: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:50.513386: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:50.513390: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Sep 21 07:38:50.513393: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Sep 21 07:38:50.513397: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Sep 21 07:38:50.513400: | remote proposal 1 matches local proposal 1 Sep 21 07:38:50.513407: "eastnet-northnet"[1] 192.1.3.33 #1: proposal 1:ESP:SPI=b9e1c8f7;ENCR=AES_GCM_C_128;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_128;ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] Sep 21 07:38:50.513412: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=b9e1c8f7;ENCR=AES_GCM_C_128;ESN=DISABLED Sep 21 07:38:50.513415: | converting proposal to internal trans attrs Sep 21 07:38:50.513434: | netlink_get_spi: allocated 0x9734d62c 
for esp.0@192.1.2.23 Sep 21 07:38:50.513437: | Emitting ikev2_proposal ... Sep 21 07:38:50.513440: | ****emit IKEv2 Security Association Payload: Sep 21 07:38:50.513442: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.513444: | flags: none (0x0) Sep 21 07:38:50.513446: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Sep 21 07:38:50.513449: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.513451: | *****emit IKEv2 Proposal Substructure Payload: Sep 21 07:38:50.513453: | last proposal: v2_PROPOSAL_LAST (0x0) Sep 21 07:38:50.513455: | prop #: 1 (0x1) Sep 21 07:38:50.513457: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Sep 21 07:38:50.513459: | spi size: 4 (0x4) Sep 21 07:38:50.513461: | # transforms: 2 (0x2) Sep 21 07:38:50.513464: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Sep 21 07:38:50.513467: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Sep 21 07:38:50.513469: | our spi 97 34 d6 2c Sep 21 07:38:50.513471: | ******emit IKEv2 Transform Substructure Payload: Sep 21 07:38:50.513474: | last transform: v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.513476: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Sep 21 07:38:50.513478: | IKEv2 transform ID: AES_GCM_C (0x14) Sep 21 07:38:50.513481: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:50.513484: | *******emit IKEv2 Attribute Substructure Payload: Sep 21 07:38:50.513489: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Sep 21 07:38:50.513492: | length/value: 128 (0x80) Sep 21 07:38:50.513494: | emitting length of IKEv2 Transform Substructure Payload: 12 Sep 21 07:38:50.513497: | ******emit IKEv2 Transform Substructure Payload: Sep 
21 07:38:50.513499: | last transform: v2_TRANSFORM_LAST (0x0) Sep 21 07:38:50.513501: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Sep 21 07:38:50.513504: | IKEv2 transform ID: ESN_DISABLED (0x0) Sep 21 07:38:50.513507: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) Sep 21 07:38:50.513509: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Sep 21 07:38:50.513512: | emitting length of IKEv2 Transform Substructure Payload: 8 Sep 21 07:38:50.513514: | emitting length of IKEv2 Proposal Substructure Payload: 32 Sep 21 07:38:50.513516: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Sep 21 07:38:50.513518: | emitting length of IKEv2 Security Association Payload: 36 Sep 21 07:38:50.513521: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Sep 21 07:38:50.513523: | received v2N_MOBIKE_SUPPORTED Sep 21 07:38:50.513526: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Sep 21 07:38:50.513528: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.513530: | flags: none (0x0) Sep 21 07:38:50.513532: | number of TS: 1 (0x1) Sep 21 07:38:50.513535: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Sep 21 07:38:50.513537: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.513540: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:50.513542: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:50.513544: | IP Protocol ID: 0 (0x0) Sep 21 07:38:50.513546: | start port: 0 (0x0) Sep 21 07:38:50.513548: | end port: 65535 
(0xffff) Sep 21 07:38:50.513550: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:50.513553: | IP start c0 00 03 00 Sep 21 07:38:50.513555: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:50.513557: | IP end c0 00 03 ff Sep 21 07:38:50.513559: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:50.513561: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Sep 21 07:38:50.513564: | ****emit IKEv2 Traffic Selector - Responder - Payload: Sep 21 07:38:50.513566: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:50.513568: | flags: none (0x0) Sep 21 07:38:50.513570: | number of TS: 1 (0x1) Sep 21 07:38:50.513572: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Sep 21 07:38:50.513575: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Sep 21 07:38:50.513577: | *****emit IKEv2 Traffic Selector: Sep 21 07:38:50.513579: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Sep 21 07:38:50.513581: | IP Protocol ID: 0 (0x0) Sep 21 07:38:50.513583: | start port: 0 (0x0) Sep 21 07:38:50.513585: | end port: 65535 (0xffff) Sep 21 07:38:50.513587: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Sep 21 07:38:50.513589: | IP start c0 00 02 00 Sep 21 07:38:50.513591: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Sep 21 07:38:50.513593: | IP end c0 00 02 ff Sep 21 07:38:50.513595: | emitting length of IKEv2 Traffic Selector: 16 Sep 21 07:38:50.513598: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Sep 21 07:38:50.513602: | Initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Sep 21 07:38:50.513605: | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=16 .salt_size=4 keymat_len=20 Sep 21 07:38:50.513711: | FOR_EACH_CONNECTION_... 
