FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:6628 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55b06856d240 size 40 | libevent_malloc: new ptr-libevent@0x55b06856d270 size 40 | libevent_malloc: new ptr-libevent@0x55b06856e9d0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55b06856e990 size 56 | libevent_malloc: new ptr-libevent@0x55b06856ea00 size 664 | libevent_malloc: new ptr-libevent@0x55b06856eca0 size 24 | libevent_malloc: new ptr-libevent@0x55b068528230 size 384 | libevent_malloc: new ptr-libevent@0x55b06856ecc0 size 16 | libevent_malloc: new ptr-libevent@0x55b06856ece0 size 40 | libevent_malloc: new ptr-libevent@0x55b06856ed10 size 48 | libevent_realloc: new ptr-libevent@0x55b06856ed50 size 256 | libevent_malloc: new ptr-libevent@0x55b06856ee60 size 16 | libevent_free: release ptr-libevent@0x55b06856e990 | libevent initialized | libevent_realloc: new ptr-libevent@0x55b06856ee80 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55b068579640 | libevent_malloc: new ptr-libevent@0x55b068580710 size 128 | libevent_malloc: new ptr-libevent@0x55b0685795a0 size 16 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55b068573af0 | starting up helper thread 1 | libevent_malloc: new ptr-libevent@0x55b0685807a0 size 128 | starting up helper thread 2 | libevent_malloc: new ptr-libevent@0x55b068579580 size 16 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 4 waiting (nothing to do) | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55b0685738b0 | libevent_malloc: new ptr-libevent@0x55b06858ad20 size 128 | libevent_malloc: new ptr-libevent@0x55b06858adb0 size 16 | libevent_realloc: new ptr-libevent@0x55b06858add0 size 256 | libevent_malloc: new ptr-libevent@0x55b06858aee0 size 8 | libevent_realloc: new ptr-libevent@0x55b06857fa10 size 144 | libevent_malloc: new ptr-libevent@0x55b06858af00 size 152 | libevent_malloc: new ptr-libevent@0x55b06858afa0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55b06858afc0 size 8 | libevent_malloc: new ptr-libevent@0x55b06858afe0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55b06858b080 size 8 | libevent_malloc: new ptr-libevent@0x55b06858b0a0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55b06858b140 size 8 | libevent_realloc: release ptr-libevent@0x55b06857fa10 | libevent_realloc: new ptr-libevent@0x55b06858b160 size 256 | libevent_malloc: new ptr-libevent@0x55b06857fa10 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:6751) using fork+execve | forked child 6751 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55b0685749b0 | libevent_malloc: new ptr-libevent@0x55b06858b540 size 128 | libevent_malloc: new ptr-libevent@0x55b06858b5d0 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55b06858b5f0 | libevent_malloc: new ptr-libevent@0x55b06858b630 size 128 | libevent_malloc: new ptr-libevent@0x55b06858b6c0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55b06858b6e0 | libevent_malloc: new ptr-libevent@0x55b06858b720 size 128 | libevent_malloc: new ptr-libevent@0x55b06858b7b0 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55b06858b7d0 | libevent_malloc: new ptr-libevent@0x55b06858b810 size 128 | libevent_malloc: new ptr-libevent@0x55b06858b8a0 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55b06858b8c0 | libevent_malloc: new ptr-libevent@0x55b06858b900 size 128 | libevent_malloc: new ptr-libevent@0x55b06858b990 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55b06858b9b0 | libevent_malloc: new ptr-libevent@0x55b06858b9f0 size 128 | libevent_malloc: new ptr-libevent@0x55b06858ba80 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.571 milliseconds in whack | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55b06858b540 | free_event_entry: release EVENT_NULL-pe@0x55b0685749b0 | add_fd_read_event_handler: new ethX-pe@0x55b0685749b0 | libevent_malloc: new ptr-libevent@0x55b06858b540 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55b06858b630 | free_event_entry: release EVENT_NULL-pe@0x55b06858b5f0 | add_fd_read_event_handler: new ethX-pe@0x55b06858b5f0 | libevent_malloc: new ptr-libevent@0x55b06858b630 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55b06858b720 | free_event_entry: release EVENT_NULL-pe@0x55b06858b6e0 | add_fd_read_event_handler: new ethX-pe@0x55b06858b6e0 | libevent_malloc: new ptr-libevent@0x55b06858b720 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55b06858b810 | free_event_entry: release EVENT_NULL-pe@0x55b06858b7d0 | add_fd_read_event_handler: new ethX-pe@0x55b06858b7d0 | libevent_malloc: new ptr-libevent@0x55b06858b810 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x55b06858b900 | free_event_entry: release EVENT_NULL-pe@0x55b06858b8c0 | add_fd_read_event_handler: new ethX-pe@0x55b06858b8c0 | libevent_malloc: new ptr-libevent@0x55b06858b900 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55b06858b9f0 | free_event_entry: release EVENT_NULL-pe@0x55b06858b9b0 | add_fd_read_event_handler: new ethX-pe@0x55b06858b9b0 | libevent_malloc: new ptr-libevent@0x55b06858b9f0 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.36 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 6751 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0156 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | setting ID to ID_DER_ASN1_DN: 'E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading left certificate 'west' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b0685901d0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b0685900e0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858c790 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858c7c0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858ca30 | unreference key: 0x55b068590f00 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | warning: no secret key loaded for left certificate with nickname west: NSS: cert private key not found | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b0685901d0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858c790 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858c7c0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b06858ca30 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55b068591700 | unreference key: 0x55b0685909b0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x55b068591780 