FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:28774 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x5572f17312c0 size 40 | libevent_malloc: new ptr-libevent@0x5572f1732570 size 40 | libevent_malloc: new ptr-libevent@0x5572f17325a0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x5572f1732530 size 56 | libevent_malloc: new ptr-libevent@0x5572f17325d0 size 664 | libevent_malloc: new ptr-libevent@0x5572f1732870 size 24 | libevent_malloc: new ptr-libevent@0x5572f1723fa0 size 384 | libevent_malloc: new ptr-libevent@0x5572f1732890 size 16 | libevent_malloc: new ptr-libevent@0x5572f17328b0 size 40 | libevent_malloc: new ptr-libevent@0x5572f17328e0 size 48 | libevent_realloc: new ptr-libevent@0x5572f16b4370 size 256 | libevent_malloc: new ptr-libevent@0x5572f1732920 size 16 | libevent_free: release ptr-libevent@0x5572f1732530 | libevent initialized | libevent_realloc: new ptr-libevent@0x5572f1732940 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 started thread for crypto helper 1 | status value returned by setting the priority of this thread (crypto helper 0) 22 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 started thread for crypto helper 2 started thread for crypto helper 3 | crypto helper 0 waiting (nothing to do) | starting up helper thread 3 | crypto helper 1 waiting (nothing to do) | starting up helper thread 2 started thread for crypto helper 4 | status value returned by setting the priority of this thread (crypto helper 2) 22 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 2 waiting (nothing to do) | starting up helper thread 4 | crypto helper 3 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 4) 22 started thread for crypto helper 5 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | checking IKEv1 state table | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x5572f1737f50 | libevent_malloc: new ptr-libevent@0x5572f1744070 size 128 | libevent_malloc: new ptr-libevent@0x5572f1737230 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x5572f1737f10 | libevent_malloc: new ptr-libevent@0x5572f1744100 size 128 | libevent_malloc: new ptr-libevent@0x5572f1737250 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x5572f1732530 | libevent_malloc: new ptr-libevent@0x5572f174e5f0 size 128 | libevent_malloc: new ptr-libevent@0x5572f174e680 size 16 | libevent_realloc: new ptr-libevent@0x5572f16b26c0 size 256 | libevent_malloc: new ptr-libevent@0x5572f174e6a0 size 8 | libevent_realloc: new ptr-libevent@0x5572f1743470 size 144 | libevent_malloc: new ptr-libevent@0x5572f174e6c0 size 152 | libevent_malloc: new ptr-libevent@0x5572f174e760 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x5572f174e780 size 8 | libevent_malloc: new ptr-libevent@0x5572f174e7a0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x5572f174e840 size 8 | libevent_malloc: new ptr-libevent@0x5572f174e860 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x5572f174e900 size 8 | libevent_realloc: release ptr-libevent@0x5572f1743470 | libevent_realloc: new ptr-libevent@0x5572f174e920 size 256 | libevent_malloc: new ptr-libevent@0x5572f1743470 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:28828) using fork+execve | forked child 28828 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x5572f174ec90 | libevent_malloc: new ptr-libevent@0x5572f174ecd0 size 128 | libevent_malloc: new ptr-libevent@0x5572f174ed60 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x5572f174ed80 | libevent_malloc: new ptr-libevent@0x5572f174edc0 size 128 | libevent_malloc: new ptr-libevent@0x5572f174ee50 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x5572f174ee70 | libevent_malloc: new ptr-libevent@0x5572f174eeb0 size 128 | libevent_malloc: new ptr-libevent@0x5572f174ef40 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x5572f174ef60 | libevent_malloc: new ptr-libevent@0x5572f174efa0 size 128 | libevent_malloc: new ptr-libevent@0x5572f174f030 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x5572f174f050 | libevent_malloc: new ptr-libevent@0x5572f174f090 size 128 | libevent_malloc: new ptr-libevent@0x5572f174f120 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x5572f174f140 | libevent_malloc: new ptr-libevent@0x5572f174f180 size 128 | libevent_malloc: new ptr-libevent@0x5572f174f210 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x5572f1744230) PKK_PSK: %any | id type added to secret(0x5572f1744230) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5572f16d95a0) PKK_PSK: @west | id type added to secret(0x5572f16d95a0) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5572f16d7a70) PKK_PSK: @east | id type added to secret(0x5572f16d7a70) PKK_PSK: @roadrandom | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.462 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x5572f174ecd0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ec90 | add_fd_read_event_handler: new ethX-pe@0x5572f174ec90 | libevent_malloc: new ptr-libevent@0x5572f174ecd0 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x5572f174edc0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ed80 | add_fd_read_event_handler: new ethX-pe@0x5572f174ed80 | libevent_malloc: new ptr-libevent@0x5572f174edc0 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x5572f174eeb0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ee70 | add_fd_read_event_handler: new ethX-pe@0x5572f174ee70 | libevent_malloc: new ptr-libevent@0x5572f174eeb0 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x5572f174efa0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ef60 | add_fd_read_event_handler: new ethX-pe@0x5572f174ef60 | libevent_malloc: new ptr-libevent@0x5572f174efa0 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x5572f174f090 | free_event_entry: release EVENT_NULL-pe@0x5572f174f050 | add_fd_read_event_handler: new ethX-pe@0x5572f174f050 | libevent_malloc: new ptr-libevent@0x5572f174f090 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x5572f174f180 | free_event_entry: release EVENT_NULL-pe@0x5572f174f140 | add_fd_read_event_handler: new ethX-pe@0x5572f174f140 | libevent_malloc: new ptr-libevent@0x5572f174f180 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x5572f1744230) PKK_PSK: %any | id type added to secret(0x5572f1744230) PKK_PSK: %any | Processing PSK at line 10: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5572f16d95a0) PKK_PSK: @west | id type added to secret(0x5572f16d95a0) PKK_PSK: @east | Processing PSK at line 12: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | id type added to secret(0x5572f16d7a70) PKK_PSK: @east | id type added to secret(0x5572f16d7a70) PKK_PSK: @roadrandom | Processing PSK at line 13: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.347 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 28828 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0151 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection xauth-road-eastnet-psk with policy PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536 | counting wild cards for @roadrandom is 0 | counting wild cards for @east is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x5572f171b710 added connection description "xauth-road-eastnet-psk" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east,+XS+S=C]---192.1.2.45...%any[@roadrandom,+XC+S=C] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.119 milliseconds in whack | spent 0.00283 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 464 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 00 00 00 00 00 00 00 00 | 01 10 04 00 00 00 00 00 00 00 01 d0 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 14 f9 d4 ea a0 84 00 29 93 26 53 a4 | b3 5e 1f 4f b3 09 49 a4 d3 af dc 79 47 0e 82 cc | 52 4e 66 0d 37 41 50 19 8c 70 9e fd 7f 0a 3c 53 | 90 14 ab 49 00 2e 8c d9 87 aa b3 82 98 db 82 d8 | 3a 91 81 df 7f 90 6c 96 a3 5e d8 20 f2 bb f0 52 | 63 35 8e de 8a ed 54 75 d0 87 8b 82 17 13 00 dc | 82 ec eb 85 d7 35 6e 8b 0a c1 87 1f 13 e1 f4 6d | bb e9 c3 de 48 dd 6e 30 33 2b 9e f3 d7 24 17 6e | 82 01 43 82 fd 5a a6 ab 97 c6 af 91 ae f1 2f 4d | 1f 96 94 e3 35 58 86 0e 4e 8f 8b a6 9b 3b ec db | 14 02 83 fb 96 44 19 32 4d 24 88 fe c1 cc 83 e6 | 3a ea 62 27 60 18 5b 61 a7 1d 27 25 c6 f5 23 3d | 89 07 f6 50 05 00 00 24 26 80 37 58 80 6c 68 06 | 2e 4b 87 1e 11 51 3d 96 15 c2 1a b4 b2 c1 58 b0 | ef 70 70 d6 1c ab a4 a1 0d 00 00 12 02 00 00 00 | 72 6f 61 64 72 61 6e 64 6f 6d 0d 00 00 14 40 48 | b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 0d 00 | 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 af ca | d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 0d 00 | 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 | 45 2f 0d 00 00 14 7d 94 19 a6 53 10 ca 6f 2c 17 | 9d 92 15 52 9d 56 0d 00 00 14 90 cb 80 91 3e bb | 69 6e 08 63 81 b5 ec 42 7b 1f 00 00 00 14 cd 60 | 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 00 00 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | length: 464 (0x1d0) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x432 opt: 0x102000 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x430 opt: 0x102000 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 196 (0xc4) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x420 opt: 0x102000 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 36 (0x24) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x20 opt: 0x102000 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 18 (0x12) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 72 6f 61 64 72 61 6e 64 6f 6d | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x102000 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | removing 2 bytes of padding | message 