FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:27579 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x5575fc769160 size 40 | libevent_malloc: new ptr-libevent@0x5575fc769190 size 40 | libevent_malloc: new ptr-libevent@0x5575fc76a480 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x5575fc76a440 size 56 | libevent_malloc: new ptr-libevent@0x5575fc76a4b0 size 664 | libevent_malloc: new ptr-libevent@0x5575fc76a750 size 24 | libevent_malloc: new ptr-libevent@0x5575fc75bf50 size 384 | libevent_malloc: new ptr-libevent@0x5575fc76a770 size 16 | libevent_malloc: new ptr-libevent@0x5575fc76a790 size 40 | libevent_malloc: new ptr-libevent@0x5575fc76a7c0 size 48 | libevent_realloc: new ptr-libevent@0x5575fc6ec370 size 256 | libevent_malloc: new ptr-libevent@0x5575fc76a800 size 16 | libevent_free: release ptr-libevent@0x5575fc76a440 | libevent initialized | libevent_realloc: new ptr-libevent@0x5575fc76a820 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 started thread for crypto helper 1 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 5 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 5 | starting up helper thread 4 | checking IKEv1 state table | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 5) 22 | status value returned by setting the priority of this thread (crypto helper 4) 22 | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | status value returned by setting the priority of this thread (crypto helper 6) 22 | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | crypto helper 5 waiting (nothing to do) | crypto helper 4 waiting (nothing to do) | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | crypto helper 6 waiting (nothing to do) | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5575fc76fe30 | libevent_malloc: new ptr-libevent@0x5575fc77bf50 size 128 | libevent_malloc: new ptr-libevent@0x5575fc76f110 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5575fc76fdf0 | libevent_malloc: new ptr-libevent@0x5575fc77bfe0 size 128 | libevent_malloc: new ptr-libevent@0x5575fc76f130 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5575fc76a440 | libevent_malloc: new ptr-libevent@0x5575fc786550 size 128 | libevent_malloc: new ptr-libevent@0x5575fc7865e0 size 16 | libevent_realloc: new ptr-libevent@0x5575fc6ea5b0 size 256 | libevent_malloc: new ptr-libevent@0x5575fc786600 size 8 | libevent_realloc: new ptr-libevent@0x5575fc77b350 size 144 | libevent_malloc: new ptr-libevent@0x5575fc786620 size 152 | libevent_malloc: new ptr-libevent@0x5575fc7866c0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x5575fc7866e0 size 8 | libevent_malloc: new ptr-libevent@0x5575fc786700 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x5575fc7867a0 size 8 | libevent_malloc: new ptr-libevent@0x5575fc7867c0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x5575fc786860 size 8 | libevent_realloc: release ptr-libevent@0x5575fc77b350 | libevent_realloc: new ptr-libevent@0x5575fc786880 size 256 | libevent_malloc: new ptr-libevent@0x5575fc77b350 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:27652) using fork+execve | forked child 27652 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x5575fc786bf0 | libevent_malloc: new ptr-libevent@0x5575fc786c30 size 128 | libevent_malloc: new ptr-libevent@0x5575fc786cc0 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x5575fc786ce0 | libevent_malloc: new ptr-libevent@0x5575fc786d20 size 128 | libevent_malloc: new ptr-libevent@0x5575fc786db0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x5575fc786dd0 | libevent_malloc: new ptr-libevent@0x5575fc786e10 size 128 | libevent_malloc: new ptr-libevent@0x5575fc786ea0 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x5575fc786ec0 | libevent_malloc: new ptr-libevent@0x5575fc786f00 size 128 | libevent_malloc: new ptr-libevent@0x5575fc786f90 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x5575fc786fb0 | libevent_malloc: new ptr-libevent@0x5575fc786ff0 size 128 | libevent_malloc: new ptr-libevent@0x5575fc787080 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x5575fc7870a0 | libevent_malloc: new ptr-libevent@0x5575fc7870e0 size 128 | libevent_malloc: new ptr-libevent@0x5575fc787170 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x5575fc77c130) PKK_PSK: %any | id type added to secret(0x5575fc77c130) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5575fc70f8d0) PKK_PSK: @west | id type added to secret(0x5575fc70f8d0) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5575fc711530) PKK_PSK: @east | id type added to secret(0x5575fc711530) PKK_PSK: @roadrandom | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.372 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x5575fc786c30 | free_event_entry: release EVENT_NULL-pe@0x5575fc786bf0 | add_fd_read_event_handler: new ethX-pe@0x5575fc786bf0 | libevent_malloc: new ptr-libevent@0x5575fc786c30 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x5575fc786d20 | free_event_entry: release EVENT_NULL-pe@0x5575fc786ce0 | add_fd_read_event_handler: new ethX-pe@0x5575fc786ce0 | libevent_malloc: new ptr-libevent@0x5575fc786d20 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x5575fc786e10 | free_event_entry: release EVENT_NULL-pe@0x5575fc786dd0 | add_fd_read_event_handler: new ethX-pe@0x5575fc786dd0 | libevent_malloc: new ptr-libevent@0x5575fc786e10 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x5575fc786f00 | free_event_entry: release EVENT_NULL-pe@0x5575fc786ec0 | add_fd_read_event_handler: new ethX-pe@0x5575fc786ec0 | libevent_malloc: new ptr-libevent@0x5575fc786f00 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x5575fc786ff0 | free_event_entry: release EVENT_NULL-pe@0x5575fc786fb0 | add_fd_read_event_handler: new ethX-pe@0x5575fc786fb0 | libevent_malloc: new ptr-libevent@0x5575fc786ff0 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x5575fc7870e0 | free_event_entry: release EVENT_NULL-pe@0x5575fc7870a0 | add_fd_read_event_handler: new ethX-pe@0x5575fc7870a0 | libevent_malloc: new ptr-libevent@0x5575fc7870e0 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x5575fc77c130) PKK_PSK: %any | id type added to secret(0x5575fc77c130) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5575fc70f8d0) PKK_PSK: @west | id type added to secret(0x5575fc70f8d0) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5575fc711530) PKK_PSK: @east | id type added to secret(0x5575fc711530) PKK_PSK: @roadrandom | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.814 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 27652 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0153 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection road-eastnet-psk with policy PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536 | counting wild cards for @roadrandom is 0 | counting wild cards for @east is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x5575fc7535b0 added connection description "road-eastnet-psk" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]---192.1.2.45...%virtual[@roadrandom]===vhost:? | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.123 milliseconds in whack | spent 0.00538 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 452 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 7b 77 c2 3c 11 a5 8d 25 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 c4 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05 | 0a 00 00 c4 3d 0a de 94 f6 87 5d 8f 04 f4 be 3c | 0c 4d d7 da 8b 9d c7 73 ea 66 d4 bd a4 18 0d 65 | 87 1f de 00 5b d9 c3 a4 82 af 19 45 f0 aa 69 6e | 1d 83 e1 ed 42 3f 7c 79 c2 d0 5c 04 c3 07 33 4d | 9f 98 be df bd 8f c5 3e 76 78 71 ee f4 00 e5 87 | 71 f2 09 d8 ce 93 dd c2 51 6b d0 c5 20 a4 0e 2f | 91 45 e4 b2 48 fd 08 cc d2 a5 6a 75 d9 98 45 66 | 07 98 1e d4 b0 f5 cb 3d 2d ea fd 17 b1 e4 43 43 | 0e fe d5 a0 14 5c 1b 94 7f 73 76 ee 11 b1 11 05 | 82 26 0c e1 65 b4 8a 35 27 1c 09 fc 89 20 0a 34 | f9 1b 93 f4 d4 26 34 19 db ac bb 02 48 66 76 bc | 3d ee 11 4d 9c 6b 92 26 cd ed ba 68 37 66 f8 45 | 4d 74 3f 29 05 00 00 24 d8 f0 23 1c 19 46 a4 3d | 5c 77 1b 97 e8 09 c2 de 92 53 af c2 ba 6d 34 da | 0b bb 03 97 e8 72 7a 28 0d 00 00 12 02 00 00 00 | 72 6f 61 64 72 61 6e 64 6f 6d 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 | 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 | 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 53 10 | ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 90 cb | 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 | 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 | a4 48 00 00 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7b 77 c2 3c 11 a5 8d 25 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | length: 452 (0x1c4) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 196 (0xc4) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x420 opt: 0x102000 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 36 (0x24) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 18 (0x12) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 72 6f 61 64 72 61 6e 64 6f 6d | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | removing 2 bytes of padding | message 'aggr_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=PSK+AGGRESSIVE+IKEV1_ALLOW but ignoring ports | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=PSK+AGGRESSIVE+IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW | found policy = PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (road-eastnet-psk) | find_next_host_connection returns road-eastnet-psk | find_next_host_connection policy=PSK+AGGRESSIVE+IKEV1_ALLOW | find_next_host_connection returns empty | connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none | new hp@0x5575fc711280 | rw_instantiate() instantiated "road-eastnet-psk"[1] 192.1.3.209 for 192.1.3.209 packet from 192.1.3.209:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's | creating state object #1 at 0x5575fc78a3a0 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 from 192.1.3.209:500 (in aggr_inI1_outR1() at ikev1_aggr.c:181) | parent state #1: UNDEFINED(ignore) => AGGR_R1(open IKE SA) "road-eastnet-psk"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@roadrandom' | X509: no CERT payloads to process "road-eastnet-psk"[1] 192.1.3.209 #1: responding to Aggressive Mode, state #1, connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209 | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5575fc711530 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5575fc711530 (lineno=12) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | adding outI2 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5575fc788790 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5575fc7887d0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 0 resuming | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 0 starting work-order 1 for state #1 | stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | spent 1.19 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.00124 seconds | (#1) spent 1.25 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f0a28001e30 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x5575fbf09630 | aggr inI1_outR1: calculated ke+nonce, calculating DH | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5575fc711530 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5575fc711530 (lineno=12) | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5575fc7887d0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5575fc788790 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5575fc788790 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5575fc7887d0 size 128 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | resume sending helper answer for #1 suppresed complete_v1_state_transition() and stole MD | #1 spent 0.176 milliseconds in resume sending helper answer | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0a28001e30 | crypto helper 1 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.001748 seconds | (#1) spent 1.71 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f0a2000b570 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x5575fbf09630 | aggr_inI1_outR1_continue2 for #1: calculated ke+nonce+DH, sending R1 | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. (PSK) | I am not sending a certificate request | **emit ISAKMP Message: | initiator cookie: | 7b 77 c2 3c 11 a5 8d 25 | responder cookie: | 7d 8d f6 76 b5 79 7a d1 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 1 (0x1) | [1 is OAKLEY_PRESHARED_KEY] | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5575fc711530 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5575fc711530 (lineno=12) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02 | attributes 80 03 00 01 80 04 00 05 | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 7a 2a 04 f9 2a c8 12 ef f2 58 e3 2a c5 6e 21 d4 | keyex value b7 f0 7e 31 b8 0d 01 50 90 78 43 ad 6f ef ab cf | keyex value ed 78 11 ea c3 1c c2 71 6a fb a2 b2 af 2b 56 2d | keyex value 4d 24 56 f1 42 7e 92 cf 75 40 ec 2b 30 98 64 35 | keyex value 84 b3 3d 15 cf 3a d4 0f af 60 f4 a5 19 78 5d 66 | keyex value 06 41 e9 7e 40 e9 0e 57 f7 c8 35 45 68 90 fb 07 | keyex value 0b fd f9 81 5d b1 70 b6 e8 a5 04 55 a0 49 34 f2 | keyex value f6 c0 8d 83 59 71 c7 6a 04 74 f5 ef b8 c7 80 2e | keyex value ab 07 54 65 2d 94 bf 31 6c d5 5d e6 b7 05 06 dd | keyex value a1 1d 71 f3 6e ac aa 99 8b 4a a7 4d 44 53 82 d8 | keyex value 93 55 f6 f0 44 e7 74 ae 6f 51 df a0 b2 93 5e f7 | keyex value 7e 6e 94 d0 df 17 b6 bb 0a b1 e9 bb 9e 71 b7 74 | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr b0 88 8e 44 f8 e7 90 2d ab 6f b9 59 df ce a3 82 | Nr fd 2e 70 25 ea 6a 0c 58 ec dc e2 51 1d 88 08 d4 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_HASH (0x8) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 8:ISAKMP_NEXT_HASH | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Hash Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload | HASH_R b4 bf 73 e1 26 7b 77 94 f0 bd dd 26 60 c0 59 ef | HASH_R 7f 17 74 13 | emitting length of ISAKMP Hash Payload: 24 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | sending NAT-D payloads | natd_hash: hasher=0x5575fbfdf7a0(20) | natd_hash: icookie= 7b 77 c2 3c 11 a5 8d 25 | natd_hash: rcookie= 7d 8d f6 76 b5 79 7a d1 | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= 44 17 0b d2 22 06 6c d5 53 f6 ae 63 d7 25 33 2a | natd_hash: hash= 86 62 cf c9 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 44 17 0b d2 22 06 6c d5 53 f6 ae 63 d7 25 33 2a | NAT-D 86 62 cf c9 | emitting length of ISAKMP NAT-D Payload: 24 | natd_hash: hasher=0x5575fbfdf7a0(20) | natd_hash: icookie= 7b 77 c2 3c 11 a5 8d 25 | natd_hash: rcookie= 7d 8d f6 76 b5 79 7a d1 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= e0 8b db 97 27 c5 d5 87 63 09 36 1f 55 16 31 a1 | natd_hash: hash= 91 00 78 84 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D e0 8b db 97 27 c5 d5 87 63 09 36 1f 55 16 31 a1 | NAT-D 91 00 78 84 | emitting length of ISAKMP NAT-D Payload: 24 | no IKEv1 message padding required | emitting length of ISAKMP Message: 456 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1 | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5575fc7887d0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5575fc788790 | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 456 bytes for STATE_AGGR_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 7b 77 c2 3c 11 a5 8d 25 7d 8d f6 76 b5 79 7a d1 | 01 10 04 00 00 00 00 00 00 00 01 c8 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 00 01 80 04 00 05 | 0a 00 00 c4 7a 2a 04 f9 2a c8 12 ef f2 58 e3 2a | c5 6e 21 d4 b7 f0 7e 31 b8 0d 01 50 90 78 43 ad | 6f ef ab cf ed 78 11 ea c3 1c c2 71 6a fb a2 b2 | af 2b 56 2d 4d 24 56 f1 42 7e 92 cf 75 40 ec 2b | 30 98 64 35 84 b3 3d 15 cf 3a d4 0f af 60 f4 a5 | 19 78 5d 66 06 41 e9 7e 40 e9 0e 57 f7 c8 35 45 | 68 90 fb 07 0b fd f9 81 5d b1 70 b6 e8 a5 04 55 | a0 49 34 f2 f6 c0 8d 83 59 71 c7 6a 04 74 f5 ef | b8 c7 80 2e ab 07 54 65 2d 94 bf 31 6c d5 5d e6 | b7 05 06 dd a1 1d 71 f3 6e ac aa 99 8b 4a a7 4d | 44 53 82 d8 93 55 f6 f0 44 e7 74 ae 6f 51 df a0 | b2 93 5e f7 7e 6e 94 d0 df 17 b6 bb 0a b1 e9 bb | 9e 71 b7 74 05 00 00 24 b0 88 8e 44 f8 e7 90 2d | ab 6f b9 59 df ce a3 82 fd 2e 70 25 ea 6a 0c 58 | ec dc e2 51 1d 88 08 d4 08 00 00 0c 02 00 00 00 | 65 61 73 74 0d 00 00 18 b4 bf 73 e1 26 7b 77 94 | f0 bd dd 26 60 c0 59 ef 7f 17 74 13 0d 00 00 14 | 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 14 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 14 00 00 18 44 17 0b d2 | 22 06 6c d5 53 f6 ae 63 d7 25 33 2a 86 62 cf c9 | 00 00 00 18 e0 8b db 97 27 c5 d5 87 63 09 36 1f | 55 16 31 a1 91 00 78 84 | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x5575fc788790 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5575fc7887d0 size 128 "road-eastnet-psk"[1] 192.1.3.209 #1: STATE_AGGR_R1: sent AR1, expecting AI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 1.34 milliseconds in resume sending helper answer | stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f0a2000b570 | spent 0.00437 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 40 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 7b 77 c2 3c 11 a5 8d 25 7d 8d f6 76 b5 79 7a d1 | 0b 10 05 00 00 00 00 00 00 00 00 28 00 00 00 0c | 00 00 00 01 01 00 00 17 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 7b 77 c2 3c 11 a5 8d 25 | responder cookie: | 7d 8d f6 76 b5 79 7a d1 | next payload type: ISAKMP_NEXT_N (0xb) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: none (0x0) | Message ID: 0 (0x0) | length: 40 (0x28) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_AGGR_R1 | State DB: found IKEv1 state #1 in AGGR_R1 (find_v1_info_state) | start processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1455) "road-eastnet-psk"[1] 192.1.3.209 #1: Informational Exchange message must be encrypted | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.149 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00496 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00416 milliseconds in global timer EVENT_SHUNT_SCAN