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org,+S-C]...192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org,+S-C]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.46 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.312 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0471 milliseconds in whack | spent 0.00318 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 54 0c 1c cb 69 d4 cc 3e 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x55b068595e40 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ICOOKIE-DUMP: 54 0c 1c cb 69 d4 cc 3e "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55b068590080 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b068590140 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.646 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00252 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 44 c6 c0 4c 8a a0 b8 b2 13 e5 75 5f af b6 95 a4 | a2 df 02 63 22 1b ff a2 d6 63 35 80 77 8b 4b 65 | 5a b3 52 82 9e 1c 53 13 35 ee 31 b6 6d 20 fd 34 | 9b a2 e7 17 fe 0b 63 78 87 51 ad a3 6f d1 72 cc | 46 44 c4 8c a3 39 b7 26 65 a5 97 02 a9 9c 4f 94 | 22 7c 48 3f 40 2f 28 03 ad c0 92 14 97 e9 8e 51 | f8 5d 68 5d 4c 82 70 69 d2 4d 3a 23 c5 64 02 2e | 33 a4 d5 0f 68 33 16 c5 82 70 c1 18 14 24 c7 ac | 86 d2 19 bd 24 32 7d 94 41 f3 fe 8a 5f 2c a2 7a | 42 2d fa 94 e7 93 b6 7b 12 f9 93 7c a6 54 80 4b | 96 b1 3d 1e 54 90 9f e4 5f bc 9b 06 95 18 15 cc | 8e d4 dd bf 21 5e 3b 60 20 a5 57 b2 bd 2b 5a 59 | 6c c6 bb 7c 49 d7 6e 43 73 cc 8b 5d ba 37 3b f2 | 60 8f cf 8b 77 99 fc 26 fc 77 3e bf 0d 78 3a 94 | e1 a2 8e 3b d7 7c 6b 60 f0 21 c6 82 72 42 60 b0 | 11 6b d5 68 23 b7 08 3b 9d 16 2a 37 a7 68 ba 60 | 14 00 00 24 7b 16 a5 56 75 a0 7e aa fc 4e f4 bd | ec dd e8 24 57 ff 29 83 84 50 96 17 bd b1 fc 77 | db b1 4a 6d 14 00 00 24 58 51 96 05 c2 90 31 78 | 0e 54 32 8f 83 7b 9f 43 d0 25 b0 9a be 43 d1 ab | 42 53 2f 54 bb 8a 27 43 00 00 00 24 8e a8 7e 86 | 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 5b 07 f5 37 | 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55b06703ac40(32) | natd_hash: icookie= 54 0c 1c cb 69 d4 cc 3e | natd_hash: rcookie= b5 ef 21 16 49 70 eb 4a | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | natd_hash: hash= d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | natd_hash: hasher=0x55b06703ac40(32) | natd_hash: icookie= 54 0c 1c cb 69 d4 cc 3e | natd_hash: rcookie= b5 ef 21 16 49 70 eb 4a | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 8e a8 7e 86 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 | natd_hash: hash= 5b 07 f5 37 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | expected NAT-D(me): 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | expected NAT-D(me): d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | expected NAT-D(him): | 8e a8 7e 86 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 | 5b 07 f5 37 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | received NAT-D: 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | received NAT-D: d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | received NAT-D: 8e a8 7e 86 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 | received NAT-D: 5b 07 f5 37 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55b068590140 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55b068590080 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b068590080 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b068590140 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.117 milliseconds in process_packet_tail() | crypto helper 3 resuming | crypto helper 3 starting work-order 1 for state #1 | crypto helper 3 doing build KE and nonce (inI2_outR2 KE); request ID 1 | crypto helper 3 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.000944 seconds | (#1) spent 0.949 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 3 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fb7f4006900 size 128 | crypto helper 3 waiting (nothing to do) | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.28 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 1 | calling continuation function 0x55b066f64630 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value bd 2b 2a 85 2c c1 54 d0 dc aa 1b 0f 38 1d 92 43 | keyex value 08 36 e7 74 09 d1 f7 ba af c4 23 5a de ef c0 eb | keyex value e6 27 8e 54 7d e7 86 73 a6 ed fa 1c f1 a0 39 6c | keyex value 24 81 b3 7d 29 a9 04 2d 9d 78 c9 a5 17 d7 e7 df | keyex value c0 b9 97 9b 9d 3b d0 3c 7f df 1a f1 72 08 e1 96 | keyex value 1c cb 11 2c 61 99 82 78 fb f3 5c bc a8 cf fd 89 | keyex value 0b 37 ff c9 b8 50 50 c6 da b8 20 83 b0 50 62 dd | keyex value 1c 9c 78 b8 cf 8b 6f 9a b5 24 91 4d 84 63 af 27 | keyex value d4 97 38 5b 5a 84 96 a5 69 31 71 50 0d df 41 51 | keyex value f4 9d d3 df 0a 34 6d cc 4e 68 a1 d2 7a fd 05 06 | keyex value 5f 01 b8 f1 9b 1e 0f 03 42 e1 db 10 ed a2 21 d5 | keyex value a0 ad 59 6b 54 ff 11 56 3d 8e 2c 85 53 f4 dc 35 | keyex value 31 7b 62 0e 66 00 bc e2 91 ce b4 a2 23 f6 30 72 | keyex value ce a2 ac 6c d8 01 9c 66 58 01 f5 ee 61 98 f5 e9 | keyex value 73 94 3a 9b 44 5a f6 88 60 86 fb 11 5e 7f c0 e7 | keyex value 35 d6 9d ec 4b f7 9f 63 9f 15 f6 88 39 68 9f 43 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 30 1f 80 82 10 ce 4e 55 aa d5 a1 5c cf 82 dd e5 | Nr 6a da 7b a8 66 58 f6 ea 8e db c7 ce c2 b1 06 e3 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_NONE (0x0) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting 175 raw bytes of CA into ISAKMP Certificate RequestPayload | CA 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | CA 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | CA 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | CA 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | CA 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | CA 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | CA 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | CA 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | CA 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | CA 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | CA 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Certificate RequestPayload: 180 | sending NAT-D payloads | natd_hash: hasher=0x55b06703ac40(32) | natd_hash: icookie= 54 0c 1c cb 69 d4 cc 3e | natd_hash: rcookie= b5 ef 21 16 49 70 eb 4a | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 8e a8 7e 86 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 | natd_hash: hash= 5b 07 f5 37 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 8e a8 7e 86 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 | NAT-D 5b 07 f5 37 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55b06703ac40(32) | natd_hash: icookie= 54 0c 1c cb 69 d4 cc 3e | natd_hash: rcookie= b5 ef 21 16 49 70 eb 4a | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | natd_hash: hash= d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | NAT-D d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 576 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55b068590140 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b068590080 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b068590080 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b068590140 size 128 | #1 main_inI2_outR2_continue1_tail:1158 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55b068590140 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b068590080 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 576 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 04 10 02 00 00 00 00 00 00 00 02 40 0a 00 01 04 | bd 2b 2a 85 2c c1 54 d0 dc aa 1b 0f 38 1d 92 43 | 08 36 e7 74 09 d1 f7 ba af c4 23 5a de ef c0 eb | e6 27 8e 54 7d e7 86 73 a6 ed fa 1c f1 a0 39 6c | 24 81 b3 7d 29 a9 04 2d 9d 78 c9 a5 17 d7 e7 df | c0 b9 97 9b 9d 3b d0 3c 7f df 1a f1 72 08 e1 96 | 1c cb 11 2c 61 99 82 78 fb f3 5c bc a8 cf fd 89 | 0b 37 ff c9 b8 50 50 c6 da b8 20 83 b0 50 62 dd | 1c 9c 78 b8 cf 8b 6f 9a b5 24 91 4d 84 63 af 27 | d4 97 38 5b 5a 84 96 a5 69 31 71 50 0d df 41 51 | f4 9d d3 df 0a 34 6d cc 4e 68 a1 d2 7a fd 05 06 | 5f 01 b8 f1 9b 1e 0f 03 42 e1 db 10 ed a2 21 d5 | a0 ad 59 6b 54 ff 11 56 3d 8e 2c 85 53 f4 dc 35 | 31 7b 62 0e 66 00 bc e2 91 ce b4 a2 23 f6 30 72 | ce a2 ac 6c d8 01 9c 66 58 01 f5 ee 61 98 f5 e9 | 73 94 3a 9b 44 5a f6 88 60 86 fb 11 5e 7f c0 e7 | 35 d6 9d ec 4b f7 9f 63 9f 15 f6 88 39 68 9f 43 | 07 00 00 24 30 1f 80 82 10 ce 4e 55 aa d5 a1 5c | cf 82 dd e5 6a da 7b a8 66 58 f6 ea 8e db c7 ce | c2 b1 06 e3 14 00 00 b4 04 30 81 ac 31 0b 30 09 | 06 03 55 04 06 13 02 43 41 31 10 30 0e 06 03 55 | 04 08 0c 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 | 03 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 | 10 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 | 6e 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 | 20 44 65 70 61 72 74 6d 65 6e 74 31 25 30 23 06 | 03 55 04 03 0c 1c 4c 69 62 72 65 73 77 61 6e 20 | 74 65 73 74 20 43 41 20 66 6f 72 20 6d 61 69 6e | 63 61 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 | 01 16 15 74 65 73 74 69 6e 67 40 6c 69 62 72 65 | 73 77 61 6e 2e 6f 72 67 14 00 00 24 8e a8 7e 86 | 4e 42 16 7a 38 47 1f 54 b7 7f 7b 50 5b 07 f5 37 | 38 d6 28 1b 8b 9e 82 42 2b 13 c9 b3 00 00 00 24 | 58 51 96 05 c2 90 31 78 0e 54 32 8f 83 7b 9f 43 | d0 25 b0 9a be 43 d1 ab 42 53 2f 54 bb 8a 27 43 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b068590080 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b068590140 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50109.164411 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.393 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb7f4006900 | crypto helper 5 resuming | crypto helper 5 starting work-order 2 for state #1 | crypto helper 5 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 5 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.000952 seconds | (#1) spent 0.957 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 5 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fb7ec004f00 size 128 | crypto helper 5 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 2 | calling continuation function 0x55b066f64630 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1008) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1021) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0187 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb7ec004f00 | spent 0.00395 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 620 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 05 10 02 01 00 00 00 00 00 00 02 6c f2 53 3f f4 | a4 d8 b7 c8 53 d9 49 1e 5e bf cf 40 8d 10 d8 59 | c1 17 0c 22 48 46 fe 61 9e f5 59 1c 9a dd af 1a | 20 1f 54 3f 33 fc e3 37 df 6c 38 64 25 77 1b 7e | 57 09 6f 17 c7 a2 d1 56 cc 07 35 14 71 59 01 01 | 2d 1b 24 51 8f 87 3a 1b a7 93 59 a1 fb 6c 2f 35 | 25 96 83 56 d0 fa 70 a6 ee 42 ec a2 d3 5c 2a 30 | d6 80 23 da ed d9 97 b4 1e 8f 4d 55 a8 61 2e c4 | 2b 51 36 ac 30 3a 10 d6 a8 34 e5 0d e8 d4 44 0f | 4c 07 68 90 84 44 30 d6 2f 77 d8 e1 2e 5e 98 ea | 6f a8 62 fe 9c 2c b2 4c 0e 43 53 ca 9d e4 a6 86 | df 49 46 66 92 5c e3 b2 d2 39 a5 4f d9 36 76 be | 56 a0 15 39 0e 07 ab 96 d7 d7 59 2f 43 2d 0d de | ce 51 99 2e b8 b0 da fc f5 20 09 9d 01 bb 69 55 | ac c4 47 a5 d3 e3 c3 77 25 1d 9d 9f 1c b4 b9 b4 | cc ba d6 0f c9 00 fb a9 13 e2 4f 49 19 fe 67 bc | 1a 15 ea 90 1e fc cd 39 2e 00 d0 05 58 4b 47 d5 | b4 06 6f c0 7d f5 96 62 31 68 b4 88 94 4a 59 b6 | 0f b0 f9 77 a7 aa 7b cd db d7 3d 59 54 ad 1b 85 | 0c a4 d1 41 44 30 a7 b3 3a 34 65 f3 91 a7 d2 d9 | 60 8f 96 0b 0b ee 0b a3 56 08 77 b8 37 b5 4d 87 | 43 23 28 b9 91 f0 08 99 d5 9c de f5 ee a6 46 07 | 82 53 4c 1a d7 fb 82 fe f4 6d c8 cc 61 f0 87 b0 | 83 60 8c dd d2 55 84 97 60 50 5a cb 72 1d 8a 0e | 0e 20 ca 76 d5 d1 ee 37 f9 0b e7 83 e1 cd 17 79 | de 0c 04 dd 30 85 2e 57 7b 65 08 0f b9 77 25 95 | 21 23 fb 4c 5a f9 cd 2c cd 2e 7a dd 4b ba d9 20 | 43 35 1d 92 14 1c 7a d3 61 25 b6 d0 0f b7 b8 cd | 3d 13 e0 5e d5 cd 8b df 8b 30 c5 84 11 fb de cb | b0 c7 a6 64 7b fc 44 d9 99 6b 09 f5 a1 62 a7 86 | 5d b3 ec 22 40 b4 f0 3a 94 e2 98 35 f3 28 e6 7d | 80 2a 38 48 37 e3 f7 7d 73 fc 34 6c e9 a0 2b d6 | 57 67 52 6c c7 3a 91 cd 70 15 de 94 87 45 b7 42 | b5 7e 1f 73 f4 39 4c ec 5b 37 dd c7 93 aa 2f 99 | 5c 15 2c 14 3d fb 9e 0a 2f 85 e2 c4 d0 02 77 92 | 49 a8 26 35 03 0b 52 e0 1c e8 89 99 0b 9d 09 98 | 77 c3 ba 70 15 ec d8 fc f3 75 a9 90 c9 ad 4a 27 | 29 2a fb 3b 79 b4 9b ce 29 9c 04 81 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 620 (0x26c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | obj: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | obj: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | obj: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 