FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:9098 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x562d7a88e260 size 40 | libevent_malloc: new ptr-libevent@0x562d7a88e290 size 40 | libevent_malloc: new ptr-libevent@0x562d7a88f9f0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x562d7a88f9b0 size 56 | libevent_malloc: new ptr-libevent@0x562d7a88fa20 size 664 | libevent_malloc: new ptr-libevent@0x562d7a88fcc0 size 24 | libevent_malloc: new ptr-libevent@0x562d7a849250 size 384 | libevent_malloc: new ptr-libevent@0x562d7a88fce0 size 16 | libevent_malloc: new ptr-libevent@0x562d7a88fd00 size 40 | libevent_malloc: new ptr-libevent@0x562d7a88fd30 size 48 | libevent_realloc: new ptr-libevent@0x562d7a88fd70 size 256 | libevent_malloc: new ptr-libevent@0x562d7a88fe80 size 16 | libevent_free: release ptr-libevent@0x562d7a88f9b0 | libevent initialized | libevent_realloc: new ptr-libevent@0x562d7a88fea0 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 | starting up helper thread 2 started thread for crypto helper 3 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 4 started thread for crypto helper 5 | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | checking IKEv1 state table | starting up helper thread 6 | MAIN_R0: category: half-open IKE SA flags: 0: | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x562d7a89a660 | libevent_malloc: new ptr-libevent@0x562d7a8a1730 size 128 | libevent_malloc: new ptr-libevent@0x562d7a89a5c0 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x562d7a894b10 | libevent_malloc: new ptr-libevent@0x562d7a8a17c0 size 128 | libevent_malloc: new ptr-libevent@0x562d7a89a5a0 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x562d7a8948d0 | libevent_malloc: new ptr-libevent@0x562d7a8abd40 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8abdd0 size 16 | libevent_realloc: new ptr-libevent@0x562d7a8abdf0 size 256 | libevent_malloc: new ptr-libevent@0x562d7a8abf00 size 8 | libevent_realloc: new ptr-libevent@0x562d7a8a0a30 size 144 | libevent_malloc: new ptr-libevent@0x562d7a8abf20 size 152 | libevent_malloc: new ptr-libevent@0x562d7a8abfc0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x562d7a8abfe0 size 8 | libevent_malloc: new ptr-libevent@0x562d7a8ac000 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x562d7a8ac0a0 size 8 | libevent_malloc: new ptr-libevent@0x562d7a8ac0c0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x562d7a8ac160 size 8 | libevent_realloc: release ptr-libevent@0x562d7a8a0a30 | starting up helper thread 3 | starting up helper thread 0 | starting up helper thread 4 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | libevent_realloc: new ptr-libevent@0x562d7a8ac180 size 256 | status value returned by setting the priority of this thread (crypto helper 0) 22 | libevent_malloc: new ptr-libevent@0x562d7a8a0a30 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:9190) using fork+execve | forked child 9190 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | status value returned by setting the priority of this thread (crypto helper 4) 22 | crypto helper 1 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 0 waiting (nothing to do) | crypto helper 4 waiting (nothing to do) | crypto helper 3 waiting (nothing to do) | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x562d7a8959d0 | libevent_malloc: new ptr-libevent@0x562d7a8ac560 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8ac5f0 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac610 | libevent_malloc: new ptr-libevent@0x562d7a8ac650 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8ac6e0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac700 | libevent_malloc: new ptr-libevent@0x562d7a8ac740 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8ac7d0 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac7f0 | libevent_malloc: new ptr-libevent@0x562d7a8ac830 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8ac8c0 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac8e0 | libevent_malloc: new ptr-libevent@0x562d7a8ac920 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8ac9b0 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac9d0 | libevent_malloc: new ptr-libevent@0x562d7a8aca10 size 128 | libevent_malloc: new ptr-libevent@0x562d7a8acaa0 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.05 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x562d7a8ac560 | free_event_entry: release EVENT_NULL-pe@0x562d7a8959d0 | add_fd_read_event_handler: new ethX-pe@0x562d7a8959d0 | libevent_malloc: new ptr-libevent@0x562d7a8ac560 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x562d7a8ac650 | free_event_entry: release EVENT_NULL-pe@0x562d7a8ac610 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac610 | libevent_malloc: new ptr-libevent@0x562d7a8ac650 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x562d7a8ac740 | free_event_entry: release EVENT_NULL-pe@0x562d7a8ac700 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac700 | libevent_malloc: new ptr-libevent@0x562d7a8ac740 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x562d7a8ac830 | free_event_entry: release EVENT_NULL-pe@0x562d7a8ac7f0 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac7f0 | libevent_malloc: new ptr-libevent@0x562d7a8ac830 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x562d7a8ac920 | free_event_entry: release EVENT_NULL-pe@0x562d7a8ac8e0 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac8e0 | libevent_malloc: new ptr-libevent@0x562d7a8ac920 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x562d7a8aca10 | free_event_entry: release EVENT_NULL-pe@0x562d7a8ac9d0 | add_fd_read_event_handler: new ethX-pe@0x562d7a8ac9d0 | libevent_malloc: new ptr-libevent@0x562d7a8aca10 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.424 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 9190 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0148 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-usage-server@testing.libreswan.org,CN=usage-server.