in ISAKMP_SA_established Sep 21 07:38:50.513720: | #1 spent 1.27 milliseconds Sep 21 07:38:50.513724: | install_ipsec_sa() for #2: inbound and outbound Sep 21 07:38:50.513727: | could_route called for eastnet-northnet (kind=CK_INSTANCE) Sep 21 07:38:50.513729: | FOR_EACH_CONNECTION_... in route_owner Sep 21 07:38:50.513732: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:50.513735: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:50.513737: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:50.513740: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:50.513747: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:50.513751: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Sep 21 07:38:50.513753: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Sep 21 07:38:50.513755: | AES_GCM_16 requires 4 salt bytes Sep 21 07:38:50.513757: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Sep 21 07:38:50.513759: | setting IPsec SA replay-window to 32 Sep 21 07:38:50.513761: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:50.513763: | netlink: enabling tunnel mode Sep 21 07:38:50.513765: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:50.513767: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:50.513852: | netlink response for Add SA esp.b9e1c8f7@192.1.3.33 included non-error error Sep 21 07:38:50.513860: | set up outgoing SA, ref=0/0 Sep 21 07:38:50.513863: | looking for alg with encrypt: AES_GCM_16 keylen: 128 integ: NONE Sep 21 07:38:50.513866: | encrypt AES_GCM_16 keylen=128 transid=20, key_size=16, encryptalg=20 Sep 21 07:38:50.513868: | AES_GCM_16 requires 4 salt bytes Sep 21 07:38:50.513870: | st->st_esp.keymat_len=20 is encrypt_keymat_size=20 + integ_keymat_size=0 Sep 21 07:38:50.513873: | setting 
IPsec SA replay-window to 32 Sep 21 07:38:50.513876: | NIC esp-hw-offload not for connection 'eastnet-northnet' not available on interface eth1 Sep 21 07:38:50.513878: | netlink: enabling tunnel mode Sep 21 07:38:50.513881: | netlink: setting IPsec SA replay-window to 32 using old-style req Sep 21 07:38:50.513883: | netlink: esp-hw-offload not set for IPsec SA Sep 21 07:38:50.513934: | netlink response for Add SA esp.9734d62c@192.1.2.23 included non-error error Sep 21 07:38:50.513938: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:50.513946: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) Sep 21 07:38:50.513949: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:50.513998: | raw_eroute result=success Sep 21 07:38:50.514001: | set up incoming SA, ref=0/0 Sep 21 07:38:50.514004: | sr for #2: unrouted Sep 21 07:38:50.514007: | route_and_eroute() for proto 0, and source port 0 dest port 0 Sep 21 07:38:50.514009: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:38:50.514012: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:50.514016: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:50.514018: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:38:50.514021: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:38:50.514026: | route owner of "eastnet-northnet"[1] 192.1.3.33 unrouted: NULL; eroute owner: NULL Sep 21 07:38:50.514029: | route_and_eroute with c: eastnet-northnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Sep 21 07:38:50.514033: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:38:50.514040: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 (raw_eroute) Sep 21 07:38:50.514045: | IPsec Sa SPD priority set to 1042407 Sep 21 07:38:50.514072: | raw_eroute result=success Sep 21 07:38:50.514076: | running updown command "ipsec _updown" for verb up Sep 21 07:38:50.514079: | command executing up-client Sep 21 07:38:50.514108: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI Sep 21 07:38:50.514113: | popen cmd is 1048 chars long Sep 21 07:38:50.514116: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' P: Sep 21 07:38:50.514118: | cmd( 80):LUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY: Sep 21 07:38:50.514121: | cmd( 160):_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' : Sep 21 07:38:50.514124: | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLU: Sep 21 07:38:50.514127: | cmd( 320):TO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='1: Sep 21 07:38:50.514129: | cmd( 400):92.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PL: Sep 21 07:38:50.514132: | cmd( 480):UTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0': Sep 21 07:38:50.514135: | cmd( 560): PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+: Sep 21 07:38:50.514137: | cmd( 640):ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_C: Sep 21 07:38:50.514140: | cmd( 720):ONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER: Sep 21 07:38:50.514143: | cmd( 800):_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='': Sep 21 07:38:50.514145: | cmd( 880): PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' : Sep 21 07:38:50.514148: | cmd( 960):VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb9e1c8f7 SPI_OUT=0x9734d62c ipsec _upd: Sep 21 07:38:50.514150: | cmd(1040):own 2>&1: Sep 21 07:38:50.525267: | route_and_eroute: firewall_notified: true Sep 21 07:38:50.525279: | running updown command "ipsec _updown" for verb prepare Sep 21 07:38:50.525282: | command executing prepare-client Sep 21 07:38:50.525313: | executing prepare-client: 
PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE Sep 21 07:38:50.525319: | popen cmd is 1053 chars long Sep 21 07:38:50.525323: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:38:50.525325: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:38:50.525328: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Sep 21 07:38:50.525331: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:38:50.525333: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_: Sep 21 07:38:50.525336: | cmd( 400):ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.: Sep 21 07:38:50.525338: | cmd( 480):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: Sep 21 07:38:50.525341: | cmd( 560):L='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=: Sep 21 