'aggr_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [XAUTH] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW but ignoring ports | find_next_host_connection policy=PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW | find_next_host_connection returns empty | find_host_connection local=192.1.2.23:500 remote= policy=PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW | found policy = PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-road-eastnet-psk) | find_next_host_connection returns xauth-road-eastnet-psk | find_next_host_connection policy=PSK+XAUTH+AGGRESSIVE+IKEV1_ALLOW | find_next_host_connection returns empty | connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none | new hp@0x5572f16d79c0 | rw_instantiate() instantiated "xauth-road-eastnet-psk"[1] 192.1.3.209 for 192.1.3.209 packet from 192.1.3.209:500: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's | creating state object #1 at 0x5572f1752440 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 from 192.1.3.209:500 (in aggr_inI1_outR1() at ikev1_aggr.c:181) | parent state #1: UNDEFINED(ignore) => AGGR_R1(open IKE SA) "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@roadrandom' | X509: no CERT payloads to process "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: responding to Aggressive Mode, state #1, connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209 | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5572f16d7a70 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5572f16d7a70 (lineno=12) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | adding outI2 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5572f1750820 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 0 resuming | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 0 starting work-order 1 for state #1 | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | spent 0.632 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.000593 seconds | (#1) spent 0.593 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f27e4001e30 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x5572f1213630 | aggr inI1_outR1: calculated ke+nonce, calculating DH | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5572f16d7a70 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5572f16d7a70 (lineno=12) | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5572f1750820 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5572f1750820 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | resume sending helper answer for #1 suppresed complete_v1_state_transition() and stole MD | crypto helper 1 resuming | crypto helper 1 starting work-order 2 for state #1 | #1 spent 0.0621 milliseconds in resume sending helper answer | crypto helper 1 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f27e4001e30 | crypto helper 1 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.000781 seconds | (#1) spent 0.78 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f27dc00b570 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 2 | calling continuation function 0x5572f1213630 | aggr_inI1_outR1_continue2 for #1: calculated ke+nonce+DH, sending R1 | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. (PSK) | I am not sending a certificate request | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5572f16d7a70 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5572f16d7a70 (lineno=12) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 05 80 02 00 02 | attributes 80 03 fd e9 80 04 00 05 | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 40 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 52 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 52 b7 3b 9e 3a a9 10 a1 30 d3 84 86 7e 5c 2d e6 | keyex value 8e 94 74 07 80 14 67 e7 a8 7b 60 fe c7 27 64 00 | keyex value 16 24 06 5f e9 67 a6 1d 82 90 e5 3e c9 f6 03 50 | keyex value d5 00 00 ed 96 b1 2c 0f 6f 37 34 43 b6 6f a0 d9 | keyex value 2f f8 a9 30 9a 84 af 00 6e b9 1c be b2 0b 30 29 | keyex value 56 d4 b5 1e b1 02 e0 2e 25 02 c6 e9 c6 74 54 7e | keyex value 86 f3 31 8f ac ed a2 30 df 00 89 7c 5e 4a b2 94 | keyex value 6d 33 6b b8 18 fb 48 b0 c1 c6 20 99 47 4f 2f f1 | keyex value d3 bc 98 28 a0 80 09 e0 0e a9 b2 e5 de 3d 4f 67 | keyex value 71 a0 fc 47 80 df 7b 80 1b 63 e8 33 30 83 df 2f | keyex value 22 aa 05 c7 87 89 64 54 0e 75 99 c0 c2 40 5e 9d | keyex value 36 2d 3a 86 c1 5f 08 66 c7 52 3e 22 e6 30 2e 3c | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr 63 e3 ce f1 06 ae 02 b1 fa 88 1f 6f 93 ae 60 b2 | Nr 6d 36 d7 a1 ed 11 3c ff 00 e7 ad 67 05 26 f0 16 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_HASH (0x8) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 8:ISAKMP_NEXT_HASH | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Hash Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload | HASH_R 9b c9 fd 9c 7b 20 65 31 28 e1 