FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:8869 core dump dir: /run/pluto secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x557386ef5240 size 40 | libevent_malloc: new ptr-libevent@0x557386ef5270 size 40 | libevent_malloc: new ptr-libevent@0x557386ef69d0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x557386ef6990 size 56 | libevent_malloc: new ptr-libevent@0x557386ef6a00 size 664 | libevent_malloc: new ptr-libevent@0x557386ef6ca0 size 24 | libevent_malloc: new ptr-libevent@0x557386eb0230 size 384 | libevent_malloc: new ptr-libevent@0x557386ef6cc0 size 16 | libevent_malloc: new ptr-libevent@0x557386ef6ce0 size 40 | libevent_malloc: new ptr-libevent@0x557386ef6d10 size 48 | libevent_realloc: new ptr-libevent@0x557386ef6d50 size 256 | libevent_malloc: new ptr-libevent@0x557386ef6e60 size 16 | libevent_free: release ptr-libevent@0x557386ef6990 | libevent initialized | libevent_realloc: new ptr-libevent@0x557386ef6e80 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | starting up helper thread 0 | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) | QUICK_R0: category: established CHILD SA flags: 0: | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | starting up helper thread 2 | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | starting up helper thread 4 | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | status value returned by setting the priority of this thread (crypto helper 2) 22 | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | status value returned by setting the priority of this thread (crypto helper 4) 22 | V2_IPSEC_I: category: established CHILD SA flags: 0: | crypto helper 2 waiting (nothing to do) | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | starting up helper thread 1 | CHILDSA_DEL: category: informational flags: 0: | crypto helper 4 waiting (nothing to do) Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x557386f01640 | libevent_malloc: new ptr-libevent@0x557386f08710 size 128 | libevent_malloc: new ptr-libevent@0x557386f015a0 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x557386efbaf0 | libevent_malloc: new ptr-libevent@0x557386f087a0 size 128 | libevent_malloc: new ptr-libevent@0x557386f01580 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x557386efb8b0 | libevent_malloc: new ptr-libevent@0x557386f12d20 size 128 | libevent_malloc: new ptr-libevent@0x557386f12db0 size 16 | libevent_realloc: new ptr-libevent@0x557386f12dd0 size 256 | libevent_malloc: new ptr-libevent@0x557386f12ee0 size 8 | libevent_realloc: new ptr-libevent@0x557386f07a10 size 144 | libevent_malloc: new ptr-libevent@0x557386f12f00 size 152 | libevent_malloc: new ptr-libevent@0x557386f12fa0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x557386f12fc0 size 8 | libevent_malloc: new ptr-libevent@0x557386f12fe0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x557386f13080 size 8 | libevent_malloc: new ptr-libevent@0x557386f130a0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x557386f13140 size 8 | libevent_realloc: release ptr-libevent@0x557386f07a10 | libevent_realloc: new ptr-libevent@0x557386f13160 size 256 | libevent_malloc: new ptr-libevent@0x557386f07a10 size 152 | signal event handler PLUTO_SIGSYS installed | starting up helper thread 5 | created addconn helper (pid:9031) using fork+execve | forked child 9031 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | status value returned by setting the priority of this thread (crypto helper 5) 22 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 | crypto helper 5 waiting (nothing to do) adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x557386efc9b0 | libevent_malloc: new ptr-libevent@0x557386f13540 size 128 | libevent_malloc: new ptr-libevent@0x557386f135d0 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x557386f135f0 | libevent_malloc: new ptr-libevent@0x557386f13630 size 128 | libevent_malloc: new ptr-libevent@0x557386f136c0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x557386f136e0 | libevent_malloc: new ptr-libevent@0x557386f13720 size 128 | libevent_malloc: new ptr-libevent@0x557386f137b0 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x557386f137d0 | libevent_malloc: new ptr-libevent@0x557386f13810 size 128 | libevent_malloc: new ptr-libevent@0x557386f138a0 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x557386f138c0 | libevent_malloc: new ptr-libevent@0x557386f13900 size 128 | libevent_malloc: new ptr-libevent@0x557386f13990 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x557386f139b0 | libevent_malloc: new ptr-libevent@0x557386f139f0 size 128 | libevent_malloc: new ptr-libevent@0x557386f13a80 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.674 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x557386f13540 | free_event_entry: release EVENT_NULL-pe@0x557386efc9b0 | add_fd_read_event_handler: new ethX-pe@0x557386efc9b0 | libevent_malloc: new ptr-libevent@0x557386f13540 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x557386f13630 | free_event_entry: release EVENT_NULL-pe@0x557386f135f0 | add_fd_read_event_handler: new ethX-pe@0x557386f135f0 | libevent_malloc: new ptr-libevent@0x557386f13630 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x557386f13720 | free_event_entry: release EVENT_NULL-pe@0x557386f136e0 | add_fd_read_event_handler: new ethX-pe@0x557386f136e0 | libevent_malloc: new ptr-libevent@0x557386f13720 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x557386f13810 | free_event_entry: release EVENT_NULL-pe@0x557386f137d0 | add_fd_read_event_handler: new ethX-pe@0x557386f137d0 | libevent_malloc: new ptr-libevent@0x557386f13810 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x557386f13900 | free_event_entry: release EVENT_NULL-pe@0x557386f138c0 | add_fd_read_event_handler: new ethX-pe@0x557386f138c0 | libevent_malloc: new ptr-libevent@0x557386f13900 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x557386f139f0 | free_event_entry: release EVENT_NULL-pe@0x557386f139b0 | add_fd_read_event_handler: new ethX-pe@0x557386f139b0 | libevent_malloc: new ptr-libevent@0x557386f139f0 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.346 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 9031 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0135 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection nss-cert with policy ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-usage-server@testing.libreswan.org,CN=usage-server.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'usage-server' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557386f14790 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557386f18120 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x557386f147c0 | unreference key: 0x557386f14840 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none | new hp@0x557386ef5190 added connection description "nss-cert" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.254/32 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.27 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.316 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | old debugging base+cpu-usage + none | base debugging = base+cpu-usage | old impairing none + suppress-retransmits | base impairing = suppress-retransmits | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0427 milliseconds in whack | spent 0.00284 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 792 