13 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 77 65 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 77 65 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | X509: no CERT payloads to process | refine_host_connection for IKEv1: starting with "nss-cert" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: happy with starting point: "nss-cert" | The remote did not specify an IDr and our current connection is good enough | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '@east.testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid '192.1.2.23' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | RSA key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAa0Pt [preloaded keys] | #1 spent 0.203 milliseconds in try_all_keys() trying a pubkey "nss-cert" #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_NEVERSEND and I did not get a certificate request | so do not send cert. | INVALID AUTH SETTING: 3 | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_SIG (0x9) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | my identity 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 61 73 | my identity 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | my identity 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | my identity 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAbANn vs PKK_RSA:AwEAAbANn | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_R into ISAKMP Signature Payload | SIG_R ac 56 97 75 61 a8 76 27 e6 b5 d7 0f cc b5 ca 1b | SIG_R d4 df 3c 30 e9 dd d8 5f 8d a3 e1 10 c8 70 f9 63 | SIG_R 79 cf 6a 4a 8f ee fe 51 58 e1 65 d0 df 02 e3 10 | SIG_R 03 a8 17 a7 ab 64 19 4b c9 9b 42 a6 b0 ff 4c 20 | SIG_R 7b b4 4f 75 b8 9d 56 1f 56 69 cc dc db 8f 48 ad | SIG_R eb 54 19 8c d4 e6 18 eb 15 4b 52 62 d0 0f 3d 79 | SIG_R 4c 01 a4 a6 ee 55 20 4a 58 fc 67 0d d8 60 05 8f | SIG_R ad 83 36 a0 80 9c 06 97 3b 4f 84 ba 97 90 ba 6a | SIG_R 22 d3 0b 02 3b 80 fa 96 15 28 fd dd 51 b9 31 8a | SIG_R b0 c6 33 84 36 35 fd 23 7a 2c 5a 37 b0 f2 4c 9a | SIG_R 2a b1 17 e8 c5 a5 f7 24 78 73 08 60 a4 c0 f1 05 | SIG_R 9b 49 ee 31 6b ee e2 e0 d5 b9 d1 fd e3 07 07 ca | SIG_R 16 99 8e e1 e9 be f6 b7 3d dc 94 57 20 65 49 85 | SIG_R 0d d4 8a 80 dd da 64 38 f4 80 1c 9d 58 d6 02 a2 | SIG_R 08 4c f2 67 16 e9 a8 a4 ff 74 34 9a be ae 4b 25 | SIG_R 36 a7 26 45 fc 89 3a 98 f1 82 6d 45 c7 15 54 bf | SIG_R ee 3b 54 f1 e9 84 1c 96 d2 d4 9a ca cf 52 28 47 | SIG_R 51 b8 7b a7 57 74 28 c2 63 e8 13 c4 dc 22 1f 6b | SIG_R ce 71 20 17 97 36 76 27 a0 5c cf ad 98 da e2 f2 | SIG_R 71 e3 1c ff 61 7b 42 8b a2 e7 72 1b a0 c7 e8 da | SIG_R b5 1a fe 1b 34 51 3a 98 64 71 63 d3 4c fa 50 ff | SIG_R 24 94 bb 19 69 cd 1f 51 11 7a 57 4d 50 f7 2f 44 | SIG_R 1c 9c e0 66 90 9a c2 2c 50 db 26 c2 70 e1 cc e1 | SIG_R 72 73 ee dc 16 9f 19 bb 2f e6 f3 00 b7 0d c8 da | emitting length of ISAKMP Signature Payload: 388 | emitting 13 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 620 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x55b068590140 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55b068590080 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 620 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 05 10 02 01 00 00 00 00 00 00 02 6c 58 5d 72 ea | e9 4a d3 ab 5e 9e ce 0c 14 3b 6c e4 67 d7 83 19 | 49 32 85 cd ca 6b f1 1a 65 f4 78 73 f2 e3 54 87 | db 04 25 a7 80 2a 67 80 95 28 b5 35 25 b8 03 c1 | ba fd 27 ad 7e 2d ea e5 64 20 03 40 42 96 19 c6 | f0 e5 df 44 6f 1a 5e 1b f7 d8 b3 8c 93 12 a1 d9 | ae 54 75 fc f3 0e 77 ac 74 18 7b a7 e4 b0 a4 6b | bc 95 0f 9d e7 de 1c c8 76 a6 6b 8d 82 88 ca b7 | a5 6e b8 af ff e5 cc 76 91 01 d3 b9 5a 05 c3 7a | 92 2a 34 0d 0a 08 3d 13 e9 60 33 3a c9 fc 9b d3 | b0 79 4a 35 83 44 44 32 19 1e 7d 99 76 78 bf c5 | 30 00 a1 20 23 61 c8 cb 45 14 3e dc 63 72 97 10 | 32 92 69 3a 65 45 a2 d0 87 6d 96 67 c2 18 57 7b | 5e 60 8f 6f ce 03 bf c9 89 4e 18 ed a0 9a 01 1a | 00 ed ec ee c3 e4 d7 78 16 10 9a 00 a4 a8 8c ec | 89 7f 2b 5f 5d 1b 98 8d 2e e3 4b 9b e7 39 d4 9b | 0c a7 6d c4 4f 1c 0b 57 3c 77 b5 3a 31 57 ab c4 | 7f 7f 1d 74 58 01 b8 64 ce 83 96 c5 71 25 c4 1c | 98 60 3a 8c 80 95 9c 33 6c 6f 1e 9b 11 a7 d9 24 | 40 9d d0 f0 bf f8 b3 97 a4 d0 ae a9 23 d6 c2 c5 | bf 5e 09 51 9b 86 18 f8 dd e2 0f 21 45 f8 bd 35 | a2 7f 99 d4 9c 63 75 d7 6c 29 00 80 53 62 01 0c | 2e ac 30 07 35 6d 35 93 9f 2e 23 0e f2 5f 4d 27 | 33 09 4f dc d4 7b f8 69 5e 98 e9 a5 93 cc 7e 08 | 1f 70 f2 ba 36 a3 59 9c fd ee b0 bf 1e 27 68 54 | 3f 39 bd 32 fd f7 84 55 dd ac 8d ff 32 f9 f7 93 | c1 b4 4c 3c ce 3b 81 32 2a 89 b6 5e 02 ac bd 7b | 91 55 94 7e 46 1f a4 2f 2d 80 f5 a1 ca e1 bd 48 | 1e f9 0f 7d 1e 6c 4b c4 5b 24 28 dc 69 31 1c dc | a0 e9 0c 52 d8 2d 65 23 b3 8a c9 ea bf d3 ca f3 | be b4 52 60 72 3c 86 be 0b 14 cf 75 e1 55 7e 4c | 69 64 0f d0 bc ee cd 07 4a 91 bb a7 f1 da 23 c6 | c5 59 22 c8 77 7b fd 5d e4 fc ec 66 79 39 73 54 | 36 81 90 ee 32 fc 3a cb 55 fc 15 4b b9 0e b2 97 | dd c2 39 f8 39 81 a9 c5 0b db a9 6d 17 00 ba 04 | 6d 8e 95 7e 0e f5 27 f7 4d 78 c3 2e 28 80 20 17 | 38 83 57 52 1c fe c8 99 78 e7 e9 aa 26 12 f4 b4 | 81 33 bf a3 74 bf 4f 1a 60 87 e7 5c | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55b06859e7f0 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x55b068590140 size 128 | pstats #1 ikev1.isakmp established "nss-cert" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | #1 spent 9.53 milliseconds | #1 spent 9.96 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 10.2 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00315 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 476 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 08 10 20 01 f5 94 af 69 00 00 01 dc e6 1a 63 34 | d9 c4 ec bf 7a ef 96 6c 0a b7 38 cf a9 87 4b a2 | 0b 84 40 a4 54 5d 24 47 3e fc 4e 36 02 46 6a 28 | 49 46 04 61 9f 1c fe 39 d1 d8 6b 1a d5 df 2e 8e | 28 e8 94 78 7c bb f3 d2 51 3a 2e 53 61 1d 10 65 | 81 da 70 08 dd 88 66 32 14 77 71 0b 44 17 6c 1b | 36 6c 4a 3b 78 8b a3 49 ed 85 dc 97 f9 b3 5c 10 | 65 b4 36 a2 f1 3d 0b 86 81 06 1a 1d 79 14 e3 4d | 18 48 6f de 65 96 39 ae e4 36 83 6a 0f 20 87 9b | be df 63 ef b2 27 64 e0 82 a3 91 55 8d 76 be e1 | 56 93 92 29 55 9a bc 3f ac e3 31 fa e5 96 3c 1e | 1d ac a3 c1 f4 ee 80 48 c0 87 58 f4 0b 63 78 03 | 1f 20 05 25 fb 92 24 a5 99 06 b0 c5 ad 8e c1 dc | cd 63 ae c5 a9 13 12 97 e2 19 18 5d f2 b1 b6 48 | 03 ec 