07:38:50.525343: | cmd( 640):'PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PL: Sep 21 07:38:50.525346: | cmd( 720):UTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS: Sep 21 07:38:50.525348: | cmd( 800):_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANN: Sep 21 07:38:50.525351: | cmd( 880):ER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC: Sep 21 07:38:50.525353: | cmd( 960):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb9e1c8f7 SPI_OUT=0x9734d62c ipsec: Sep 21 07:38:50.525356: | cmd(1040): _updown 2>&1: Sep 21 07:38:50.536278: | running updown command "ipsec _updown" for verb route Sep 21 07:38:50.536292: | command executing route-client Sep 21 07:38:50.536325: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='n Sep 21 07:38:50.536329: | popen cmd is 1051 chars long Sep 21 07:38:50.536332: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet: Sep 21 
07:38:50.536334: | cmd( 80):' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO: Sep 21 07:38:50.536337: | cmd( 160):_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: Sep 21 07:38:50.536340: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : Sep 21 07:38:50.536342: | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID: Sep 21 07:38:50.536345: | cmd( 400):='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0': Sep 21 07:38:50.536347: | cmd( 480): PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=: Sep 21 07:38:50.536349: | cmd( 560):'0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='P: Sep 21 07:38:50.536351: | cmd( 640):SK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUT: Sep 21 07:38:50.536354: | cmd( 720):O_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_P: Sep 21 07:38:50.536360: | cmd( 800):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: Sep 21 07:38:50.536362: | cmd( 880):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE=: Sep 21 07:38:50.536365: | cmd( 960):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb9e1c8f7 SPI_OUT=0x9734d62c ipsec _: Sep 21 07:38:50.536367: | cmd(1040):updown 2>&1: Sep 21 07:38:50.551036: | route_and_eroute: instance "eastnet-northnet"[1] 192.1.3.33, setting eroute_owner {spd=0x55c59fd483d0,sr=0x55c59fd483d0} to #2 (was #0) (newest_ipsec_sa=#0) Sep 21 07:38:50.551131: | #1 spent 0.933 milliseconds in install_ipsec_sa() Sep 21 07:38:50.551139: | ISAKMP_v2_IKE_AUTH: instance eastnet-northnet[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Sep 21 07:38:50.551142: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:50.551146: | emitting 1 0x00 
repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:50.551149: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:50.551152: | emitting length of IKEv2 Encryption Payload: 205 Sep 21 07:38:50.551155: | emitting length of ISAKMP Message: 233 Sep 21 07:38:50.551178: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Sep 21 07:38:50.551184: | #1 spent 2.26 milliseconds in processing: Responder: process IKE_AUTH request in ikev2_process_state_packet() Sep 21 07:38:50.551192: | suspend processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:50.551199: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:50.551203: | #2 complete_v2_state_transition() md.from_state=PARENT_R1 md.svm.state[from]=PARENT_R1 UNDEFINED->V2_IPSEC_R with status STF_OK Sep 21 07:38:50.551207: | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R Sep 21 07:38:50.551210: | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) Sep 21 07:38:50.551213: | Message ID: updating counters for #2 to 1 after switching state Sep 21 07:38:50.551219: | Message ID: recv #1.#2 request 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0 responder.recv=0->1; child: wip.initiator=-1 wip.responder=1->-1 Sep 21 07:38:50.551223: | Message ID: sent #1.#2 response 1; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=0->1 responder.recv=1; child: wip.initiator=-1 wip.responder=-1 Sep 21 07:38:50.551227: | pstats #2 ikev2.child established Sep 21 07:38:50.551235: "eastnet-northnet"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Sep 21 07:38:50.551241: | NAT-T: encaps is 'auto' Sep 21 07:38:50.551246: "eastnet-northnet"[1] 192.1.3.33 #2: 
STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0xb9e1c8f7 <0x9734d62c xfrm=AES_GCM_16_128-NONE NATOA=none NATD=none DPD=passive} Sep 21 07:38:50.551251: | sending V2 new request packet to 192.1.3.33:500 (from 192.1.2.23:500) Sep 21 07:38:50.551257: | sending 233 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 (using #1) Sep 21 07:38:50.551356: | releasing whack for #2 (sock=fd@-1) Sep 21 07:38:50.551360: | releasing whack and unpending for parent #1 Sep 21 07:38:50.551364: | unpending state #1 connection "eastnet-northnet"[1] 192.1.3.33 Sep 21 07:38:50.551369: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Sep 21 07:38:50.551372: | event_schedule: new EVENT_SA_REKEY-pe@0x7f82f0002b20 Sep 21 07:38:50.551376: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Sep 21 07:38:50.551380: | libevent_malloc:
new ptr-libevent@0x55c59fd4d900 size 128 Sep 21 07:38:50.551386: | resume sending helper answer for #1 suppresed complete_v2_state_transition() Sep 21 07:38:50.551392: | #1 spent 2.59 milliseconds in resume sending helper answer Sep 21 07:38:50.551398: | stop processing: state #2 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:833) Sep 21 07:38:50.551402: | libevent_free: release ptr-libevent@0x7f82e8006b90 Sep 21 07:38:50.551414: | processing signal PLUTO_SIGCHLD Sep 21 07:38:50.551420: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:50.551424: | spent 0.00573 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:50.551427: | processing signal PLUTO_SIGCHLD Sep 21 07:38:50.551430: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:50.551433: | spent 0.00344 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:50.551436: | processing signal PLUTO_SIGCHLD Sep 21 07:38:50.551439: | waitpid returned ECHILD (no child processes left) Sep 21 07:38:50.551442: | spent 0.00332 milliseconds in signal handler PLUTO_SIGCHLD Sep 21 07:38:57.222956: | spent 0.00303 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() Sep 21 07:38:57.222973: | *received 121 bytes from 192.1.8.22:500 on eth1 (192.1.2.23:500) Sep 21 07:38:57.222990: | start processing: from 192.1.8.22:500 (in process_md() at demux.c:378) Sep 21