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fe 86 78 4a 04 54 5b 1b 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 18 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 00 03 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 00 03 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 00 03 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 00 03 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 00 03 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 00 03 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 00 03 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 00 03 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 00 03 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 00 03 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 03 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 0d 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 | 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | 0d 00 00 14 90 cb 80 91 3e bb 69 6e 08 63 81 b5 | ec 42 7b 1f 00 00 00 14 cd 60 46 43 35 df 21 f8 | 7c fd b2 fc 68 b6 a4 48 | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 792 (0x318) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (nss-cert) | find_next_host_connection returns nss-cert | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | creating state object #1 at 0x557386f1b070 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ICOOKIE-DUMP: fe 86 78 4a 04 54 5b 1b "nss-cert" #1: responding to Main Mode | **emit ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | b8 fe 7b 17 71 b0 58 b5 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 3 (0x3) | [3 is OAKLEY_RSA_SIG] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 00 03 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 144 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 144 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fe 86 78 4a 04 54 5b 1b b8 fe 7b 17 71 b0 58 b5 | 01 10 02 00 00 00 00 00 00 00 00 90 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 00 03 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 14 af ca d7 13 | 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 00 00 00 14 | 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x557386f180a0 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557386f181b0 size 128 "nss-cert" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.635 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00245 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fe 86 78 4a 04 54 5b 1b b8 fe 7b 17 71 b0 58 b5 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 1f 02 ac 16 b9 46 04 e2 3a 7a 66 89 1b a7 49 d9 | 77 9f f8 d5 be 65 f9 af e4 d8 bd 66 72 36 40 4c | 96 7f 21 cb 92 f4 72 3a 21 e8 d6 3f dc ee a4 ea | f3 99 ab 41 02 e7 28 3d c5 cb 84 31 5e bb 79 de | fa da 6c f8 d9 53 1b db 65 01 41 67 e5 c1 5a b4 | 21 37 e0 c8 d9 5f 49 1a f8 cf 4a 48 56 e5 58 a4 | 6b a8 73 52 e6 bb 23 b6 e2 81 60 65 a6 e6 34 af | 4a c8 3b 3b cb 18 57 e2 32 4a 99 a7 08 b8 c1 99 | 77 88 c7 24 cf bc c7 17 db af bc 2c 1c 99 9e 6b | e8 34 9d 35 27 68 46 46 85 1d d8 20 a6 88 63 2f | 17 e7 fa ff 85 79 4e 2c 4f e8 47 87 f0 9e 28 8e | f5 a0 27 6d ee 65 0c dd e3 e5 61 fb cd 60 cc d3 | ae ef 7a 02 39 d1 bd e4 f7 ba 3a 37 9b 37 c9 ce | 16 d6 b7 17 83 21 7b 07 90 37 9d 42 9d fa 7b cd | 13 f3 e0 84 9a 7d 7f 44 b6 ed 27 9b 26 9c 68 25 | 95 6a 5c 42 a6 1c a6 70 53 a9 34 01 84 8a 03 b3 | 14 00 00 24 1a b3 40 f8 89 08 4c 2f 97 77 6b ae | b5 5c ab 15 22 1a 78 1f 88 00 43 b9 9a 4a dd 0b | 63 8e f8 93 14 00 00 24 1b 19 7e c6 87 e6 26 8f | 9c 96 9c a8 c4 e8 db 7b 7a 1b 70 c4 5a 3d 68 3c | f7 9e ea 32 34 63 bb b0 00 00 00 24 0e 7f 20 21 | 15 08 05 59 16 84 d4 a0 0b e8 68 b8 d8 b1 f9 cb | 99 76 76 5f 7f 84 45 26 76 38 e8 