1c fa c8 02 f0 87 | HASH_R b0 f1 d9 9c | emitting length of ISAKMP Hash Payload: 24 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | sending NAT-D payloads | natd_hash: hasher=0x5572f12e97a0(20) | natd_hash: icookie= 9e cf 6a d4 62 b6 cc 18 | natd_hash: rcookie= f0 bb 00 32 fe d9 68 de | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= db 7f fc ee ff d8 a5 ae 1b d7 67 2e 4d 6f ff 6a | natd_hash: hash= bb 9a df 2a | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D db 7f fc ee ff d8 a5 ae 1b d7 67 2e 4d 6f ff 6a | NAT-D bb 9a df 2a | emitting length of ISAKMP NAT-D Payload: 24 | natd_hash: hasher=0x5572f12e97a0(20) | natd_hash: icookie= 9e cf 6a d4 62 b6 cc 18 | natd_hash: rcookie= f0 bb 00 32 fe d9 68 de | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | natd_hash: hash= cf 6f 18 40 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | NAT-D cf 6f 18 40 | emitting length of ISAKMP NAT-D Payload: 24 | no IKEv1 message padding required | emitting length of ISAKMP Message: 468 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_AGGR_R0 to state STATE_AGGR_R1 | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5572f1750820 | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 468 bytes for STATE_AGGR_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 01 10 04 00 00 00 00 00 00 00 01 d4 04 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0a 00 00 c4 52 b7 3b 9e 3a a9 10 a1 30 d3 84 86 | 7e 5c 2d e6 8e 94 74 07 80 14 67 e7 a8 7b 60 fe | c7 27 64 00 16 24 06 5f e9 67 a6 1d 82 90 e5 3e | c9 f6 03 50 d5 00 00 ed 96 b1 2c 0f 6f 37 34 43 | b6 6f a0 d9 2f f8 a9 30 9a 84 af 00 6e b9 1c be | b2 0b 30 29 56 d4 b5 1e b1 02 e0 2e 25 02 c6 e9 | c6 74 54 7e 86 f3 31 8f ac ed a2 30 df 00 89 7c | 5e 4a b2 94 6d 33 6b b8 18 fb 48 b0 c1 c6 20 99 | 47 4f 2f f1 d3 bc 98 28 a0 80 09 e0 0e a9 b2 e5 | de 3d 4f 67 71 a0 fc 47 80 df 7b 80 1b 63 e8 33 | 30 83 df 2f 22 aa 05 c7 87 89 64 54 0e 75 99 c0 | c2 40 5e 9d 36 2d 3a 86 c1 5f 08 66 c7 52 3e 22 | e6 30 2e 3c 05 00 00 24 63 e3 ce f1 06 ae 02 b1 | fa 88 1f 6f 93 ae 60 b2 6d 36 d7 a1 ed 11 3c ff | 00 e7 ad 67 05 26 f0 16 08 00 00 0c 02 00 00 00 | 65 61 73 74 0d 00 00 18 9b c9 fd 9c 7b 20 65 31 | 28 e1 1c fa c8 02 f0 87 b0 f1 d9 9c 0d 00 00 14 | 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | 0d 00 00 0c 09 00 26 89 df d6 b7 12 0d 00 00 14 | af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | 14 00 00 14 4a 13 1c 81 07 03 58 45 5c 57 28 f2 | 0e 95 45 2f 14 00 00 18 db 7f fc ee ff d8 a5 ae | 1b d7 67 2e 4d 6f ff 6a bb 9a df 2a 00 00 00 18 | df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | cf 6f 18 40 | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x5572f1750820 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: STATE_AGGR_R1: sent AR1, expecting AI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.609 milliseconds in resume sending helper answer | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f27dc00b570 | spent 0.00224 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 100 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 14 10 04 01 00 00 00 00 00 00 00 64 92 fc a2 a9 | 04 6c 22 7a d0 22 9f 25 6d d9 fb 00 8f 60 01 eb | 39 54 43 d0 aa 1f b6 fa 8a cb 15 dd fd d8 df 8f | 35 d2 47 57 4d d7 9e fa ef 54 d0 f0 a3 2c 9b 33 | 6b d5 a1 e7 32 13 2d 4e e4 d9 9b c9 28 bb 4d 24 | 8d e2 7c 07 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_AGGR (0x4) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 100 (0x64) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_AGGR (4) | State DB: found IKEv1 state #1 in AGGR_R1 (find_state_ikev1) | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x100 opt: 0x102000 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 24 (0x18) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x100 opt: 0x102000 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_HASH (0x8) | length: 24 (0x18) | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x102000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 24 (0x18) | message 'aggr_inI2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x5572f12e97a0(20) | natd_hash: icookie= 9e cf 6a d4 62 b6 cc 18 | natd_hash: rcookie= f0 bb 00 32 fe d9 68 de | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | natd_hash: hash= cf 6f 18 40 | natd_hash: hasher=0x5572f12e97a0(20) | natd_hash: icookie= 9e cf 6a d4 62 b6 cc 18 | natd_hash: rcookie= f0 bb 00 32 fe d9 68 de | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= db 7f fc ee ff d8 a5 ae 1b d7 67 2e 4d 6f ff 6a | natd_hash: hash= bb 9a df 2a | expected NAT-D(me): df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | expected NAT-D(me): cf 6f 18 40 | expected NAT-D(him): | db 7f fc ee ff d8 a5 ae 1b d7 67 2e 4d 6f ff 6a | bb 9a df 2a | received NAT-D: df 7b 50 32 8b 25 22 70 32 0c a9 49 6a 59 b3 43 | received NAT-D: cf 6f 18 