07:38:57.222992: | **parse ISAKMP Message: Sep 21 07:38:57.222994: | initiator cookie: Sep 21 07:38:57.222995: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:57.222997: | responder cookie: Sep 21 07:38:57.222998: | c2 98 6b ed 60 95 74 82 Sep 21 07:38:57.223000: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Sep 21 07:38:57.223001: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:57.223003: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:57.223005: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Sep 21 07:38:57.223006: | Message ID: 2 (0x2) Sep 21 07:38:57.223008: | length: 121 (0x79) Sep 21 07:38:57.223010: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Sep 21 07:38:57.223012: | I am the IKE SA Original Responder receiving an IKEv2 INFORMATIONAL request Sep 21 07:38:57.223016: | State DB: found IKEv2 state #1 in PARENT_R2 (find_v2_ike_sa) Sep 21 07:38:57.223021: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:2016) Sep 21 07:38:57.223025: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Sep 21 07:38:57.223029: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:2064) Sep 21 07:38:57.223031: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Sep 21 07:38:57.223033: | Message ID: #1 not a duplicate - message is new; initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 Sep 21 07:38:57.223035: | unpacking clear payload Sep 21 07:38:57.223037: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Sep 21 07:38:57.223039: | ***parse IKEv2 Encryption Payload: Sep 21 07:38:57.223040: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:57.223042: | flags: none (0x0) Sep 21 07:38:57.223044: | length: 93 (0x5d) Sep 21 07:38:57.223045: | processing payload: ISAKMP_NEXT_v2SK (len=89) Sep 21 07:38:57.223048: | Message ID: 
start-responder #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=-1->2 Sep 21 07:38:57.223050: | #1 in state PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:57.223062: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Sep 21 07:38:57.223064: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:57.223066: | **parse IKEv2 Notify Payload: Sep 21 07:38:57.223067: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:57.223069: | flags: none (0x0) Sep 21 07:38:57.223071: | length: 8 (0x8) Sep 21 07:38:57.223072: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:57.223074: | SPI size: 0 (0x0) Sep 21 07:38:57.223076: | Notify Message Type: v2N_UPDATE_SA_ADDRESSES (0x4010) Sep 21 07:38:57.223077: | processing payload: ISAKMP_NEXT_v2N (len=0) Sep 21 07:38:57.223079: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:57.223080: | **parse IKEv2 Notify Payload: Sep 21 07:38:57.223082: | next payload type: ISAKMP_NEXT_v2N (0x29) Sep 21 07:38:57.223083: | flags: none (0x0) Sep 21 07:38:57.223085: | length: 28 (0x1c) Sep 21 07:38:57.223086: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:57.223088: | SPI size: 0 (0x0) Sep 21 07:38:57.223089: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:57.223091: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:57.223092: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Sep 21 07:38:57.223094: | **parse IKEv2 Notify Payload: Sep 21 07:38:57.223096: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:57.223097: | flags: none (0x0) Sep 21 07:38:57.223099: | length: 28 (0x1c) Sep 21 07:38:57.223100: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:57.223102: | SPI size: 0 (0x0) Sep 21 07:38:57.223103: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:57.223105: | processing payload: ISAKMP_NEXT_v2N (len=20) Sep 21 07:38:57.223106: | selected state 
microcode R2: process Informational Request Sep 21 07:38:57.223108: | Now let's proceed with state specific processing Sep 21 07:38:57.223110: | calling processor R2: process Informational Request Sep 21 07:38:57.223112: | an informational request should send a response Sep 21 07:38:57.223115: | Need to process v2N_UPDATE_SA_ADDRESSES Sep 21 07:38:57.223116: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:57.223118: | TODO: Need to process NAT DETECTION payload if we are initiator Sep 21 07:38:57.223122: | #2 pst=#1 MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:57.223126: | responder migrate kernel SA esp.b9e1c8f7@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_OUT Sep 21 07:38:57.223197: | responder migrate kernel SA esp.9734d62c@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_IN Sep 21 07:38:57.223226: | responder migrate kernel SA esp.9734d62c@192.1.3.33:500 to 192.1.8.22:500 reqid=16393 XFRM_FWD Sep 21 07:38:57.223236: "eastnet-northnet"[1] 192.1.3.33 #1: success MOBIKE update remote address 192.1.3.33:500 -> 192.1.8.22:500 Sep 21 07:38:57.223240: | free hp@0x55c59fcd7e70 Sep 21 07:38:57.223244: | connect_to_host_pair: 192.1.2.23:500 192.1.8.22:500 -> hp@(nil): none Sep 21 07:38:57.223246: | new hp@0x55c59fd48a20 Sep 21 07:38:57.223249: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) Sep 21 07:38:57.223252: "eastnet-northnet"[1] 192.1.8.22 #1: MOBIKE request: updating IPsec SA by request Sep 21 07:38:57.223255: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Sep 21 07:38:57.223258: | **emit ISAKMP Message: Sep 21 07:38:57.223259: | initiator cookie: Sep 21 07:38:57.223261: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:57.223262: | responder cookie: Sep 21 07:38:57.223264: | c2 98 6b ed 60 95 74 82 Sep 21 07:38:57.223265: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:38:57.223267: | 
ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:38:57.223269: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:38:57.223270: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Sep 21 07:38:57.223272: | Message ID: 2 (0x2) Sep 21 07:38:57.223274: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:38:57.223276: | ***emit IKEv2 Encryption Payload: Sep 21 07:38:57.223277: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:57.223279: | flags: none (0x0) Sep 21 07:38:57.223281: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:38:57.223283: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:57.223285: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:38:57.223289: | adding NATD payloads to MOBIKE response Sep 21 07:38:57.223291: | NAT-Traversal support [enabled] add v2N payloads. 