97 72 65 6e a3 5f 9a 22 6e 2d d2 df 7b 2c | e8 a2 78 ad 8a 2c b6 03 f1 41 b2 51 c0 f6 50 7b | 34 ab ae a0 f1 8e d8 d4 66 88 1d 33 54 d6 d5 90 | 2e 21 50 24 56 05 00 c7 4d 42 f6 25 1e 24 07 db | 80 1b 6b 0a 01 72 1b a3 9f f5 ee 99 05 6c 9e 44 | 14 58 72 79 57 88 27 0c f4 cf 87 75 e8 54 07 63 | f5 3d a5 68 1f 77 1a cc 59 24 85 aa 47 40 d9 57 | 98 d4 ac 6b 00 39 dd 8a 44 ef a7 de b9 77 5a c5 | c4 44 db 01 74 20 04 11 ec 85 61 5f dd 69 5a b7 | 2c cc dc aa 30 fc 1f 3a d1 f8 59 01 b5 ce e4 04 | 98 8b 1f 8a 07 0f 17 48 f6 33 36 51 25 3f eb 6b | b7 ca d0 6b 86 7e f7 44 14 04 ad 51 3f f7 3e 6e | c3 ec df e6 0d 4f ec 08 02 63 1d 1e 93 6a a2 01 | 1b ce 00 5d 16 3c 66 fe 49 9f 6e 26 d5 72 75 dc | f4 8f e3 e7 82 a8 f8 81 cd f9 a5 2e | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4120162153 (0xf594af69) | length: 476 (0x1dc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1583) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 01 fe | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 fe | removing 8 bytes of padding | quick_inI1_outR1 HASH(1): | 26 3c 30 83 f1 25 b5 4d 0c 33 14 20 74 b9 d0 32 | 56 aa 4e b4 a3 81 1e 9f b1 f5 cb 3e aa e1 60 36 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 01 fe | peer client is 192.0.1.254/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 fe | our client is 192.0.2.254/32 | our client protocol/port is 0/0 "nss-cert" #1: the peer proposed: 192.0.2.254/32:0/0 -> 192.0.1.254/32:0/0 | find_client_connection starting with nss-cert | looking for 192.0.2.254/32:0:0/0 -> 192.0.1.254/32:0:0/0 | concrete checking against sr#0 192.0.2.254/32:0 -> 192.0.1.254/32:0 | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | fc_try trying nss-cert:192.0.2.254/32:0:0/0 -> 192.0.1.254/32:0:0/0 vs nss-cert:192.0.2.254/32:0:0/0 -> 192.0.1.254/32:0:0/0 | fc_try concluding with nss-cert [129] | fc_try nss-cert gives nss-cert | concluding with d = nss-cert | client wildcard: no port wildcard: no virtual: no | creating state object #2 at 0x55b06859eec0 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "nss-cert" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI f6 56 fa 5a | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b06859e510 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb7f4006900 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | crypto helper 1 resuming | crypto helper 1 starting work-order 3 for state #2 | crypto helper 1 doing build KE and nonce (quick_outI1 KE); request ID 3 | #1 spent 0.243 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.495 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000888 seconds | (#2) spent 0.891 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 1 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fb7f0007fa0 size 128 | libevent_realloc: release ptr-libevent@0x55b06856ee80 | libevent_realloc: new ptr-libevent@0x55b06859a0c0 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 3 | calling continuation function 0x55b066f64630 | quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outR1 DH work-order 4 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fb7f4006900 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b06859e510 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55b06859e510 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb7f4006900 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | crypto helper 2 resuming | #2 spent 0.088 milliseconds in resume sending helper answer | crypto helper 2 starting work-order 4 for state #2 | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb7f0007fa0 | crypto helper 2 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 | crypto helper 2 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000825 seconds | (#2) spent 0.834 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr) | crypto helper 2 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fb7e4003590 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 4 | calling continuation function 0x55b066f64630 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4120162153 (0xf594af69) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI f6 56 fa 5a | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x43309c09 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 43 30 9c 09 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 0e 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "nss-cert" #2: responding to Quick Mode proposal {msgid:f594af69} "nss-cert" #2: us: 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org,+S-C] "nss-cert" #2: them: 192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org,+S-C]===192.0.1.254/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 2a 81 8a 24 f1 f1 0f c0 19 5f 44 35 bd 03 c2 0c | Nr a6 5d ec 77 ac 92 10 cd de 23 f5 87 c1 ac 01 3a | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 2e a1 17 88 2b 7c 19 b1 91 c6 a9 4b aa 14 a3 0a | keyex value 3b 55 8e f0 e5 b6 c4 cf f9 06 79 43 b6 cb 56 18 | keyex value f2 22 df cf 2f 0c 4f 1d ea 1d 38 2d a1 c9 3e 71 | keyex value a2 fd 34 a4 13 51 1b 33 67 33 69 6c 69 f1 81 99 | keyex value 11 88 14 14 3a dd 20 0a 6f fc 11 3e fe 70 05 82 | keyex value cf b0 e2 9e 0b a8 5a 83 7d 99 30 8d 3a 1f 9c 29 | keyex value a9 b7 e4 a0 56 73 85 1d 61 ea f1 07 79 ae 1a 34 | keyex value 3c 01 af 70 2e 1d b1 a0 0b 62 c4 6e e2 d8 e1 e2 | keyex value 11 3b d6 9e ea 24 32 40 68 8d 2b c7 b6 5d 61 c0 | keyex value 8e d1 17 6d 5f a1 ba 2f b2 83 6e df 9a 2a f1 48 | keyex value 75 49 19 9d 35 67 0e 1c 0a 9c f2 ea b6 ac 2c 9a | keyex value 64 7d 2e 6d 3d 85 d9 59 71 95 06 a8 a6 e2 af fa | keyex value 59 86 a5 e4 c2 03 a6 be e9 0c 05 f5 2e 4e 75 67 | keyex value 6c 3b a9 3a 1d 00 90 be 1b db ab 26 b6 95 01 b8 | keyex value 3a 4d d4 3e 1d b5 83 03 b3 e2 16 d5 89 66 c6 87 | keyex value 41 ef 58 06 ae eb 91 6a 3b e2 d4 b6 cb 0e 30 6b | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 01 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 fe | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | quick inR1 outI2 HASH(2): | 33 97 29 8b dd c8 e3 de df 93 e5 7f df f9 cf 46 | 81 46 1f e8 6e 5a 64 62 83 8f 3d b8 f5 49 1c 3d | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | could_route called for nss-cert (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x55b06859eec0 