9c | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | b8 fe 7b 17 71 b0 58 b5 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x557385fd4c40(32) | natd_hash: icookie= fe 86 78 4a 04 54 5b 1b | natd_hash: rcookie= b8 fe 7b 17 71 b0 58 b5 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 1b 19 7e c6 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b | natd_hash: hash= 7a 1b 70 c4 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | natd_hash: hasher=0x557385fd4c40(32) | natd_hash: icookie= fe 86 78 4a 04 54 5b 1b | natd_hash: rcookie= b8 fe 7b 17 71 b0 58 b5 | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 0e 7f 20 21 15 08 05 59 16 84 d4 a0 0b e8 68 b8 | natd_hash: hash= d8 b1 f9 cb 99 76 76 5f 7f 84 45 26 76 38 e8 9c | expected NAT-D(me): 1b 19 7e c6 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b | expected NAT-D(me): 7a 1b 70 c4 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | expected NAT-D(him): | 0e 7f 20 21 15 08 05 59 16 84 d4 a0 0b e8 68 b8 | d8 b1 f9 cb 99 76 76 5f 7f 84 45 26 76 38 e8 9c | received NAT-D: 1b 19 7e c6 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b | received NAT-D: 7a 1b 70 c4 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | received NAT-D: 0e 7f 20 21 15 08 05 59 16 84 d4 a0 0b e8 68 b8 | received NAT-D: d8 b1 f9 cb 99 76 76 5f 7f 84 45 26 76 38 e8 9c | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x557386f181b0 | free_event_entry: release EVENT_SO_DISCARD-pe@0x557386f180a0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x557386f180a0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557386f181b0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 3 resuming | crypto helper 3 starting work-order 1 for state #1 | crypto helper 3 doing build KE and nonce (inI2_outR2 KE); request ID 1 | #1 spent 0.114 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.27 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 3 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.001052 seconds | (#1) spent 0.989 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 3 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f83fc006900 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 1 | calling continuation function 0x557385efe630 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | b8 fe 7b 17 71 b0 58 b5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 76 54 d4 64 30 42 3e a6 0c 56 49 86 28 9c 5f 6e | keyex value 10 16 ab 39 4f 94 75 d5 73 7f 71 3c 9b d8 db 04 | keyex value ca a9 5d cd 31 c9 c9 25 ec 1c 2e 09 52 c9 66 e7 | keyex value 51 5d 64 e7 c0 48 78 17 be 7b ea 5a 9b 46 a0 d6 | keyex value b6 a4 8f e0 78 c5 49 e4 63 8c f6 c0 79 1e ac 91 | keyex value 98 01 c1 3b a7 79 a6 74 ac c2 1b 78 b4 6a 4b 2d | keyex value 9b 13 a5 d6 d7 80 ec bd fe 1a 42 8a 3d 9b a5 c0 | keyex value 85 aa 80 8e 69 36 f8 4b 67 15 8f 8b 23 ab 46 d8 | keyex value 03 4f 26 33 d4 42 71 b1 31 75 69 f6 af 6e ac 95 | keyex value 4c bd 1b e8 4a d9 d5 99 b4 ff 0f 80 87 a4 31 e8 | keyex value 0f ee 94 90 c5 ca f5 3e 16 d6 3e ac dd 58 35 fa | keyex value f4 a0 0d 0c bf 79 f1 38 cf 3f a1 83 28 48 3f 19 | keyex value ee 19 f8 0d 4b 9b 2c 82 e5 7a b3 05 02 66 c0 f8 | keyex value 82 e8 d0 b5 d6 56 ac ef 78 c8 1e 25 94 b5 de ea | keyex value 00 09 04 e1 20 02 14 a5 05 07 c3 84 5e 65 86 9a | keyex value d0 b8 96 bf b0 e6 06 e8 82 b3 e3 8a 15 76 a0 76 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 79 cd 7a 17 13 4a 07 94 3e c6 36 e5 46 b8 19 84 | Nr 52 f1 79 eb 40 ee df 5a f6 b1 5c 97 43 99 db 9f | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x557385fd4c40(32) | natd_hash: icookie= fe 86 78 4a 04 54 5b 1b | natd_hash: rcookie= b8 fe 7b 17 71 b0 58 b5 | natd_hash: ip= c0 01 02 2d | natd_hash: port= 01 f4 | natd_hash: hash= 0e 7f 20 21 15 08 05 59 16 84 d4 a0 0b e8 68 b8 | natd_hash: hash= d8 b1 f9 cb 99 76 76 5f 7f 84 45 26 76 38 e8 9c | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 0e 7f 20 21 15 08 05 59 16 84 d4 a0 0b e8 68 b8 | NAT-D d8 b1 f9 cb 99 76 76 5f 7f 84 45 26 76 38 e8 9c | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x557385fd4c40(32) | natd_hash: icookie= fe 86 78 4a 04 54 5b 1b | natd_hash: rcookie= b8 fe 7b 17 71 b0 58 b5 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 1b 19 7e c6 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b | natd_hash: hash= 7a 1b 70 c4 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 1b 19 7e c6 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b | NAT-D 7a 1b 70 c4 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org->%fromcert of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-server.testing.libreswan.org, E=user-usage-server@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x557386f181b0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x557386f180a0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x557386f180a0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557386f181b0 size 128 | #1 main_inI2_outR2_continue1_tail:1158 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle; has background offloaded task | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x557386f181b0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x557386f180a0 | sending reply packet to 192.1.2.45:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fe 86 78 4a 04 54 5b 1b b8 fe 7b 17 71 b0 58 b5 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 76 54 d4 64 30 42 3e a6 0c 56 49 86 28 9c 5f 6e | 10 16 ab 39 4f 94 75 d5 73 7f 71 3c 9b d8 db 04 | ca a9 5d cd 31 c9 c9 25 ec 1c 2e 09 52 c9 66 e7 | 51 5d 64 e7 c0 48 78 17 be 7b ea 5a 9b 46 a0 d6 | b6 a4 8f e0 78 c5 49 e4 63 8c f6 c0 79 1e ac 91 | 98 01 c1 3b a7 79 a6 74 ac c2 1b 78 b4 6a 4b 2d | 9b 13 a5 d6 d7 80 ec bd fe 1a 42 8a 3d 9b a5 c0 | 85 aa 80 8e 69 36 f8 4b 67 15 8f 8b 23 ab 46 d8 | 03 4f 26 33 d4 42 71 b1 31 75 69 f6 af 6e ac 95 | 4c bd 1b e8 4a d9 d5 99 b4 ff 0f 80 87 a4 31 e8 | 0f ee 94 90 c5 ca f5 3e 16 d6 3e ac dd 58 35 fa | f4 a0 0d 0c bf 79 f1 38 cf 3f a1 83 28 48 3f 19 | ee 19 f8 0d 4b 9b 2c 82 e5 7a b3 05 02 66 c0 f8 | 82 e8 d0 b5 d6 56 ac ef 78 c8 1e 25 94 b5 de ea | 00 09 04 e1 20 02 14 a5 05 07 c3 84 5e 65 86 9a | d0 b8 96 bf b0 e6 06 e8 82 b3 e3 8a 15 76 a0 76 | 14 00 00 24 79 cd 7a 17 13 4a 07 94 3e c6 36 e5 | 46 b8 19 84 52 f1 79 eb 40 ee df 5a f6 b1 5c 97 | 43 99 db 9f 14 00 00 24 0e 7f 20 21 15 08 05 59 | 16 84 d4 a0 0b e8 68 b8 d8 b1 f9 cb 99 76 76 5f | 7f 84 45 26 76 38 e8 9c 00 00 00 24 1b 19 7e c6 | 87 e6 26 8f 9c 96 9c a8 c4 e8 db 7b 7a 1b 70 c4 | 5a 3d 68 3c f7 9e ea 32 34 63 bb b0 | !event_already_set at reschedule "nss-cert" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds | event_schedule: new EVENT_RETRANSMIT-pe@0x557386f180a0 | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x557386f181b0 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50112.452469 "nss-cert" #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.367 milliseconds in resume sending helper answer | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f83fc006900 | crypto helper 6 resuming | crypto helper 6 starting work-order 2 for state #1 | crypto helper 6 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | crypto helper 6 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001179 seconds | (#1) spent 1.19 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 6 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f83f4004f00 size 128 | crypto helper 6 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in