Sep 21 07:38:57.223297: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:57.223299: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:57.223301: | natd_hash: rcookie= c2 98 6b ed 60 95 74 82 Sep 21 07:38:57.223302: | natd_hash: ip= c0 01 02 17 Sep 21 07:38:57.223303: | natd_hash: port= 01 f4 Sep 21 07:38:57.223305: | natd_hash: hash= 2f 82 aa 10 5b 33 48 ff e7 ad 2e 3e 3e 4d b4 7e Sep 21 07:38:57.223306: | natd_hash: hash= ee c7 2a db Sep 21 07:38:57.223308: | Adding a v2N Payload Sep 21 07:38:57.223309: | ****emit IKEv2 Notify Payload: Sep 21 07:38:57.223311: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:57.223312: | flags: none (0x0) Sep 21 07:38:57.223314: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:57.223315: | SPI size: 0 (0x0) Sep 21 07:38:57.223317: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Sep 21 07:38:57.223319: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:57.223320: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:57.223322: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:57.223324: | Notify data 2f 82 aa 10 5b 33 48 ff e7 ad 2e 3e 3e 4d b4 7e Sep 21 07:38:57.223325: | Notify data ee c7 2a db Sep 21 07:38:57.223327: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:57.223330: | natd_hash: hasher=0x55c59e4957a0(20) Sep 21 07:38:57.223332: | natd_hash: icookie= 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:38:57.223333: | natd_hash: rcookie= c2 98 6b ed 60 95 74 82 Sep 21 07:38:57.223334: | natd_hash: ip= c0 01 08 16 Sep 21 07:38:57.223336: | natd_hash: port= 01 f4 Sep 21 07:38:57.223337: | natd_hash: hash= fc ac 60 66 09 b6 d7 8f 45 53 ea d6 ce b9 db 7b Sep 21 07:38:57.223339: | natd_hash: hash= d7 87 76 86 Sep 21 07:38:57.223340: | Adding a v2N Payload Sep 21 07:38:57.223341: | ****emit 
IKEv2 Notify Payload: Sep 21 07:38:57.223343: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:38:57.223345: | flags: none (0x0) Sep 21 07:38:57.223347: | Protocol ID: PROTO_v2_RESERVED (0x0) Sep 21 07:38:57.223348: | SPI size: 0 (0x0) Sep 21 07:38:57.223350: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Sep 21 07:38:57.223352: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Sep 21 07:38:57.223354: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'information exchange reply packet' Sep 21 07:38:57.223355: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Sep 21 07:38:57.223357: | Notify data fc ac 60 66 09 b6 d7 8f 45 53 ea d6 ce b9 db 7b Sep 21 07:38:57.223358: | Notify data d7 87 76 86 Sep 21 07:38:57.223360: | emitting length of IKEv2 Notify Payload: 28 Sep 21 07:38:57.223361: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:38:57.223363: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:38:57.223365: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:38:57.223367: | emitting length of IKEv2 Encryption Payload: 85 Sep 21 07:38:57.223368: | emitting length of ISAKMP Message: 113 Sep 21 07:38:57.223376: | sending 113 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Sep 21
07:38:57.223413: | Message ID: #1 XXX: in process_encrypted_informational_ikev2() hacking around record'n'send bypassing send queue hacking around delete_my_family(); initiator.sent=-1 initiator.recv=-1 responder.sent=1 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:57.223417: | Message ID: sent #1 response 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=1->2 responder.recv=1 wip.initiator=-1 wip.responder=2 Sep 21 07:38:57.223421: | #1 spent 0.283 milliseconds in processing: R2: process Informational Request in ikev2_process_state_packet() Sep 21 07:38:57.223425: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in complete_v2_state_transition() at ikev2.c:3376) Sep 21 07:38:57.223428: | #1 complete_v2_state_transition() PARENT_R2->PARENT_R2 with status STF_OK Sep 21 07:38:57.223430: | Message ID: updating counters for #1 to 2 after switching state Sep 21 07:38:57.223432: | Message ID: recv #1 request 2; ike: initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=1->2 wip.initiator=-1 wip.responder=2->-1 Sep 21 07:38:57.223435: | Message ID: #1 skipping update_send as nothing to send; initiator.sent=-1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1 wip.responder=-1 Sep 21 07:38:57.223437: | STATE_PARENT_R2: received v2I2, PARENT SA established Sep 21 07:38:57.223440: | stop processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in ikev2_process_packet() at ikev2.c:2018) Sep 21 07:38:57.223443: | #1 spent 0.452 milliseconds in ikev2_process_packet() Sep 21 07:38:57.223445: | stop processing: from 192.1.8.22:500 (in process_md() at demux.c:380) Sep 21 07:38:57.223447: | processing: STOP state #0 (in process_md() at demux.c:382) Sep 21 07:38:57.223449: | processing: STOP connection NULL (in process_md() at demux.c:383) Sep 21
07:38:57.223451: | spent 0.461 milliseconds in comm_handle_cb() reading and processing packet Sep 21 07:39:08.266822: | processing global timer EVENT_SHUNT_SCAN Sep 21 07:39:08.266920: | expiring aged bare shunts from shunt table Sep 21 07:39:08.266955: | spent 0.0318 milliseconds in global timer EVENT_SHUNT_SCAN Sep 21 07:39:10.689746: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:10.689839: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Sep 21 07:39:10.689858: | FOR_EACH_STATE_... in sort_states Sep 21 07:39:10.689883: | get_sa_info esp.9734d62c@192.1.2.23 Sep 21 07:39:10.689928: | get_sa_info esp.b9e1c8f7@192.1.8.22 Sep 21 07:39:10.689990: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:10.690012: | spent 0.281 milliseconds in whack Sep 21 07:39:10.918680: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:10.918855: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:10.918862: | FOR_EACH_CONNECTION_... in show_connections_status Sep 21 07:39:10.918944: | FOR_EACH_STATE_... in show_states_status (sort_states) Sep 21 07:39:10.918946: | FOR_EACH_STATE_... 