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'usage-server' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562d7a8ad7b0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562d7a8b1140 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x562d7a8ad7e0 | unreference key: 0x562d7a8ad860 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x562d7a88e1b0 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.33 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.337 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0387 milliseconds in whack | spent 0.00283 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fc d4 1a f8 b6 be a8 11 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x562d7a8b4090 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ICOOKIE-DUMP: fc d4 1a f8 b6 be a8 11 "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 7e 82 d5 7a 3a 26 e5 6c | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fc d4 1a f8 b6 be a8 11 7e 82 d5 7a 3a 26 e5 6c | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x562d7a8b10c0 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562d7a8b11d0 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.633 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00302 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fc d4 1a f8 b6 be a8 11 7e 82 d5 7a 3a 26 e5 6c | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 9c 11 53 0f 26 3b 8c ec 6d f4 8a d9 f1 fa 52 72 | da 52 e9 96 84 f4 9c 18 dc ae ee 33 3b 4a bf d2 | 2c b2 8a 8c 3c d0 68 7d 6f ed a5 12 5c 73 47 33 | 26 3e f9 6d 07 68 12 2f 11 11 36 37 db 7a 8d 8c | 36 90 af c1 60 15 0b f9 4f 1e 4a 81 a7 a9 a5 9b | 1c 7a b4 67 e8 8b 69 03 f5 bd 76 f4 79 d2 bd 71 | 51 55 f4 07 06 d4 00 dd de c2 c9 ff 20 aa 33 e4 | 14 b0 ce 47 74 01 ce 8c 59 7e df 86 b9 c8 da 1c | 74 9a df 82 22 42 5a f1 12 25 4c d0 bf c3 88 19 | 02 ce 8d 59 ec 66 3d ae 20 e3 52 ab 24 db d9 8f | a4 81 cb 7e 8c 8e 94 60 ae 51 88 c0 c0 1c 6a f7 | 45 c1 3b ee 53 a7 b8 2e a2 ad 42 ff f3 9c e4 b3 | c3 7e ea 09 f5 29 18 82 4b 22 62 62 1e 97 35 83 | 1b 34 d9 2a 7c 48 20 68 1d 30 bd 37 ca 3b de 99 | 8e 3f 66 29 ed b8 56 e0 3d 86 e1 82 31 0a 8c 4b | fe 38 6d 23 b7 c4 30 53 75 a0 5a de 80 80 b3 99 | 14 00 00 24 be 45 6d 3b 27 1e b8 3e dc ab 3f 78 | df 88 f7 90 e3 0b bf 3a ca 15 ff 49 19 15 bd ef | 2d b2 e8 1b 14 00 00 24 de ec 62 9a c9 63 14 e3 | ab b4 dd 85 15 d1 8f 84 57 b6 05 b9 d7 bc 3d b1 | 6c 72 af aa 5e 1b 43 59 00 00 00 24 46 18 d7 63 | f7 88 16 bc ed 31 7f 9f bc 21 bc b2 fd ec 16 dd | 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 7e 82 d5 7a 3a 26 e5 6c | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x562d795afc40(32) | natd_hash: icookie= fc d4 1a f8 b6 be a8 11 | natd_hash: rcookie= 7e 82 d5 7a 3a 26 e5 6c | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= de ec 62 9a c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 | natd_hash: hash= 57 b6 05 b9 d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | natd_hash: hasher=0x562d795afc40(32) | natd_hash: icookie= fc d4 1a f8 b6 be a8 11 | natd_hash: rcookie= 7e 82 d5 7a 3a 26 e5 6c | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 46 18 d7 63 f7 88 16 bc ed 31 7f 9f bc 21 bc b2 | natd_hash: hash= fd ec 16 dd 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | expected NAT-D(me): de ec 62 9a c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 | expected NAT-D(me): 57 b6 05 b9 d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | expected NAT-D(him): | 46 18 d7 63 f7 88 16 bc ed 31 7f 9f bc 21 bc b2 | fd ec 16 dd 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | received NAT-D: de ec 62 9a c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 | received NAT-D: 57 b6 05 b9 