40 | received NAT-D: db 7f fc ee ff d8 a5 ae 1b d7 67 2e 4d 6f ff 6a | received NAT-D: bb 9a df 2a | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | next payload chain: creating a fake payload for hashing identity | **emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: no previous for current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID); assumed to be fake | emitting 10 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 72 6f 61 64 72 61 6e 64 6f 6d | emitting length of ISAKMP Identification Payload (IPsec DOI): 18 | ***parse ISAKMP Identification Payload: | next payload type: 250?? (0xfa) | length: 18 (0x12) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@roadrandom' | X509: no CERT payloads to process | received 'Aggr' message HASH_I data ok | phase 1 complete | We are a server using PSK and clients are using a group ID | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_AGGR_R1 to state STATE_AGGR_R2 | parent state #1: AGGR_R1(open IKE SA) => AGGR_R2(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_SO_DISCARD-pe@0x5572f1750820 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x5572f1750820 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | pstats #1 ikev1.isakmp established "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: STATE_AGGR_R2: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH: Sending XAUTH Login/Password Request | event_schedule: new EVENT_v1_SEND_XAUTH-pe@0x5572f1752f00 | inserting event EVENT_v1_SEND_XAUTH, timeout in 0.08 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f27dc00b570 size 128 | #1 spent 0.211 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.304 milliseconds in comm_handle_cb() reading and processing packet | timer_event_cb: processing event@0x5572f1752f00 | handling event EVENT_v1_SEND_XAUTH for parent state #1 | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in timer_event_cb() at timer.c:250) | XAUTH: event EVENT_v1_SEND_XAUTH #1 STATE_AGGR_R2 "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: Sending Username/Password request (AGGR_R2->XAUTH_R0) | parent state #1: AGGR_R2(established IKE SA) => XAUTH_R0(established IKE SA) | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 330702245 (0x13b61da5) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'xauth_buf' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'xauth_buf' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 16 | XAUTH: send request HASH(1): | 17 16 f0 9e 7e 24 0c 5a ec 0e 7a 8d 13 7c 59 b7 | 68 a6 82 90 | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | sending 68 bytes for XAUTH: req through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 06 01 13 b6 1d a5 00 00 00 44 57 ac 5a ed | de 3e 7f b1 c6 91 ed ba e2 b1 62 c1 15 4c 7f 6d | 29 ab 1d ab ea 4c b2 64 c8 0b d4 23 42 07 84 22 | 9e 53 6b c8 | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_SA_REPLACE-pe@0x5572f1750820 | event_schedule: new EVENT_RETRANSMIT-pe@0x5572f1750820 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | #1 STATE_XAUTH_R0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 49996.898095 | libevent_free: release ptr-libevent@0x7f27dc00b570 | free_event_entry: release EVENT_v1_SEND_XAUTH-pe@0x5572f1752f00 | #1 spent 0.193 milliseconds in timer_event_cb() EVENT_v1_SEND_XAUTH | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in timer_event_cb() at timer.c:557) | spent 0.00221 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 84 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 06 01 13 b6 1d a5 00 00 00 54 f1 81 43 02 | 5b 3a fd c6 8c e7 d3 68 e6 a1 82 06 56 ff 7c 2e | b4 06 64 9a 6d 98 56 18 15 f2 ba 81 8d 70 24 98 | 4a 80 62 42 1f bc ac f7 ba 79 29 0c 9c 19 70 86 | 9a 74 8a da | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 330702245 (0x13b61da5) | length: 84 (0x54) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=13b61da5 st_msgid=00000000 st_msgid_phase15=13b61da5 | p15 state object #1 found, in STATE_XAUTH_R0 | State DB: found IKEv1 state #1 in XAUTH_R0 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1778) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 28 (0x1c) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | removing 4 bytes of padding | xauth_inR0 HASH(1): | 7d c9 2c c1 aa 58 a6 94 27 9b bb 14 05 83 1b 71 | a1 c6 6d 80 | received 'xauth_inR0' message HASH(1) data ok | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 4 (0x4) | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 8 (0x8) | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_XAUTH_R0: retransmits: cleared | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_RETRANSMIT-pe@0x5572f1750820 "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: password file authentication method requested to authenticate user 'use2' "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: password file (/etc/ipsec.d/passwd) open. | XAUTH: found user(road/use2) pass($apr1$898RP...