in sort_states Sep 21 07:39:10.918956: | get_sa_info esp.9734d62c@192.1.2.23 Sep 21 07:39:10.918969: | get_sa_info esp.b9e1c8f7@192.1.8.22 Sep 21 07:39:10.918985: | close_any(fd@16) (in whack_process() at rcv_whack.c:700) Sep 21 07:39:10.918990: | spent 0.302 milliseconds in whack Sep 21 07:39:12.307662: | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) Sep 21 07:39:12.307683: shutting down Sep 21 07:39:12.307690: | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) Sep 21 07:39:12.307693: | pluto_sd: executing action action: stopping(6), status 0 Sep 21 07:39:12.307698: | certs and keys locked by 'free_preshared_secrets' Sep 21 07:39:12.307699: forgetting secrets Sep 21 07:39:12.307701: | certs and keys unlocked by 'free_preshared_secrets' Sep 21 07:39:12.307706: | start processing: connection "eastnet-northnet"[1] 192.1.8.22 (in delete_connection() at connections.c:189) Sep 21 07:39:12.307710: "eastnet-northnet"[1] 192.1.8.22: deleting connection "eastnet-northnet"[1] 192.1.8.22 instance with peer 192.1.8.22 {isakmp=#1/ipsec=#2} Sep 21 07:39:12.307712: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:12.307713: | pass 0 Sep 21 07:39:12.307715: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:12.307716: | state #2 Sep 21 07:39:12.307719: | suspend processing: connection "eastnet-northnet"[1] 192.1.8.22 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:12.307723: | start processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:12.307725: | pstats #2 ikev2.child deleted completed Sep 21 07:39:12.307728: | [RE]START processing: state #2 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:12.307732: "eastnet-northnet"[1] 192.1.8.22 #2: deleting state (STATE_V2_IPSEC_R) aged 21.794s and sending notification Sep 21 07:39:12.307734: | child state #2: V2_IPSEC_R(established CHILD SA) => delete Sep 21 07:39:12.307737: | get_sa_info esp.b9e1c8f7@192.1.8.22 Sep 21 07:39:12.307747: | get_sa_info esp.9734d62c@192.1.2.23 Sep 21 07:39:12.307753: "eastnet-northnet"[1] 192.1.8.22 #2: ESP traffic information: in=336B out=336B Sep 21 07:39:12.307755: | #2 send IKEv2 delete notification for STATE_V2_IPSEC_R Sep 21 07:39:12.307757: | Opening output PBS informational exchange delete request Sep 21 07:39:12.307760: | **emit ISAKMP Message: Sep 21 07:39:12.307761: | initiator cookie: Sep 21 07:39:12.307763: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:39:12.307764: | responder cookie: Sep 21 07:39:12.307766: | c2 98 6b ed 60 95 74 82 Sep 21 07:39:12.307768: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:12.307769: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:12.307774: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:12.307777: | flags: none (0x0) Sep 21 07:39:12.307778: | Message ID: 0 (0x0) Sep 21 07:39:12.307780: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:12.307782: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:12.307819: | next payload 
type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:12.307821: | flags: none (0x0) Sep 21 07:39:12.307823: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:12.307825: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:12.307840: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:12.307847: | ****emit IKEv2 Delete Payload: Sep 21 07:39:12.307849: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:12.307850: | flags: none (0x0) Sep 21 07:39:12.307852: | protocol ID: PROTO_v2_ESP (0x3) Sep 21 07:39:12.307854: | SPI size: 4 (0x4) Sep 21 07:39:12.307855: | number of SPIs: 1 (0x1) Sep 21 07:39:12.307857: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:12.307859: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:12.307861: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Sep 21 07:39:12.307862: | local spis 97 34 d6 2c Sep 21 07:39:12.307864: | emitting length of IKEv2 Delete Payload: 12 Sep 21 07:39:12.307865: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:12.307867: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:12.307869: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:12.307871: | emitting length of IKEv2 Encryption Payload: 41 Sep 21 07:39:12.307872: | emitting length of ISAKMP Message: 69 Sep 21 07:39:12.307891: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #2) Sep 21 07:39:12.307893: | 92 d2 04 c7 e8 d2 e6 7f c2 98 6b ed 60 95 74 82 Sep 21 07:39:12.307895: | 2e 20 25 00 00 00 
00 00 00 00 00 45 2a 00 00 29 Sep 21 07:39:12.307896: | d0 31 b6 73 5f 89 a5 e7 cb 7b 6e 08 06 b2 13 26 Sep 21 07:39:12.307897: | f6 11 68 13 46 63 34 5b 73 f7 37 74 fa fa f8 e6 Sep 21 07:39:12.307899: | 2f 00 12 2c ce Sep 21 07:39:12.307941: | Message ID: IKE #1 sender #2 in send_delete record 'n' sending delete request so forcing IKE nextuse=0->1 and sender msgid=0->0 Sep 21 07:39:12.307944: | Message ID: IKE #1 sender #2 in send_delete hacking around record ' send Sep 21 07:39:12.307948: | Message ID: sent #1 request 0; ike: initiator.sent=-1->0 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=-1->0 wip.responder=-1 Sep 21 07:39:12.307951: | state #2 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:12.307955: | libevent_free: release ptr-libevent@0x55c59fd4d900 Sep 21 07:39:12.307958: | free_event_entry: release EVENT_SA_REKEY-pe@0x7f82f0002b20 Sep 21 07:39:12.308018: | running updown command "ipsec _updown" for verb down Sep 21 07:39:12.308022: | command executing down-client Sep 21 07:39:12.308049: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051530' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_ Sep 21 07:39:12.308055: | popen cmd is 1061 chars long Sep 21 07:39:12.308057: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet': Sep 21 07:39:12.308060: | cmd( 80): PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_: Sep 21 07:39:12.308063: | cmd( 160):MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0: Sep 21 07:39:12.308065: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: Sep 21 07:39:12.308068: | cmd( 320):LUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID=: Sep 21 07:39:12.308071: | cmd( 400):'192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' : Sep 21 07:39:12.308073: | cmd( 480):PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': Sep 21 07:39:12.308076: | cmd( 560):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051530' PLUTO_CONN_P: Sep 21 07:39:12.308078: | cmd( 640):OLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_: Sep 21 07:39:12.308081: | cmd( 720):NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : Sep 21 07:39:12.308083: | cmd( 800):PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_P: Sep 21 07:39:12.308085: | cmd( 880):EER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' : Sep 21 07:39:12.308087: | cmd( 960):VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xb9e1c8f7 SPI_OUT=0x9734d6: Sep 21 07:39:12.308090: | cmd(1040):2c ipsec _updown 2>&1: Sep 21 07:39:12.314537: | shunt_eroute() called for connection 'eastnet-northnet' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:12.314549: | netlink_shunt_eroute for proto 0, and source 
192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:12.314552: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:12.314554: | IPsec Sa SPD priority set to 1042407 Sep 21 07:39:12.314588: | delete esp.b9e1c8f7@192.1.8.22 Sep 21 07:39:12.314614: | netlink response for Del SA esp.b9e1c8f7@192.1.8.22 included non-error error Sep 21 07:39:12.314616: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:12.314635: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) Sep 21 07:39:12.314670: | raw_eroute result=success Sep 21 07:39:12.314673: | delete esp.9734d62c@192.1.2.23 Sep 21 07:39:12.314693: | netlink response for Del SA esp.9734d62c@192.1.2.23 included non-error error Sep 21 07:39:12.314699: | stop processing: connection "eastnet-northnet"[1] 192.1.8.22 (BACKGROUND) (in update_state_connection() at connections.c:4037) Sep 21 07:39:12.314701: | start processing: connection NULL (in update_state_connection() at connections.c:4038) Sep 21 07:39:12.314702: | in connection_discard for connection eastnet-northnet Sep 21 07:39:12.314704: | State DB: deleting IKEv2 state #2 in V2_IPSEC_R Sep 21 07:39:12.314707: | child state #2: V2_IPSEC_R(established CHILD SA) => UNDEFINED(ignore) Sep 21 07:39:12.314711: | stop processing: state #2 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:12.314715: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:12.314717: | state #1 Sep 21 07:39:12.314718: | pass 1 Sep 21 07:39:12.314720: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Sep 21 07:39:12.314721: | state #1 Sep 21 07:39:12.314725: | start processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in foreach_state_by_connection_func_delete() at state.c:1310) Sep 21 07:39:12.314729: | pstats #1 ikev2.ike deleted completed Sep 21 07:39:12.314732: | #1 spent 7.67 milliseconds in total Sep 21 07:39:12.314735: | [RE]START processing: state #1 connection "eastnet-northnet"[1] 192.1.8.22 from 192.1.8.22:500 (in delete_state() at state.c:879) Sep 21 07:39:12.314738: "eastnet-northnet"[1] 192.1.8.22 #1: deleting state (STATE_PARENT_R2) aged 21.809s and sending notification Sep 21 07:39:12.314740: | parent state #1: PARENT_R2(established IKE SA) => delete Sep 21 07:39:12.314782: | #1 send IKEv2 delete notification for STATE_PARENT_R2 Sep 21 07:39:12.314793: | Opening output PBS informational exchange delete request Sep 21 07:39:12.314795: | **emit ISAKMP Message: Sep 21 07:39:12.314797: | initiator cookie: Sep 21 07:39:12.314798: | 92 d2 04 c7 e8 d2 e6 7f Sep 21 07:39:12.314800: | responder cookie: Sep 21 07:39:12.314801: | c2 98 6b ed 60 95 74 82 Sep 21 07:39:12.314803: | next payload type: ISAKMP_NEXT_NONE (0x0) Sep 21 07:39:12.314805: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Sep 21 07:39:12.314807: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Sep 21 07:39:12.314808: | flags: none (0x0) Sep 21 07:39:12.314810: | Message ID: 1 (0x1) Sep 21 07:39:12.314812: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Sep 21 07:39:12.314814: | ***emit IKEv2 Encryption Payload: Sep 21 07:39:12.314815: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:12.314817: | flags: none (0x0) Sep 21 07:39:12.314819: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Sep 21 07:39:12.314821: | next payload chain: saving location 'IKEv2 Encryption 
Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:12.314823: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Sep 21 07:39:12.314829: | ****emit IKEv2 Delete Payload: Sep 21 07:39:12.314830: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Sep 21 07:39:12.314832: | flags: none (0x0) Sep 21 07:39:12.314834: | protocol ID: PROTO_v2_IKE (0x1) Sep 21 07:39:12.314835: | SPI size: 0 (0x0) Sep 21 07:39:12.314837: | number of SPIs: 0 (0x0) Sep 21 07:39:12.314839: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Sep 21 07:39:12.314840: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Sep 21 07:39:12.314842: | emitting length of IKEv2 Delete Payload: 8 Sep 21 07:39:12.314844: | adding 1 bytes of padding (including 1 byte padding-length) Sep 21 07:39:12.314846: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Sep 21 07:39:12.314848: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Sep 21 07:39:12.314850: | emitting length of IKEv2 Encryption Payload: 37 Sep 21 07:39:12.314851: | emitting length of ISAKMP Message: 65 Sep 21 07:39:12.314864: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.8.22:500 (using #1) Sep 21 07:39:12.314866: | 92 d2 04 c7 e8 d2 e6 7f c2 98 6b ed 60 95 74 82 Sep 21 07:39:12.314868: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Sep 21 07:39:12.314869: | fc 03 06 f5 09 80 8c 4c 67 ce 6d b1 80 46 e0 c0 Sep 21 07:39:12.314871: | ec a5 ce 22 b0 24 41 eb 80 32 df 34 3e 8b 3a 07 Sep 21 07:39:12.314872: | ab Sep 21 07:39:12.314918: | Message ID: IKE #1 sender #1 in send_delete record 'n' sending delete request so forcing IKE nextuse=1->2 and sender msgid=0->1 Sep 21 07:39:12.314920: | Message ID: IKE #1 sender #1 in send_delete hacking around 
record ' send Sep 21 07:39:12.314923: | Message ID: #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?); initiator.sent=1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=1 wip.responder=-1 Sep 21 07:39:12.314928: | Message ID: sent #1 request 1; ike: initiator.sent=0->1 initiator.recv=-1 responder.sent=2 responder.recv=2 wip.initiator=0->1 wip.responder=-1 Sep 21 07:39:12.314930: | state #1 requesting EVENT_SA_REKEY to be deleted Sep 21 07:39:12.314933: | libevent_free: release ptr-libevent@0x55c59fd4aca0 Sep 21 07:39:12.314935: | free_event_entry: release EVENT_SA_REKEY-pe@0x55c59fd4ac60 Sep 21 07:39:12.314938: | State DB: IKEv2 state not found (flush_incomplete_children) Sep 21 07:39:12.314941: | in connection_discard for connection eastnet-northnet Sep 21 07:39:12.314943: | State DB: deleting IKEv2 state #1 in PARENT_R2 Sep 21 07:39:12.314946: | parent state #1: PARENT_R2(established IKE SA) => UNDEFINED(ignore) Sep 21 07:39:12.314964: | stop processing: state #1 from 192.1.8.22:500 (in delete_state() at state.c:1143) Sep 21 07:39:12.314979: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) Sep 21 07:39:12.314985: | shunt_eroute() called for connection 'eastnet-northnet' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Sep 21 07:39:12.314990: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Sep 21 07:39:12.314993: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:12.315018: | priority calculation of connection "eastnet-northnet" is 0xfe7e7 Sep 21 07:39:12.315029: | FOR_EACH_CONNECTION_... 
in route_owner Sep 21 07:39:12.315032: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:12.315035: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:12.315037: | conn eastnet-northnet mark 0/00000000, 0/00000000 vs Sep 21 07:39:12.315040: | conn eastnet-northnet mark 0/00000000, 0/00000000 Sep 21 07:39:12.315043: | route owner of "eastnet-northnet" unrouted: NULL Sep 21 07:39:12.315045: | running updown command "ipsec _updown" for verb unroute Sep 21 07:39:12.315048: | command executing unroute-client Sep 21 07:39:12.315070: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northnet' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SH Sep 21 07:39:12.315073: | popen cmd is 1042 chars long Sep 21 07:39:12.315075: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-northn: Sep 21 07:39:12.315077: | cmd( 80):et' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLU: Sep 21 07:39:12.315078: | cmd( 160):TO_MY_ID='192.1.2.23' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.: Sep 21 
07:39:12.315080: | cmd( 240):2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0: Sep 21 07:39:12.315081: | cmd( 320):' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.8.22' PLUTO_PEER: Sep 21 07:39:12.315083: | cmd( 400):_ID='192.1.3.33' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3: Sep 21 07:39:12.315084: | cmd( 480):.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOC: Sep 21 07:39:12.315086: | cmd( 560):OL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY: Sep 21 07:39:12.315089: | cmd( 640):='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+MOBIKE+ESN_NO' P: Sep 21 07:39:12.315091: | cmd( 720):LUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: Sep 21 07:39:12.315092: | cmd( 800):_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_B: Sep 21 07:39:12.315094: | cmd( 880):ANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_I: Sep 21 07:39:12.315095: | cmd( 960):FACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>: Sep 21 07:39:12.315097: | cmd(1040):&1: Sep 21 07:39:12.323004: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323019: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323024: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323038: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323051: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323065: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323080: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323093: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323107: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:39:12.323119: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323131: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323145: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323159: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323173: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323185: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323198: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323212: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323224: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323237: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323249: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323262: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323276: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323289: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323407: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323419: unroute-client output: Error: Peer netns reference is invalid. Sep 21 07:39:12.323432: unroute-client output: Error: Peer netns reference is invalid. 