resume_handler() at server.c:797) | crypto helper 6 replies to request ID 2 | calling continuation function 0x557385efe630 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1008) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1021) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.0238 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f83f4004f00 | spent 0.0032 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1884 bytes from 192.1.2.45:500 on eth1 (192.1.2.23:500) | fe 86 78 4a 04 54 5b 1b b8 fe 7b 17 71 b0 58 b5 | 05 10 02 01 00 00 00 00 00 00 07 5c fb 85 3e d2 | d2 ec b1 49 fa c4 6c 33 c6 a0 95 47 60 19 cc 0f | b4 2a 80 77 d5 44 1b 69 65 d5 1a 57 11 4e e0 05 | f4 8a e0 dd f9 3c 19 21 e8 3c 9b bd 08 fb 83 20 | b7 0a e2 f0 d8 dd b3 1b e5 51 a5 66 63 f5 85 2c | c0 65 16 27 07 31 24 08 25 73 ed b6 d4 fc 68 03 | b5 7d 4a 23 a5 93 fc 42 0c 15 37 f6 17 b0 39 b7 | fb ea 8d 6d f1 08 43 18 33 46 26 3b f9 dc 0d 36 | 78 9c 5a ec 17 fc f8 f6 bc 20 8f 93 13 6c 5e 20 | 95 b5 bd ae 0f b6 8b 67 6e 78 82 55 4a 44 20 3e | 06 5d 54 9c 66 ea f3 14 a4 10 ad 60 27 95 9e 94 | ff 8f 35 56 f5 dc b9 41 97 79 8c b6 e0 9e 57 25 | 4f 41 ac 7d 91 41 08 fc f3 0d 9c eb 2f c6 09 7b | f8 0b 92 23 66 37 a5 98 c4 69 af 15 01 3a 66 57 | 5d 6b d3 51 9d 01 1a 9b e7 1f 21 2b 13 2f 04 7c | 16 e3 a9 5f 5f 80 ed 84 b1 51 34 f9 5f 53 1d 5f | 0a c8 6e fa 8a 85 cf e4 52 f0 da a5 c5 b1 5f 80 | 1d 3d c1 38 12 5f c6 c1 bd a2 29 b1 4b 48 14 f0 | 36 e3 e0 18 b6 4f 36 07 bf 9a 84 7d 01 f1 3d 55 | 3a 2a 56 4e 9d 35 7f 11 a8 7d ba b3 fc 6d 06 67 | 7a 81 2d 89 50 0f fa ca 6a 53 68 ce 60 cc 84 5a | f4 d7 6e 68 61 a8 c8 1b f9 79 87 6b f0 96 86 38 | 8a 75 3e 4a 89 b9 fc 01 0a 7e c1 04 6c 0a 5f 4c | a6 73 11 c7 fb e6 b4 b3 c7 30 c6 b6 5a be f7 bf | 6e 66 c6 fc 3a c8 6e 6b 41 21 60 bd 4d a8 6a c9 | 3d a8 02 5d 17 28 0c db d2 38 a1 7f 50 8d b5 8c | 50 32 44 ba d2 bd f7 a1 c9 01 c3 f6 ef 03 8c 0e | 61 5c 85 48 2f ff 87 e9 8a 3f b5 45 97 b0 43 02 | d5 34 e7 25 13 98 46 ae 4b 64 c2 ed f9 4e af 42 | 79 f3 f1 9e a9 58 1e d7 3e e9 d7 79 af fd 31 25 | e7 c3 5b 18 5e 57 af b7 b5 1c 9c 9d 2d 89 bb ff | cd cd a9 da 57 df 61 af 07 99 8f 1a 09 5a 4e 74 | b3 09 63 23 e4 d3 aa 8c 12 57 7b 7d 93 8d a0 12 | 3d 47 3a 71 2b af 24 a0 51 34 ce d2 16 ae da e4 | 5a 7b c9 db 78 8c 0b 96 dd 1f d9 cf 63 d1 9b 96 | 2d e4 73 7c ca 50 bc 57 8b 0a 81 22 85 2b 18 2e | 78 30 f0 5b 45 6a ad 01 e0 3f 7e ad 33 27 46 da | d3 1d 60 0a c6 a2 30 17 95 47 c3 1f 47 25 a5 e9 | e9 f8 f2 c1 17 53 4e 88 08 ca 62 69 83 30 e7 8d | b9 be 1f 57 a3 69 f7 e1 4f 6b 35 c5 14 fc 30 cf | 11 0a 31 bd a7 c3 75 82 ca a9 13 a6 c7 06 ca 1d | 3a 2f 82 8b cd ef 75 a7 cb 1f d3 59 d0 21 df e3 | 0b bb ae 7b 32 f0 f7 1c 68 04 48 93 4f 87 7f 37 | cf 72 02 24 8a b5 f7 c4 1d 0c d3 a2 ff ac fc bd | a9 62 75 0b bd 10 9c e6 03 b7 27 3b 6c a2 a1 63 | d7 7a 94 bd 08 65 42 f5 86 39 cc bc 98 2b 1a 4b | ef db 13 38 35 98 aa b0 e7 9b 28 1a 7b 77 f1 42 | df d6 07 cd 43 6d 68 df 80 95 4b 3a 3e c2 68 54 | a4 cf 82 2f be 83 5d 34 82 a0 d9 2f 03 a3 e1 96 | 04 53 d1 64 d9 25 e2 99 95 14 3e 81 cf 7d 31 fe | 35 81 60 97 cd b5 e0 7d 6b 5b 43 9b b4 56 3c 64 | 58 09 fe 82 2c 9e c5 a8 86 ce b0 36 2b 10 7a 1f | 17 95 2f c2 a0 6a 6f 28 95 e9 94 7a 3c c8 dd a2 | de b5 d2 a9 e0 ad 4e 24 80 4b 6a 8a d9 a6 93 ba | 83 79 4d 45 c7 5f 17 84 27 a0 17 9b 51 87 12 22 | 2c ba 56 25 f8 5b 74 3e 29 e4 ca 0f 65 2f 59 54 | 47 cb b1 eb 9f b4 97 df 5d ee 64 bc 8a 9a ee f7 | 7e e7 ab e0 9f 83 7f ae a5 fc 5c 44 0b b4 2b ad | c8 53 97 43 c2 b4 29 db 1b dd 54 35 fa 7e 47 68 | 50 f5 4e 71 27 b3 11 79 30 82 7c b3 13 8d 79 e3 | 63 fb 31 56 dc b4 a7 90 4c ae a4 f1 9a 29 79 7f | a0 f5 3c d6 63 26 6a 86 f9 2d 5f 0e 2c b5 17 fe | f3 d4 5c f7 8f ba 00 eb fc bb 8a b4 2c 47 8d 1f | e1 