d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | received NAT-D: 46 18 d7 63 f7 88 16 bc ed 31 7f 9f bc 21 bc b2 | received NAT-D: fd ec 16 dd 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x562d7a8b11d0 | free_event_entry: release EVENT_SO_DISCARD-pe@0x562d7a8b10c0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562d7a8b10c0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562d7a8b11d0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.123 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.276 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 resuming | crypto helper 2 starting work-order 1 for state #1 | crypto helper 2 doing build KE and nonce (inI2_outR2 KE); request ID 1 | crypto helper 2 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.001017 seconds | (#1) spent 1.02 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 2 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3f5c006900 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 1 | calling continuation function 0x562d794d9630 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 7e 82 d5 7a 3a 26 e5 6c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 70 6b 35 5a 7d bc e4 02 01 a7 47 86 97 0e 38 86 | keyex value 46 71 db aa ea 54 fa 0f 9d b5 43 f5 84 ba 98 a5 | keyex value 23 74 0e 13 67 d7 77 b6 95 18 6a d1 33 46 1a 1a | keyex value 4d 11 73 35 f6 b2 04 8e 09 ce ac d2 87 55 2a 7e | keyex value 80 59 a5 d1 c8 10 42 ea 98 7f dc c7 c2 3c 48 6e | keyex value 6a 59 91 cd 22 d3 1d f7 67 78 53 b8 9e 54 ac cd | keyex value 9f 29 43 be ba a4 4c 3a fc a8 42 e5 7f 1c 76 c4 | keyex value ac ab 4c 8f 18 c7 69 3e 39 5f b7 05 2c 62 f1 b5 | keyex value 3b 2d 28 83 ef ac 07 71 36 75 03 fb da f5 5b e8 | keyex value 41 a6 a6 4c e2 c0 10 96 a5 22 c3 11 7d 24 87 41 | keyex value 5f 1e d6 d1 07 41 d6 c4 49 a6 92 58 83 75 83 78 | keyex value d3 ce b8 56 76 8b 93 8b 36 29 bf d8 0f 2d 79 40 | keyex value 76 75 e1 bb a5 d8 08 ce 79 0c f1 e4 6e 50 1c 73 | keyex value 24 22 71 ed 32 58 37 02 9b be e9 42 0b 47 5d 74 | keyex value c0 79 f3 27 ec 31 41 41 cd 08 a5 be 1a e8 3e 27 | keyex value 51 7e d2 5c 49 36 9f d7 38 de b8 b4 44 ec d4 bb | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 64 49 9d 91 7e fb 80 aa f0 2c 8d c2 53 70 cb 18 | Nr 4d fd f9 8a 60 f4 6c 28 96 9b f7 8f 9b b3 4b cd | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x562d795afc40(32) | natd_hash: icookie= fc d4 1a f8 b6 be a8 11 | natd_hash: rcookie= 7e 82 d5 7a 3a 26 e5 6c | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 46 18 d7 63 f7 88 16 bc ed 31 7f 9f bc 21 bc b2 | natd_hash: hash= fd ec 16 dd 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 46 18 d7 63 f7 88 16 bc ed 31 7f 9f bc 21 bc b2 | NAT-D fd ec 16 dd 9e 46 8e 91 1a 86 b2 e4 e8 05 29 56 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x562d795afc40(32) | natd_hash: icookie= fc d4 1a f8 b6 be a8 11 | natd_hash: rcookie= 7e 82 d5 7a 3a 26 e5 6c | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= de ec 62 9a c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 | natd_hash: hash= 57 b6 05 b9 d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D de ec 62 9a c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 | NAT-D 57 b6 05 b9 