Sep 21 07:39:12.327107: | free hp@0x55c59fd48a20 Sep 21 07:39:12.327117: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:12.327120: | processing: STOP connection NULL (in discard_connection() at connections.c:249) Sep 21 07:39:12.327125: | start processing: connection "eastnet-northnet" (in delete_connection() at connections.c:189) Sep 21 07:39:12.327128: | Deleting states for connection - including all other IPsec SA's of this IKE SA Sep 21 07:39:12.327129: | pass 0 Sep 21 07:39:12.327131: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:12.327132: | pass 1 Sep 21 07:39:12.327134: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Sep 21 07:39:12.327136: | free hp@0x55c59fd11a10 Sep 21 07:39:12.327137: | flush revival: connection 'eastnet-northnet' wasn't on the list Sep 21 07:39:12.327139: | stop processing: connection "eastnet-northnet" (in discard_connection() at connections.c:249) Sep 21 07:39:12.327143: | crl fetch request list locked by 'free_crl_fetch' Sep 21 07:39:12.327144: | crl fetch request list unlocked by 'free_crl_fetch' Sep 21 07:39:12.327153: shutting down interface lo/lo 127.0.0.1:4500 Sep 21 07:39:12.327158: shutting down interface lo/lo 127.0.0.1:500 Sep 21 07:39:12.327160: shutting down interface eth0/eth0 192.0.2.254:4500 Sep 21 07:39:12.327162: shutting down interface eth0/eth0 192.0.2.254:500 Sep 21 07:39:12.327164: shutting down interface eth1/eth1 192.1.2.23:4500 Sep 21 07:39:12.327166: shutting down interface eth1/eth1 192.1.2.23:500 Sep 21 07:39:12.327168: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Sep 21 07:39:12.327175: | libevent_free: release ptr-libevent@0x55c59fd45080 Sep 21 07:39:12.327177: | free_event_entry: release EVENT_NULL-pe@0x55c59fd2e280 Sep 21 07:39:12.327184: | libevent_free: release ptr-libevent@0x55c59fd45170 Sep 21 07:39:12.327186: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45130 Sep 21 07:39:12.327191: | libevent_free: release ptr-libevent@0x55c59fd45260 Sep 21 07:39:12.327192: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45220 Sep 21 07:39:12.327197: | libevent_free: release ptr-libevent@0x55c59fd45350 Sep 21 07:39:12.327198: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45310 Sep 21 07:39:12.327203: | libevent_free: release ptr-libevent@0x55c59fd45440 Sep 21 07:39:12.327204: | free_event_entry: release EVENT_NULL-pe@0x55c59fd45400 Sep 21 07:39:12.327208: | libevent_free: release ptr-libevent@0x55c59fd45530 Sep 21 07:39:12.327210: | free_event_entry: release EVENT_NULL-pe@0x55c59fd454f0 Sep 21 07:39:12.327213: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Sep 21 07:39:12.327593: | libevent_free: release ptr-libevent@0x55c59fd449e0 Sep 21 07:39:12.327598: | free_event_entry: release EVENT_NULL-pe@0x55c59fd2d500 Sep 21 07:39:12.327601: | libevent_free: release ptr-libevent@0x55c59fd3a470 Sep 21 07:39:12.327603: | free_event_entry: release EVENT_NULL-pe@0x55c59fd2d7b0 Sep 21 07:39:12.327606: | libevent_free: release ptr-libevent@0x55c59fd3a3e0 Sep 21 07:39:12.327607: | free_event_entry: release EVENT_NULL-pe@0x55c59fd32f10 Sep 21 07:39:12.327610: | global timer EVENT_REINIT_SECRET uninitialized Sep 21 07:39:12.327611: | global timer EVENT_SHUNT_SCAN uninitialized Sep 21 07:39:12.327613: | global timer EVENT_PENDING_DDNS uninitialized Sep 21 07:39:12.327614: | global timer EVENT_PENDING_PHASE2 uninitialized Sep 21 07:39:12.327616: | global timer EVENT_CHECK_CRLS uninitialized Sep 21 07:39:12.327617: | global timer EVENT_REVIVE_CONNS uninitialized Sep 21 07:39:12.327619: | global timer EVENT_FREE_ROOT_CERTS uninitialized Sep 21 07:39:12.327620: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Sep 21 07:39:12.327622: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Sep 21 07:39:12.327625: | libevent_free: release ptr-libevent@0x55c59fd44ab0 Sep 21 07:39:12.327627: | signal event handler PLUTO_SIGCHLD uninstalled Sep 21 07:39:12.327629: | libevent_free: release ptr-libevent@0x55c59fd44b90 Sep 21 07:39:12.327630: | signal event handler PLUTO_SIGTERM uninstalled Sep 21 07:39:12.327632: | libevent_free: release ptr-libevent@0x55c59fd44c50 Sep 21 07:39:12.327634: | signal event handler PLUTO_SIGHUP uninstalled Sep 21 07:39:12.327636: | libevent_free: release ptr-libevent@0x55c59fd396e0 Sep 21 07:39:12.327637: | signal event handler PLUTO_SIGSYS uninstalled Sep 21 07:39:12.327639: | releasing event base Sep 21 07:39:12.327648: | libevent_free: release ptr-libevent@0x55c59fd44d10 Sep 21 07:39:12.327650: | libevent_free: release ptr-libevent@0x55c59fd1a250 Sep 21 07:39:12.327652: | libevent_free: 
release ptr-libevent@0x55c59fd28a90 Sep 21 07:39:12.327654: | libevent_free: release ptr-libevent@0x55c59fd28b60 Sep 21 07:39:12.327655: | libevent_free: release ptr-libevent@0x55c59fd28ab0 Sep 21 07:39:12.327657: | libevent_free: release ptr-libevent@0x55c59fd44a70 Sep 21 07:39:12.327658: | libevent_free: release ptr-libevent@0x55c59fd44b50 Sep 21 07:39:12.327660: | libevent_free: release ptr-libevent@0x55c59fd28b40 Sep 21 07:39:12.327661: | libevent_free: release ptr-libevent@0x55c59fd28ca0 Sep 21 07:39:12.327663: | libevent_free: release ptr-libevent@0x55c59fd2d700 Sep 21 07:39:12.327664: | libevent_free: release ptr-libevent@0x55c59fd455c0 Sep 21 07:39:12.327669: | libevent_free: release ptr-libevent@0x55c59fd454d0 Sep 21 07:39:12.327670: | libevent_free: release ptr-libevent@0x55c59fd453e0 Sep 21 07:39:12.327672: | libevent_free: release ptr-libevent@0x55c59fd452f0 Sep 21 07:39:12.327675: | libevent_free: release ptr-libevent@0x55c59fd45200 Sep 21 07:39:12.327677: | libevent_free: release ptr-libevent@0x55c59fd45110 Sep 21 07:39:12.327679: | libevent_free: release ptr-libevent@0x55c59fcac370 Sep 21 07:39:12.327681: | libevent_free: release ptr-libevent@0x55c59fd44c30 Sep 21 07:39:12.327683: | libevent_free: release ptr-libevent@0x55c59fd44b70 Sep 21 07:39:12.327685: | libevent_free: release ptr-libevent@0x55c59fd44a90 Sep 21 07:39:12.327687: | libevent_free: release ptr-libevent@0x55c59fd44cf0 Sep 21 07:39:12.327689: | libevent_free: release ptr-libevent@0x55c59fcaa5b0 Sep 21 07:39:12.327691: | libevent_free: release ptr-libevent@0x55c59fd28ad0 Sep 21 07:39:12.327693: | libevent_free: release ptr-libevent@0x55c59fd28b00 Sep 21 07:39:12.327695: | libevent_free: release ptr-libevent@0x55c59fd287f0 Sep 21 07:39:12.327697: | releasing global libevent data Sep 21 07:39:12.327700: | libevent_free: release ptr-libevent@0x55c59fd274e0 Sep 21 07:39:12.327703: | libevent_free: release ptr-libevent@0x55c59fd28790 Sep 21 07:39:12.327705: | libevent_free: release 
ptr-libevent@0x55c59fd287c0