$9gJFVFuZIvsD0dTGADcv10) connid(xauth-road-eastnet/xauth-road-eastnet-psk) addresspool() | XAUTH: found user(use1/use2) pass(xOzlFlqtwJIu2) connid(xauth-road-eastnet/xauth-road-eastnet-psk) addresspool() | XAUTH: found user(use2/use2) pass(xOzlFlqtwJIu2) connid(xauth-road-eastnet-psk/xauth-road-eastnet-psk) addresspool() "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: success user(use2:xauth-road-eastnet-psk) | scheduling resume xauth immediate for #1 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.0868 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.203 milliseconds in comm_handle_cb() reading and processing packet | processing resume xauth immediate for #1 | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: User use2: Authentication Successful | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3132625311 (0xbab8119f) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'xauth_buf' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_SET (0x3) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'xauth_buf' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 12 | XAUTH: status HASH(1): | 1f 2b 0e 10 f0 4a 1b e2 ae 1d 6e e6 7a ec 05 65 | 81 5b 3b 52 | no IKEv1 message padding required | emitting length of ISAKMP Message: 64 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | event_schedule: new EVENT_RETRANSMIT-pe@0x5572f1750820 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f27dc00b570 size 128 | #1 STATE_XAUTH_R0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 49996.89879 | sending 68 bytes for XAUTH: status through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 06 01 ba b8 11 9f 00 00 00 44 39 52 f8 cb | a4 b4 f8 2f c0 c2 bc d6 f2 d0 e1 c9 48 84 0a e8 | ba 2d 9e b2 8d ab 46 0e 6a 20 64 a8 ff 0b ee 6b | ef 5e a1 cf | parent state #1: XAUTH_R0(established IKE SA) => XAUTH_R1(established IKE SA) | resume xauth immediate for #1 suppresed complete_v1_state_transition() | #1 spent 0.1 milliseconds in resume xauth immediate | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x5572f1750860 | spent 0.00204 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 06 01 ba b8 11 9f 00 00 00 44 65 02 bb 22 | 59 c9 ac fe d8 f7 12 26 22 af ff 21 d9 f1 d3 12 | e1 4a 55 5b 19 41 05 94 52 61 cd 6a b1 e2 9b 49 | c3 ca ec 3e | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3132625311 (0xbab8119f) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=bab8119f st_msgid=00000000 st_msgid_phase15=bab8119f | p15 state object #1 found, in STATE_XAUTH_R1 | State DB: found IKEv1 state #1 in XAUTH_R1 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1778) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | Attr Msg Type: ISAKMP_CFG_ACK (0x4) | Identifier: 0 (0x0) | removing 4 bytes of padding | xauth_inR1 HASH(1): | 11 88 ae b6 57 17 f4 ea bf 9b 37 49 37 54 d7 a2 | 4f ac 79 a7 | received 'xauth_inR1' message HASH(1) data ok "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: XAUTH: xauth_inR1(STF_OK) | Not server, starting new exchange | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3 | parent state #1: XAUTH_R1(established IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x7f27dc00b570 | free_event_entry: release EVENT_RETRANSMIT-pe@0x5572f1750820 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x5572f1750820 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x7f27dc00b570 size 128 | pstats #1 ikev1.isakmp established "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #1 spent 0.0483 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.173 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00203 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 20 01 17 4e 2e 47 00 00 01 8c 12 5c ac a7 | 21 2b ef d5 74 83 92 83 3b dd 8b 2c 96 c3 1f 83 | c2 36 03 16 a4 77 c1 8d 16 88 35 57 7c d8 86 30 | 32 55 29 fe 55 0e 8e d0 0d 81 51 47 4e c8 50 cb | 2d 5d 0f 39 22 67 e4 7e 8d 7a ef b9 eb a0 0a e9 | 6e e9 0f 9d 7f e7 9f c4 aa 91 fd da ad c9 3f dd | ce 58 de 29 ed a3 32 c9 5b 9f cf b6 75 bd 14 d6 | 42 50 a8 cf c4 6f 53 cc 62 2f 39 b4 2e f3 3c 60 | d4 fc 16 55 9d 54 f8 46 6c 04 6c 8a 0f 91 da e6 | 46 28 59 86 cd 1b de 34 87 db 28 db 40 71 b6 1c | 6a da ac 48 67 3b 32 d8 df 73 74 94 d3 57 ff a3 | 29 2d eb 60 c0 f3 49 52 73 32 15 25 2f 23 55 5a | 20 2c ad 91 4a 31 e1 3f ce 11 b6 10 4d da f4 c3 | b5 fd a2 97 f2 5f 58 7a 93 48 38 bb d2 7d b5 c0 | 94 25 11 1f 54 ff 36 e7 9c 18 8b 1e 11 cc b5 45 | 99 82 3b eb cb ab 4c 08 eb 5d c1 21 63 6f 0e c8 | 38 8e 56 f8 b4 d5 87 ae 74 33 c7 12 29 90 5f b7 | 5a aa 0c ad f5 bf 80 6e 58 ce b0 29 d1 66 78 08 | 5f 03 f6 fe 39 6e f7 30 da ca 22 4e b5 e3 76 60 | a0 24 61 18 fb 86 d4 d8 cb ba 32 56 a3 f5 16 ca | 10 3f 5e 55 5e 27 90 40 09 56 00 75 00 77 71 a7 | 32 ba b0 b9 59 fe b5 a0 8a 