21 e2 10 95 c4 d2 bf ee 73 31 78 3e 5c db 45 | e7 b3 2d 96 84 a0 bb 23 04 c0 60 fc 38 9b c2 a8 | 72 fb 1b 76 91 44 d7 56 43 fe f1 01 bd ea 88 a8 | 83 45 ba 4e 38 5c 88 f4 ba 74 e9 f6 50 df 4e 84 | 0d ff ad 7c a4 67 a3 39 81 71 a1 0f 76 31 e8 35 | 4f fa 8f ba 14 3b 14 fe 52 b0 6d 39 9b 83 fe f9 | 1d 2f 5f d2 44 84 16 77 6c 5e 4c 22 e0 a9 1f a2 | d4 3e 14 29 a3 ae 59 da c2 f2 40 72 8e 67 90 84 | 60 d7 10 2d d4 7e e7 e1 11 f6 fc d4 66 f4 77 6d | f1 2a 45 58 0a e8 b8 a9 86 e4 a5 15 d9 80 34 82 | 7d 97 8f ec 3b 4a 40 12 96 ee 88 e4 87 73 e8 30 | 02 bd b3 e0 11 94 e8 ce b0 10 58 a3 cd 4d c8 59 | 16 54 1d e3 2c 99 e2 fb cb 86 32 38 86 cd 86 c5 | 01 0c 1c 99 f0 fa 0c 07 13 f4 36 cc 6a 4c a6 70 | 67 ec ef 8f 13 c7 12 3d 23 2c fa 85 23 8e 01 aa | 15 33 87 d9 94 6b 45 24 22 b8 e0 cb bf 81 44 32 | ae d4 d4 e4 03 8e 45 f3 4f 7b 54 aa 69 2f e1 05 | ad fb ea 12 ba d2 0a 17 24 99 19 39 13 81 b4 6d | d3 39 85 12 d2 97 a1 ed 3c 25 78 ac 6b a3 d6 54 | a6 30 07 8e 85 bd 11 f1 58 59 c2 6b d6 09 89 d5 | 67 ab 3d 3d 27 35 49 03 a5 b0 a7 a2 0e 86 13 ff | b8 99 98 d5 11 10 75 c7 de 34 cb 54 e3 87 21 a8 | e1 c0 65 f3 fa f9 ba c5 a9 78 30 3b 29 a8 3e 9f | ff d4 e3 60 02 9f b1 92 83 5c 12 8b b6 63 f8 31 | f3 f1 23 ad 88 0e 1a bf f1 b2 ea 32 56 43 fd 18 | 01 6c 20 bf b0 9b 56 70 27 61 51 80 4e dc c9 fb | 3c b4 62 37 93 56 48 43 5b d5 86 de 00 76 f7 44 | 64 ef 36 2a 23 ad 47 96 4a f5 02 64 bf 94 60 b2 | ac a1 e6 bf 96 8a d6 0b 7a e4 9b dc 16 41 1d 8a | 93 cd ac 47 3b e6 f3 44 b8 aa b9 51 83 be 12 c2 | 81 d3 47 5b de 65 f6 0e 85 f0 b9 ae fa 4c c2 6d | d6 99 3e 37 f5 75 e5 74 81 09 0d 45 fa 66 e6 6d | 3b d8 33 ae 12 ef 3b e1 9e 5f 65 d5 8e 7e 49 8e | 74 03 02 76 d5 fe 81 a4 a5 a6 7e 61 53 50 9e 02 | 0d ce d6 da c3 45 b8 97 ed 52 5c 80 e1 20 8b 05 | 90 a3 37 56 45 16 38 90 84 d2 3c d4 80 94 ef 2e | 8f 68 b2 dd 21 eb 64 ac a5 a2 ea bc b4 c4 fd 17 | 4f b4 8e 13 71 29 1c ff 2d 1c 5b 28 5b cb e3 4b | a8 6b 3a 94 61 d5 a8 2d 6f d0 92 72 8c f2 7d 8f | 04 ca 28 f7 0d 58 44 25 cb 2b b8 59 06 cb d6 62 | cf 59 56 3f 1d 30 c6 9b 62 64 65 0c 24 40 2e dd | c0 f2 c0 17 cb d3 fa 29 b6 c1 9b 95 0a 08 33 6f | a4 53 63 18 13 72 29 1f 59 9b ae a4 c0 22 d1 a9 | 81 17 a5 91 34 60 af 8a 70 28 9c 82 0f ae f8 e4 | cd 00 39 ef b1 24 f7 03 1b 67 0c 8a 4e f9 a5 38 | 19 45 bd af 5e b7 32 0e a0 4f c6 d5 ba f3 22 44 | e3 c8 3d 4c 83 7a e0 07 0f fe c9 7b bc 0d b3 26 | 57 a4 ce d4 18 d4 9f 8b 33 bb db f2 a0 35 1c a1 | d0 c2 0f 1b 88 d2 77 0e 0d 52 b1 b1 8b 7c 1b d4 | 70 78 ec 39 8c a8 90 3a 3a aa 73 c9 fb 8c 55 66 | d7 f3 eb 07 4a 9d cd 26 e7 49 84 21 d5 92 a3 56 | 82 87 eb 47 ac 1e 50 d2 d6 07 86 03 48 33 85 dc | 70 a3 fe 49 de 49 ea d6 4e 20 9c 64 59 48 cb 3d | 86 31 c3 68 04 4f 8e a6 54 d4 3a 6e | start processing: from 192.1.2.45:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | b8 fe 7b 17 71 b0 58 b5 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1884 (0x75c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.45:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 207 (0xcf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 c4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 2b 30 29 06 03 55 04 03 0c 22 75 73 61 | obj: 67 65 2d 63 6c 69 65 6e 74 2e 74 65 73 74 69 6e | obj: 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 | obj: 36 30 34 06 09 2a 86 48 86 f7 0d 01 09 01 16 27 | obj: 75 73 65 72 2d 75 73 61 67 65 2d 63 6c 69 65 6e | obj: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 1253 (0x4e5) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 5 (0x5) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 3 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early | DER ASN1 DN: 30 81 c4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 2b 30 29 06 03 55 04 03 0c 22 