d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562d7a8b11d0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562d7a8b10c0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x562d7a8b10c0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562d7a8b11d0 size 128 | #1 main_inI2_outR2_continue1_tail:1158 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x562d7a8b11d0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x562d7a8b10c0 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fc d4 1a f8 b6 be a8 11 7e 82 d5 7a 3a 26 e5 6c | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 70 6b 35 5a 7d bc e4 02 01 a7 47 86 97 0e 38 86 | 46 71 db aa ea 54 fa 0f 9d b5 43 f5 84 ba 98 a5 | 23 74 0e 13 67 d7 77 b6 95 18 6a d1 33 46 1a 1a | 4d 11 73 35 f6 b2 04 8e 09 ce ac d2 87 55 2a 7e | 80 59 a5 d1 c8 10 42 ea 98 7f dc c7 c2 3c 48 6e | 6a 59 91 cd 22 d3 1d f7 67 78 53 b8 9e 54 ac cd | 9f 29 43 be ba a4 4c 3a fc a8 42 e5 7f 1c 76 c4 | ac ab 4c 8f 18 c7 69 3e 39 5f b7 05 2c 62 f1 b5 | 3b 2d 28 83 ef ac 07 71 36 75 03 fb da f5 5b e8 | 41 a6 a6 4c e2 c0 10 96 a5 22 c3 11 7d 24 87 41 | 5f 1e d6 d1 07 41 d6 c4 49 a6 92 58 83 75 83 78 | d3 ce b8 56 76 8b 93 8b 36 29 bf d8 0f 2d 79 40 | 76 75 e1 bb a5 d8 08 ce 79 0c f1 e4 6e 50 1c 73 | 24 22 71 ed 32 58 37 02 9b be e9 42 0b 47 5d 74 | c0 79 f3 27 ec 31 41 41 cd 08 a5 be 1a e8 3e 27 | 51 7e d2 5c 49 36 9f d7 38 de b8 b4 44 ec d4 bb | 14 00 00 24 64 49 9d 91 7e fb 80 aa f0 2c 8d c2 | 53 70 cb 18 4d fd f9 8a 60 f4 6c 28 96 9b f7 8f | 9b b3 4b cd 14 00 00 24 46 18 d7 63 f7 88 16 bc | ed 31 7f 9f bc 21 bc b2 fd ec 16 dd 9e 46 8e 91 | 1a 86 b2 e4 e8 05 29 56 00 00 00 24 de ec 62 9a | c9 63 14 e3 ab b4 dd 85 15 d1 8f 84 57 b6 05 b9 | d7 bc 3d b1 6c 72 af aa 5e 1b 43 59 | crypto helper 5 resuming | crypto helper 5 starting work-order 2 for state #1 | crypto helper 5 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 5 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001183 seconds | (#1) spent 1.19 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 5 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f3f54004f00 size 128 | crypto helper 5 waiting (nothing to do) | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x562d7a8b10c0 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x562d7a8b11d0 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50112.684416 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.392 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3f5c006900 | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 2 | calling continuation function 0x562d794d9630 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1008) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1021) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0234 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f3f54004f00 | spent 0.00316 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fc d4 1a f8 b6 be a8 11 7e 82 d5 7a 3a 26 e5 6c | 05 10 02 01 00 00 00 00 00 00 07 5c f8 e8 60 c6 | c9 b7 83 c4 6c de 7f 71 bc f3 27 f2 c0 2a 19 03 | ab 8e 26 5d c6 55 84 69 b3 2c 46 4f 23 dd 30 70 | 32 20 a9 ef 12 4d fa e9 12 3e 1e e5 71 a2 e5 79 | ba f1 a3 50 3d 37 3b 70 11 8c bc de 52 03 37 15 | f9 ae 38 24 a8 87 e4 37 09 16 87 34 65 32 fb a0 | 46 28 54 02 65 cd 9f 98 10 de 18 e9 18 5e 1f f4 | c8 