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'nss-cert' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.f656fa5a@192.1.2.45 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'nss-cert' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.43309c09@192.1.2.23 included non-error error | priority calculation of connection "nss-cert" is 0xfdfdf | add inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 444 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fb7f4006900 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55b06859e510 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 444 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #2) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 08 10 20 01 f5 94 af 69 00 00 01 bc 05 22 9f 85 | dd f8 50 81 20 72 3d 17 d5 a6 c7 3b 71 38 9d f6 | 60 9a fc 3b 29 da 96 5c 22 04 8c c3 cb d3 2b 18 | ab fe 70 e8 97 8d 41 27 9c 7c 9c dd d4 22 84 78 | cb 4f f0 e0 0f 90 de b9 8d 70 96 b4 5c 02 d0 19 | 8c ad 15 19 f6 dc 70 e6 f8 94 2d 39 6e 07 2f ea | 3d 8b c9 9a 2b 17 b0 eb 77 b4 73 fa e2 c7 63 53 | 39 f4 1f ac 92 fd 85 6f a0 74 61 c0 df 14 56 7c | de 2d 28 68 22 7c bd 8b cf 76 31 08 bc bb 24 14 | f6 de d9 e5 a4 6e bf eb d7 b1 7d 3d 03 43 b3 62 | 74 6e 08 36 42 bb 1c ff 02 c0 2a ec a4 96 3e 70 | 12 29 f8 83 4a d1 ac 36 56 70 ea 13 d6 09 3e cb | 6e cf 0a e2 da ce 2c 1d 06 66 2e 34 47 b9 9b 69 | c0 d6 91 07 dd 03 f0 bc 61 c8 ed d2 80 c6 1b 4f | 31 6e 7b 79 2c ab 67 2b 70 92 0b b0 f0 32 0b 4a | a4 93 9b 67 5b d3 b9 92 7c b4 06 ac c6 7a b1 bb | 0e 1f 5f fd 1d 7b 02 d5 5f 96 fa 72 b3 f0 8a 6c | b0 7d ca 6b c5 37 17 a3 7b 08 76 52 b8 e3 db 66 | a9 ed 3f c8 22 3e a6 fc 10 95 45 55 ed 25 f7 4b | 99 a1 f7 61 6a 26 e8 e3 75 09 fd 15 c6 bb 7e a3 | 34 d3 48 ae 08 94 43 9e cb c0 7e fe 47 cc 91 f3 | bf ad d5 81 95 07 80 d5 a0 5c 0f 5a 52 3f c4 c3 | 25 06 c9 73 11 83 03 94 0c 2e 0f cb 1d 0d 50 66 | 6d 8f be ec 0a 70 9e e1 aa 20 76 fb 86 47 52 4b | 5b 48 cf 76 6a 4f bb f9 df 14 21 2e cc 79 61 24 | cd 67 03 be 79 0c 36 67 cc e5 2f 7c 43 14 82 dc | d8 3a 3a 67 e3 76 69 05 01 98 f0 f5 | !event_already_set at reschedule "nss-cert" #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x55b06859e510 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb7f4006900 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50109.206295 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "nss-cert" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0xf656fa5a <0x43309c09 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 1.03 milliseconds in resume sending helper answer | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fb7e4003590 | spent 0.00314 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 08 10 20 01 f5 94 af 69 00 00 00 4c 7a 53 df 03 | 5c 14 5f 56 c9 c5 78 90 a0 de d9 48 ab 7e 8c 52 | 54 df 34 e0 a2 18 a5 bd 7d 36 fd d0 94 f8 d0 e5 | b7 ce 16 55 af 53 f5 17 cb 03 ba f2 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4120162153 (0xf594af69) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1609) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | removing 12 bytes of padding | quick_inI2 HASH(3): | b0 0d 08 6d 30 2d 04 c0 39 d5 81 8c 05 eb 84 d0 | 90 40 a2 16 fe 84 f5 30 1a d6 42 1e 66 a5 d1 b8 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for nss-cert (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: nss-cert (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "nss-cert" is 0xfdfdf | eroute_connection add eroute 192.0.2.254/32:0 --0-> 192.0.1.254/32:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1040351 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG | popen cmd is 1431 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INT: | cmd( 80):ERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=C: | cmd( 160):A, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libre: | cmd( 240):swan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PL: | cmd( 320):UTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_: | cmd( 400):PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_: | cmd( 480):PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Te: | cmd( 560):st Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org': | cmd( 640): PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLU: | cmd( 800):TO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Lib: | cmd( 880):reswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_A: | cmd( 960):DDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+: | cmd(1040):IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv: | cmd(1120):4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_: | cmd(1200):PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER: | cmd(1280):='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' : | cmd(1360):VTI_SHARED='no' SPI_IN=0xf656fa5a SPI_OUT=0x43309c09 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLI | popen cmd is 1436 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' P: | cmd( 480):LUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, : | cmd( 560):OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan: | cmd( 640):.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLU: | cmd( 720):TO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0: | cmd( 800):' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, C: | cmd( 880):N=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PL: | cmd( 960):UTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_T: | cmd(1040):RACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY: | cmd(1120):='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' P: | cmd(1200):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: | cmd(1280):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: | cmd(1360):'no' VTI_SHARED='no' SPI_IN=0xf656fa5a SPI_OUT=0x43309c09 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY=' | popen cmd is 1434 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_: | cmd( 80):INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID=': | cmd( 160):C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.li: | cmd( 240):breswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32': | cmd( 320): PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_: | cmd( 400):MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLU: | cmd( 480):TO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU: | cmd( 