30 0f 7c f2 c8 fb 40 | 55 89 94 68 fc 05 a1 b1 70 2a c0 2c fe 4b a5 e1 | 27 a0 95 b7 1b 5d a8 28 eb 7b 8c 1c | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 390999623 (0x174e2e47) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_R3 (find_state_ikev1) | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1583) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 24 (0x18) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 84 (0x54) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 196 (0xc4) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 01 03 d1 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 00 ff ff ff 00 | quick_inI1_outR1 HASH(1): | f0 45 3b b6 38 7f 61 ba 01 3b 3b 40 83 3b 23 48 | f7 a7 37 04 | received 'quick_inI1_outR1' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 01 03 d1 | peer client is 192.1.3.209/32 | peer client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask ff ff ff 00 | our client is subnet 192.0.2.0/24 | our client protocol/port is 0/0 "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.1.3.209/32:0/0 | find_client_connection starting with xauth-road-eastnet-psk | looking for 192.0.2.0/24:0:0/0 -> 192.1.3.209/32:0:0/0 | concrete checking against sr#0 192.0.2.0/24:0 -> 192.1.3.209/32:0 | match_id a=@roadrandom | b=@roadrandom | results matched | fc_try trying xauth-road-eastnet-psk:192.0.2.0/24:0:0/0 -> 192.1.3.209/32:0:0/0 vs xauth-road-eastnet-psk:192.0.2.0/24:0:0/0 -> 192.1.3.209/32:0:0/0 | fc_try concluding with xauth-road-eastnet-psk [129] | fc_try xauth-road-eastnet-psk gives xauth-road-eastnet-psk | concluding with d = xauth-road-eastnet-psk | client wildcard: no port wildcard: no virtual: no | creating state object #2 at 0x5572f1753700 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "xauth-road-eastnet-psk"[1] 192.1.3.209 as #2 for IPSEC SA | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | start processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in quick_inI1_outR1_tail() at ikev1_quick.c:1294) | child state #2: UNDEFINED(ignore) => QUICK_R0(established CHILD SA) | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 98 7b 59 45 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5572f1752f00 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | #1 spent 0.145 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.334 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 resuming | crypto helper 2 starting work-order 3 for state #2 | crypto helper 2 doing build KE and nonce (quick_outI1 KE); request ID 3 | crypto helper 2 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000291 seconds | (#2) spent 0.295 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 2 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f27e0001e30 size 128 | libevent_realloc: release ptr-libevent@0x5572f1732940 | libevent_realloc: new ptr-libevent@0x5572f1752f40 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 3 | calling continuation function 0x5572f1213630 | quick_inI1_outR1_cryptocontinue1 for #2: calculated ke+nonce, calculating DH | started looking for secret for @east->@roadrandom of kind PKK_PSK | actually looking for secret for @east->@roadrandom of kind PKK_PSK | line 12: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @roadrandom to @east / @roadrandom -> 004 | 2: compared key @east to @east / @roadrandom -> 014 | line 12: match=014 | match 014 beats previous best_match 000 match=0x5572f16d7a70 (line=12) | line 10: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key @east to @east / @roadrandom -> 010 | 2: compared key @west to @east / @roadrandom -> 010 | line 10: match=010 | line 9: key type PKK_PSK(@east) to type PKK_PSK | 1: compared key %any to @east / @roadrandom -> 002 | 2: compared key %any to @east / @roadrandom -> 002 | line 9: match=002 | match 002 loses to best_match 014 | concluding with best_match=014 best=0x5572f16d7a70 (lineno=12) | adding quick outR1 DH work-order 4 for state #2 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5572f1752f00 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x5572f1752f00 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | suspending state #2 and saving MD | #2 is busy; has a suspended MD | resume sending helper answer for #2 suppresed complete_v1_state_transition() and stole MD | crypto helper 3 resuming | #2 spent 0.0555 milliseconds in resume sending helper answer | crypto helper 3 starting work-order 4 for state #2 | stop processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 | libevent_free: release ptr-libevent@0x7f27e0001e30 | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outR1 DH); request ID 4 time elapsed 0.000293 seconds | (#2) spent 0.293 milliseconds in crypto helper computing work-order 4: quick outR1 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f27d4003120 