70 e6 cd 97 35 1f b5 3a c2 7d 67 c8 01 f7 d3 | 1a e9 ba 62 4c 63 52 eb 5d fe f6 68 cb ed 92 84 | dc 54 4a d7 7f 4a cb ad 70 30 ee 26 73 1c bd 82 | ca 39 a7 e9 03 30 62 84 16 f9 d0 9c 32 d7 45 73 | 4a 35 84 81 be f6 1a 6a 0e 44 7a 25 fa 21 ef 59 | cb 7e 0c 04 e5 72 c0 7b e4 cf 0e 5f 42 c1 fd 0c | 5a 4e 10 42 6f 42 99 41 37 51 66 fe 53 21 9c 57 | d3 60 0c 38 f1 f9 b0 c5 fb 47 4f 38 82 2a 51 5f | 6d 0b 6a 8e d0 77 db a3 bd 05 47 1c 61 41 3b 7d | 88 5a 23 9b e5 ca a4 ae 64 3e e5 e0 d0 b5 78 d1 | fd c5 78 c9 36 08 d0 4e 33 1b 1a 31 16 4c 93 48 | 72 1d c4 95 b4 96 3e b2 4f da b1 b8 37 3e cd 23 | 71 21 21 50 b2 29 8d 93 fe ec 74 58 77 2e 6e 91 | 9b ee d7 d9 eb 0a 82 1a 82 62 0c 31 cc fd 2d 9d | e5 51 3f 84 01 3d c4 34 ff 55 6a 8e ea 1d 9d 69 | 51 5f 96 5a 9b 79 87 04 9b 14 a5 4b 1d a1 17 41 | 54 a9 df ad 5b 9b a6 b7 b3 c2 27 fb ce 9d 94 21 | ee c4 1d a0 02 e8 e0 b2 03 df 43 12 09 70 c9 69 | bb 3b db 63 22 13 cb f6 79 25 6a 2a 4d e1 9d 69 | 96 5e 62 dc 0a 79 c1 87 82 ef 59 fd dd e4 e9 2f | b2 b9 e0 36 0a 4d 74 b9 ae 55 a3 6e 42 c8 42 c0 | dd 46 9a be e6 2f 1b a1 40 ee 2a 8f 4d 62 af 95 | 17 c7 75 3b 01 fe ee ef 82 35 e9 08 14 ac 86 7c | 4f 12 88 0b a2 a3 34 f5 00 30 50 48 1e a3 79 fa | 1c 4b b6 69 c7 48 5e fe 8f 7f 84 bf de 10 d4 7f | f1 80 f6 7c d6 20 9e d1 55 3a 92 f8 24 66 4e 19 | 16 ac 51 dd ea e4 53 8b 36 b7 15 5f cf 4e 22 21 | 5c 7b 30 96 2a 99 df 9e 91 25 fd 47 2c 8c c5 f5 | f9 7b d9 78 37 90 31 d2 1a 95 2c cb 0c e5 79 29 | c3 c6 06 74 28 9a 25 02 28 ef 7a 3d c8 45 84 4b | af a0 01 73 ac 39 e0 6a ba 7f 2a 43 96 08 94 ec | f0 7b 9f c6 28 e2 a9 cf 19 e7 a2 22 87 e9 28 d5 | 74 73 47 f6 2c 43 05 03 3c 38 62 35 14 69 b8 b9 | 0c 1a d2 2f df 1f ed d4 fb 36 80 0d 07 ff 20 62 | bb 4e b9 85 3e 9d 6a 70 2e 9f 17 6a 55 b8 1d 2b | 82 b9 cb 06 3b bd 44 f4 c3 8a 59 1e 7a ce ab ff | 12 a2 50 fc aa 28 74 ba b1 9c de ae d0 f0 f6 f6 | 2c ab 68 ee 66 27 be 7a 4e dd e3 53 8c ba af 35 | 0a 8f 89 8d 92 3f 8f a9 b3 3a c5 18 f7 2d 2e b2 | 9f 7e fe 25 e5 fe 05 d6 f7 7e a1 39 2f cd 71 5e | 61 6e 24 51 bd 4d b5 4c 58 91 67 ff 3f 33 36 11 | d4 08 63 a7 1f 5d c6 6f da cf a2 a1 16 bf e2 16 | 43 ff 84 2e d1 52 f4 88 be ba 22 55 d5 a3 47 7a | 34 2c 53 77 a2 24 2b bf f8 b8 de 00 d7 de 86 e9 | 99 89 c0 9c 8f 4c 6e 98 77 3a 4d 89 7c 67 bb c3 | 96 b9 90 1c ac e4 8c e8 5c da 48 c0 ac 94 1a d3 | 01 00 8c 54 a8 a0 89 4e d5 b2 fc 53 01 68 35 a0 | 66 6f 53 06 73 1f 5f 1d 0d 03 18 3b 29 9d 60 51 | 6a 81 0e 44 3b 8b aa 2e c8 59 01 00 2d a9 07 a2 | 0c 80 ab d2 10 e7 5a 24 ac 24 81 49 3b 61 c1 c9 | cf 46 d4 f6 44 75 5a f2 92 43 5c c0 3f 19 ff d8 | 21 94 aa 4d e7 78 4d 35 da bb 05 8b 44 4e 5e e8 | 63 e8 fa a9 13 9f 22 cf 73 91 2b 13 6d e2 c1 cb | f5 57 59 a5 41 2e be 3d 12 1e c2 78 38 62 52 03 | d4 ff b4 51 ec 82 80 35 ed 6e 14 7e 25 c8 b1 cf | 46 5b 90 35 83 2e 33 c1 ec b8 78 6e 91 9f 10 05 | 2c b7 ea e7 d8 98 b2 81 2d 40 64 55 af 87 2f 58 | d6 fd f0 23 37 0f b5 3f 17 80 c0 94 f3 2d 52 0e | da 2f 92 56 2e d2 36 ed 8f 8f 55 09 c7 f2 a6 9b | 88 49 13 f2 75 a6 58 62 c4 81 0f ce 1c c4 af 29 | 53 8e 8c a0 11 bd 48 d1 69 2f be 0a eb 32 2c 83 | 1f 85 c6 60 63 ec 09 76 1d 8a 5e 2d 51 14 74 cf | fb 35 f8 86 df 6e e2 ee 17 94 51 14 41 31 80 1b | d1 9e fb 0b e3 8f ab 51 b1 d0 dd e2 da 33 2e 2e | 2e 3c d1 8b b6 ed e1 08 c1 46 e5 06 75 a8 0b b3 | 93 cf 85 1f c3 ee 54 2e 05 55 16 30 7f 6b 9d 8c | 8e d4 1a 7b 2e b9 6a 70 7f 93 08 19 72 46 cd 10 | 14 c6 f7 64 86 95 93 0e 31 91 e3 ed 12 a9 bc 94 | b1 00 fa c4 f3 21 8f 75 0d 87 e3 d2 1b f1 1e 3c | 5a af 91 a5 dd 95 95 05 1c 06 8e 54 33 53 73 72 | 41 fa e5 f1 83 63 19 34 c8 86 6e 1d b0 68 30 2b | cd 81 87 f0 d6 51 48 7c 39 f8 77 d7 f5 07 5c 16 | dc f6 83 fd 5c cf 2b 62 66 78 24 71 56 f2 be eb | 55 09 2f 35 1a a9 ef 63 04 b6 f2 8a ce 0f 6c ed | bd e1 f9 9d d5 42 ea cc 0f 66 fd 83 af 85 21 ea | c2 7a 53 fb b0 50 f9 f0 68 35 e5 ee 65 5b df 55 | 4d 5f 52 bc f2 b6 68 72 0e 1f 8e 6a 37 70 19 98 | 75 cc 39 47 64 46 eb 5a 0f c5 7a 49 04 21 ba 7d | 1e 4d a3 48 a2 d9 32 cf 34 99 ac cd 9d 8e 86 dc | 53 07 10 cb 35 6b a3 3d 5d 73 39 5c f8 7e 7d a6 | 22 da 96 be 69 57 99 84 e7 19 92 fb b3 f6 e0 df | dd 6d 31 99 94 1f 00 6c 39 75 c6 29 24 d3 f5 60 | d0 88 78 68 71 e3 c9 b6 37 2e a7 19 e7 e7 6b e2 | 65 90 12 44 d5 19 54 9f 01 2c 4f 56 39 45 84 b8 | 78 43 6d 61 3c 44 ff 9e 80 52 25 a1 aa e3 d5 92 | 25 3c e4 5d 32 65 64 1f 56 ad 25 51 7c 79 31 ef | bd 4d 16 72 c2 68 10 33 f5 8e 1e 97 a0 44 00 16 | c0 fb 32 f7 31 60 55 95 93 10 f2 15 4f b6 c1 1a | ed 6a 7a db 4c ad 92 d8 80 4d 3e 3d 7c 49 b3 b8 | cc c4 28 c6 42 27 24 ed cd ed 33 51 7c 02 62 72 | ae cb 92 18 78 88 0c 16 ec c8 b3 22 f8 2a de 12 | 13 29 d8 aa 60 61 b0 3f b4 66 60 d8 6f 8e 8c 00 | ac 3b ac 78 c2 14 41 dd a5 31 4e be 66 91 22 ef | a9 42 a0 8b b4 2e 4b 06 00 50 dc 4c 92 d2 99 68 | ef d3 4c 00 81 2d a0 fa 2f 68 0d c8 1a ab 66 ad | dd ce 21 f9 c0 dd c3 61 3e c0 e1 3e 58 6a 9c b9 | fb 62 17 13 be 99 ad 56 45 2a 57 85 b2 4c 7b 11 | fc bb e9 c6 3f e0 9d d8 0b dc 42 8a be 37 6f ae | 9d b1 87 05 e1 fe 3b 0e c0 ea 0e 58 1c ac 08 18 | b5 7f 6a 2c 12 92 0e 76 71 7e 1e 6a 48 b6 c6 f5 | 12 05 36 73 b3 55 a3 84 0a c7 09 ec 38 a1 99 f8 | 3f db 25 c1 ec 61 55 d4 27 6d 15 5e 69 4c ba 68 | 03 7c 58 d2 6a 8a 29 e3 d9 91 1e 5a f7 6a a9 62 | ad 10 15 eb 68 34 5f 64 20 1e 2a 96 3a 51 b1 ef | dd 25 60 ae de 6f bc af d9 9c 38 95 fb 68 57 5a | 53 13 5e 0f d0 cf d6 a9 93 d7 ee cc 00 ff a4 15 | d3 ad fa 9c 01 e0 c3 c1 bf 24 32 6b ca d6 ba 96 | 4e e8 69 fa f8 5a 54 cb 44 ad 75 d0 ba e8 75 b7 | ea 73 02 6e 45 74 66 1c 6a 04 72 af 0f 53 13 56 | 50 a6 7f 09 ca 77 19 e6 79 2b 1e ad | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 7e 82 d5 7a 3a 26 e5 6c | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 203 (0xcb) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 73 61 | obj: 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e 67 2e | obj: 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 34 30 | obj: 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 75 73 | obj: 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 74 65 | obj: 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | obj: 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1247 (0x4df) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 13 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 c0 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 29 30 27 06 03 55 04 03 0c 20 75 73 61 | DER ASN1 DN: 67 65 2d 62 6f 74 68 2e 74 65 73 74 69 6e 67 2e | DER ASN1 DN: 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 34 30 | DER ASN1 DN: 32 06 09 2a 86 48 86 f7 0d 01 09 01 16 25 