75 73 61 | DER ASN1 DN: 67 65 2d 63 6c 69 65 6e 74 2e 74 65 73 74 69 6e | DER ASN1 DN: 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 31 | DER ASN1 DN: 36 30 34 06 09 2a 86 48 86 f7 0d 01 09 01 16 27 | DER ASN1 DN: 75 73 65 72 2d 75 73 61 67 65 2d 63 6c 69 65 6e | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=usage-client.testing.libreswan.org, E=user-usage-client@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 3.56 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0313 milliseconds in get_root_certs() filtering CAs | #1 spent 3.63 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-usage-client@testing.libreswan.org,CN=usage-client.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.213 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0415 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec "nss-cert" #1: Certificate E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed IPsec verification "nss-cert" #1: ERROR: The certificate was signed using a signature algorithm that is disabled because it is not secure. | #1 spent 0.426 milliseconds in find_and_verify_certs() calling verify_end_cert() "nss-cert" #1: X509: Certificate rejected for this connection "nss-cert" #1: X509: CERT payload bogus or revoked | Peer ID failed to decode | complete v1 state transition with INVALID_ID_INFORMATION | [RE]START processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle "nss-cert" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.45:500 | **emit ISAKMP Message: | initiator cookie: | fe 86 78 4a 04 54 5b 1b | responder cookie: | b8 fe 7b 17 71 b0 58 b5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 164170719 (0x9c90bdf) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'notification msg' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Notification Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 0 (0x0) | Notify Message Type: INVALID_ID_INFORMATION (0x12) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Notification Payload (11:ISAKMP_NEXT_N) | next payload chain: saving location 'ISAKMP Notification Payload'.'next payload type' in 'notification msg' | emitting length of ISAKMP Notification Payload: 12 | send notification HASH(1): | 33 e7 b7 53 fe 16 82 b2 11 13 2b dd 99 8c ed 9a | 14 51 ef e0 45 8a 20 b5 41 e1 55 e0 52 61 c8 b5 | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | sending 76 bytes for notification packet through eth1 from 192.1.2.23:500 to 192.1.2.45:500 (using #1) | fe 86 78 4a 04 54 5b 1b b8 fe 7b 17 71 b0 58 b5 | 08 10 05 01 09 c9 0b df 00 00 00 4c 51 56 63 92 | a9 94 46 bd 43 78 84 bd 0f c2 01 48 2e dc e6 3a | be 15 23 ad 3c d3 f4 47 e1 0e 92 6e 2a 37 2f 02 | 8e fb 72 a4 25 60 e2 f1 e0 b2 cc 8d | state transition function for STATE_MAIN_R2 failed: INVALID_ID_INFORMATION | #1 spent 4.66 milliseconds in process_packet_tail() | stop processing: from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 5.01 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00401 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1572) | not behind NAT: no NAT-T KEEP-ALIVE required for conn nss-cert | stop processing: state #1 connection "nss-cert" from 192.1.2.45:500 (in for_each_state() at state.c:1574) | spent 0.0173 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00341 milliseconds in global timer EVENT_SHUNT_SCAN [New LWP 7527] [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Core was generated by `/usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf'. Program terminated with signal SIGABRT, Aborted. #0 0x00007fac281dbe75 in raise () from /lib64/libc.so.6 #0 0x00007fac281dbe75 in raise () from /lib64/libc.so.6 Backtrace stopped: Cannot access memory at address 0x7ffe449a9058