560):=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.o: | cmd( 640):rg' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO: | cmd( 720):_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' : | cmd( 800):PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=: | cmd( 880):Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUT: | cmd( 960):O_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRA: | cmd(1040):CK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY=': | cmd(1120):ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLU: | cmd(1200):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SER: | cmd(1280):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: | cmd(1360):o' VTI_SHARED='no' SPI_IN=0xf656fa5a SPI_OUT=0x43309c09 ipsec _updown 2>&1: "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. "nss-cert" #2: route-client output: Error: Peer netns reference is invalid. | route_and_eroute: instance "nss-cert", setting eroute_owner {spd=0x55b06858c330,sr=0x55b06858c330} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.23 milliseconds in install_ipsec_sa() | inI2: instance nss-cert[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x7fb7f4006900 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55b06859e510 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55b06859e510 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fb7f4006900 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "nss-cert" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0xf656fa5a <0x43309c09 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #2 spent 1.31 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.45 milliseconds in comm_handle_cb() reading and processing packet | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_EXPIRE message | spent 0.00655 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.0044 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00279 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.0026 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.43309c09@192.1.2.23 | get_sa_info esp.f656fa5a@192.1.2.45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.375 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | pluto_sd: executing action action: stopping(6), status 0 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x55b068597db0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55b0685979a0 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55b068597690 @east.testing.libreswan.org cnt 1-- | unreference key: 0x55b0685972b0 east@testing.libreswan.org cnt 1-- | unreference key: 0x55b068596e90 192.1.2.23 cnt 1-- | unreference key: 0x55b068592940 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | unreference key: 0x55b068592580 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55b068591640 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55b0685914a0 west@testing.libreswan.org cnt 1-- | unreference key: 0x55b068590ac0 192.1.2.45 cnt 1-- | start processing: connection "nss-cert" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "nss-cert" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "nss-cert" from 192.1.2.45:500 (in delete_state() at state.c:879) "nss-cert" #2: deleting state (STATE_QUICK_R2) aged 2.765s and sending notification | child state #2: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.f656fa5a@192.1.2.45 | get_sa_info esp.43309c09@192.1.2.23 "nss-cert" #2: ESP traffic information: in=0B out=0B | #2 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 327926490 (0x138bc2da) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 43 30 9c 09 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | c4 5c e6 fc c1 74 8f e5 ab d2 80 f6 c9 57 41 18 | 53 0d 3b 1e 06 b4 25 99 06 e4 9d 22 07 40 c4 f3 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 08 10 05 01 13 8b c2 da 00 00 00 5c cc c5 a5 da | 72 c2 bb 22 e3 2f f6 4b 70 6a eb 5a 3d 2c 53 b6 | 2d 42 e9 31 df 95 1f 85 51 62 f8 9a 3d 48 e2 0b | b0 6d 4b f9 73 d6 b6 e5 c7 a6 3b 33 d3 59 de d5 | 49 33 a8 c7 f7 39 3f 9e cc 58 0c 92 | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7fb7f4006900 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55b06859e510 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051462' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C | popen cmd is 1324 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C: | cmd( 160):=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.lib: | cmd( 240):reswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' : | cmd( 320):PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_M: | cmd( 400):Y_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUT: | cmd( 480):O_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=: | cmd( 560):Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.or: | cmd( 640):g' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' P: | cmd( 800):LUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051462' PLUTO_CONN_POLIC: | cmd( 880):Y='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 960):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_: | cmd(1040):SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER: | cmd(1120):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' P: | cmd(1200):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xf6: | cmd(1280):56fa5a SPI_OUT=0x43309c09 ipsec _updown 2>&1: | shunt_eroute() called for connection 'nss-cert' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.254/32:0 --0->- 192.0.1.254/32:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.254/32:0 dest 192.0.1.254/32:0 | priority calculation of connection "nss-cert" is 0xfdfdf | IPsec Sa SPD priority set to 1040351 | delete esp.f656fa5a@192.1.2.45 | netlink response for Del SA esp.f656fa5a@192.1.2.45 included non-error error | priority calculation of connection "nss-cert" is 0xfdfdf | delete inbound eroute 192.0.1.254/32:0 --0-> 192.0.2.254/32:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.43309c09@192.1.2.23 | netlink response for Del SA esp.43309c09@192.1.2.23 included non-error error | stop processing: connection "nss-cert" (BACKGROUND) (in update_state_connection() at connections.c:4037) | start processing: connection NULL (in update_state_connection() at connections.c:4038) | in connection_discard for connection nss-cert | State DB: deleting IKEv1 state #2 in QUICK_R2 | child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in delete_state() at state.c:879) "nss-cert" #1: deleting state (STATE_MAIN_R3) aged 2.876s and sending notification | parent state #1: MAIN_R3(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_R3 | **emit ISAKMP Message: | initiator cookie: | 54 0c 1c cb 69 d4 cc 3e | responder cookie: | b5 ef 21 16 49 70 eb 4a | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4237744696 (0xfc96da38) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 54 0c 1c cb 69 d4 cc 3e | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI b5 ef 21 16 49 70 eb 4a | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | a1 8b ec d7 7c 56 56 46 fd 17 6d 4d 17 cc e2 5f | db 20 d3 00 64 45 d7 bb b0 5e ba a5 b4 fa 9d cf | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | 54 0c 1c cb 69 d4 cc 3e b5 ef 21 16 49 70 eb 4a | 08 10 05 01 fc 96 da 38 00 00 00 5c 4f 3f a3 b6 | e8 6d 56 74 26 3e 02 bc 3d c2 3e 13 b7 2c dd bd | 8f f0 17 c3 c2 6e e2 5e c5 f9 40 d9 5a 0d 67 ec | 74 1e b7 0f fe 51 f8 e5 8a 34 f1 ce 05 46 25 6c | f8 6f fd 50 68 a0 5d ee 3b dc ef f1 | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55b068590140 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55b06859e7f0 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection nss-cert | State DB: deleting IKEv1 state #1 in MAIN_R3 | parent state #1: MAIN_R3(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55b068592940 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | shunt_eroute() called for connection 'nss-cert' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.254/32:0 --0->- 192.0.1.254/32:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.254/32:0 dest 192.0.1.254/32:0 | priority calculation of connection "nss-cert" is 0xfdfdf | priority calculation of connection "nss-cert" is 0xfdfdf | FOR_EACH_CONNECTION_... in route_owner | conn nss-cert mark 0/00000000, 0/00000000 vs | conn nss-cert mark 0/00000000, 0/00000000 | route owner of "nss-cert" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/32' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CON | popen cmd is 1305 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='nss-cert' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID: | cmd( 160):='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.: | cmd( 240):libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.254/3: | cmd( 320):2' PLUTO_MY_CLIENT_NET='192.0.2.254' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUT: | cmd( 400):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' : | cmd( 480):PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan,: | cmd( 560): OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswa: | cmd( 640):n.org' PLUTO_PEER_CLIENT='192.0.1.254/32' PLUTO_PEER_CLIENT_NET='192.0.1.254' PL: | cmd( 720):UTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL=': | cmd( 800):0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RS: | cmd( 880):ASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: | cmd( 960):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURC: | cmd(1040):EIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMA: | cmd(1120):IN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_: | cmd(1200):NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_O: | cmd(1280):UT=0x0 ipsec _updown 2>&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. | free hp@0x55b068591780 | flush revival: connection 'nss-cert' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x55b06858b540 | free_event_entry: release EVENT_NULL-pe@0x55b0685749b0 | libevent_free: release ptr-libevent@0x55b06858b630 | free_event_entry: release EVENT_NULL-pe@0x55b06858b5f0 | libevent_free: release ptr-libevent@0x55b06858b720 | free_event_entry: release EVENT_NULL-pe@0x55b06858b6e0 | libevent_free: release ptr-libevent@0x55b06858b810 | free_event_entry: release EVENT_NULL-pe@0x55b06858b7d0 | libevent_free: release ptr-libevent@0x55b06858b900 | free_event_entry: release EVENT_NULL-pe@0x55b06858b8c0 | libevent_free: release ptr-libevent@0x55b06858b9f0 | free_event_entry: release EVENT_NULL-pe@0x55b06858b9b0 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x55b06858ad20 | free_event_entry: release EVENT_NULL-pe@0x55b0685738b0 | libevent_free: release ptr-libevent@0x55b0685807a0 | free_event_entry: release EVENT_NULL-pe@0x55b068573af0 | libevent_free: release ptr-libevent@0x55b068580710 | free_event_entry: release EVENT_NULL-pe@0x55b068579640 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x55b06858af00 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x55b06858afe0 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x55b06858b0a0 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x55b06857fa10 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x55b06858b160 | libevent_free: release ptr-libevent@0x55b068528230 | libevent_free: release ptr-libevent@0x55b06856eca0 | libevent_free: release ptr-libevent@0x55b06859a0c0 | libevent_free: release ptr-libevent@0x55b06856ecc0 | libevent_free: release ptr-libevent@0x55b06858adb0 | libevent_free: release ptr-libevent@0x55b06858afa0 | libevent_free: release ptr-libevent@0x55b06856ee60 | libevent_free: release ptr-libevent@0x55b0685795a0 | libevent_free: release ptr-libevent@0x55b068579580 | libevent_free: release ptr-libevent@0x55b06858ba80 | libevent_free: release ptr-libevent@0x55b06858b990 | libevent_free: release ptr-libevent@0x55b06858b8a0 | libevent_free: release ptr-libevent@0x55b06858b7b0 | libevent_free: release ptr-libevent@0x55b06858b6c0 | libevent_free: release ptr-libevent@0x55b06858b5d0 | libevent_free: release ptr-libevent@0x55b06856ed50 | libevent_free: release ptr-libevent@0x55b06858b080 | libevent_free: release ptr-libevent@0x55b06858afc0 | libevent_free: release ptr-libevent@0x55b06858aee0 | libevent_free: release ptr-libevent@0x55b06858b140 | libevent_free: release ptr-libevent@0x55b06858add0 | libevent_free: release ptr-libevent@0x55b06856ece0 | libevent_free: release ptr-libevent@0x55b06856ed10 | libevent_free: release ptr-libevent@0x55b06856ea00 | releasing global libevent data | libevent_free: release ptr-libevent@0x55b06856d240 | libevent_free: release ptr-libevent@0x55b06856d270 | libevent_free: release ptr-libevent@0x55b06856e9d0