75 73 | DER ASN1 DN: 65 72 2d 75 73 61 67 65 2d 62 6f 74 68 40 74 65 | DER ASN1 DN: 73 74 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e | DER ASN1 DN: 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-both.testing.libreswan.org, E=user-usage-both@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 3.8 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0307 milliseconds in get_root_certs() filtering CAs | #1 spent 3.86 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-usage-both@testing.libreswan.org,CN=usage-both.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.212 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0402 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "nss-cert" #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "nss-cert" #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.432 milliseconds in find_and_verify_certs() calling verify_end_cert() "nss-cert" #1: X509: Certificate rejected for this connection "nss-cert" #1: X509: CERT payload bogus or revoked | Peer ID failed to decode | complete v1 state transition with INVALID_ID_INFORMATION | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle "nss-cert" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.45:500 | **emit ISAKMP Message: | initiator cookie: | fc d4 1a f8 b6 be a8 11 | responder cookie: | 7e 82 d5 7a 3a 26 e5 6c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 910606767 (0x3646c1af) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'notification msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Notification Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 0 (0x0) | Notify Message Type: INVALID_ID_INFORMATION (0x12) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Notification Payload (11:ISAKMP_NEXT_N) | next payload chain: saving location 'ISAKMP Notification Payload'.'next payload type' in 'notification msg' | emitting length of ISAKMP Notification Payload: 12 | send notification HASH(1): | 43 f5 93 6e 8e 92 07 d4 84 eb 1c 42 b2 b0 ef d3 | 7e 5e 01 b9 2f 1d 54 50 df 3a c2 2b d8 1a 60 79 | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | sending 76 bytes for notification packet through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fc d4 1a f8 b6 be a8 11 7e 82 d5 7a 3a 26 e5 6c | 08 10 05 01 36 46 c1 af 00 00 00 4c ed 3c d7 a3 | 4e 94 af d0 57 39 8d a0 18 da 26 03 b2 a3 0d f7 | 58 c5 8d 24 b6 ce a9 bc cf 78 79 c5 ac 66 9a e7 | f8 23 52 d2 85 9e 37 8f bb 48 4b bc | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION | #1 spent 4.89 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 5.29 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00443 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1572) | not behind NAT: no NAT-T KEEP-ALIVE required for conn nss-cert | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1574) | spent 0.0186 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00415 milliseconds in global timer EVENT_SHUNT_SCAN [New LWP 7527] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf'. Program terminated with signal SIGABRT, Aborted. #0 0x00007fac281dbe75 in raise () from /lib64/libc.so.6 #0 0x00007fac281dbe75 in raise () from /lib64/libc.so.6 Backtrace stopped: Cannot access memory at address 0x7ffe449a9058