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x5572f1213630 | quick_inI1_outR1_cryptocontinue2 for #2: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 390999623 (0x174e2e47) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 72 (0x48) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 98 7b 59 45 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0xa5556011 for esp.0@192.1.2.23 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI a5 55 60 11 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | emitting 24 raw bytes of attributes into ISAKMP Transform Payload (ESP) | attributes 80 03 00 05 80 04 00 01 80 01 00 01 80 02 70 80 | attributes 80 05 00 02 80 06 00 80 | emitting length of ISAKMP Transform Payload (ESP): 32 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: responding to Quick Mode proposal {msgid:174e2e47} "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east,+XS+S=C] "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: them: 192.1.3.209[@roadrandom,+XC+S=C] | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr f2 ce f0 e0 95 58 db 00 e0 a7 08 cd ef 14 fb 65 | Nr e8 92 64 be 91 c3 be 84 f0 fe a6 30 5d 64 76 4a | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 192 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 0b a2 06 64 cb 9e 62 fc 87 e9 7d d3 a6 9e 40 a1 | keyex value a4 fc 5e 5e 07 6a 61 4c 00 f2 0b 67 3a 41 28 95 | keyex value 07 6a 09 1e f7 c8 53 5f e3 5c db 45 d4 87 d0 3c | keyex value a4 98 80 3f 34 9d e9 6a 83 5b 4b f7 6c 7d 6b 37 | keyex value 2a be 54 9b c7 0c db 72 17 9d f9 cf ae db ed fa | keyex value 9a 01 33 4a d6 bc 57 fb 1d c0 76 56 c3 4d 3f 9b | keyex value a6 52 36 58 7f 18 0b bc 42 3c 4a 24 3c be b8 df | keyex value 34 e9 81 ae 71 ab d6 00 39 ef 98 15 33 d7 09 4b | keyex value e5 e9 cb 09 e6 c5 29 a9 68 ac b4 a5 b4 dd 57 92 | keyex value e4 d5 88 43 4e f3 6c 32 d7 e9 d4 12 99 94 ec 2d | keyex value a6 a8 39 aa 30 7c 8d b0 c8 37 29 ca 2c be d4 01 | keyex value 53 7e e1 41 1b 03 f3 22 35 34 b2 76 82 8a fa 68 | emitting length of ISAKMP Key Exchange Payload: 196 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 01 03 d1 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 8 raw bytes of ID body into ISAKMP Identification Payload (IPsec DOI) | ID body c0 00 02 00 ff ff ff 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | quick inR1 outI2 HASH(2): | 4d 23 92 93 e8 64 c8 de 87 e6 ca dd 44 f3 41 e6 | e6 2f dc f0 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | install_inbound_ipsec_sa() checking if we can route | could_route called for xauth-road-eastnet-psk (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x5572f1753700 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'xauth-road-eastnet-psk' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.987b5945@192.1.3.209 included non-error error | outgoing SA has refhim=0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'xauth-road-eastnet-psk' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.a5556011@192.1.2.23 included non-error error | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | add inbound eroute 192.1.3.209/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042399 | raw_eroute result=success | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 372 | finished processing quick inI1 | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | child state #2: QUICK_R0(established CHILD SA) => QUICK_R1(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x5572f1752f00 | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 372 bytes for STATE_QUICK_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #2) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 20 01 17 4e 2e 47 00 00 01 74 91 ce 96 ba | bf 39 38 9f 8f 23 4a 21 6b 5a a8 59 49 41 25 d9 | c7 47 d3 9d ae d8 e3 7e d4 e8 f2 5c e2 ae e9 3e | 67 a6 3d 26 4e 73 0d c0 cc ba c0 00 35 12 22 fd | ee bd 66 79 9c 53 ce a6 14 62 e5 08 cf 35 95 e6 | b2 b8 dd a6 57 0f 19 86 ea 58 4a d7 74 1e f2 72 | bd 50 d1 c5 30 6f ff c1 03 3a 30 f9 ba 8d 9a a0 | 6b 80 7b e2 c1 2c ee 45 c8 33 79 8e 22 38 a9 60 | 04 b9 8b 51 5c 99 6f 38 cf c7 cb 5f 64 bb c5 23 | 89 26 1e 7a e7 4a 87 f3 a9 50 b0 47 a8 0e eb 8a | 6f 0d a6 b5 af 98 48 5a 00 71 14 8d 06 d6 ca 08 | 40 36 ea dd c1 7b 68 f3 00 51 76 ad 17 93 4f 5e | 76 8f 40 f2 a1 c4 cc 7e dd 1d a5 80 89 16 3a 3f | 1c de 05 c6 da 8f 0e c8 3c 2f 9b b8 d4 7a 21 27 | de 1d b2 70 9f 29 1a 08 17 7a 54 a1 99 bc 57 c7 | bc 35 e3 9c f9 c2 aa 5d f3 97 f0 0d c1 fe 73 0a | 9b 9b 85 f6 c2 56 f3 c4 43 f9 90 f1 18 ad 4e 0b | fb 12 77 94 dd b9 bd 81 f5 cf 0c 88 9a 4c 42 bd | 2a f4 bf de 54 8c b4 8f 18 10 53 79 3e 6c 54 33 | 93 8a 9f ba 8d d6 3d 35 f0 83 44 ae dc 10 8a 72 | 43 6a 5e 8e 36 72 d1 ab 8c 09 7f f7 54 73 b8 5a | e9 f8 a3 7e ae 14 fc 40 ad f9 92 27 5f d3 ad 4b | 0f 4d d9 35 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x5572f1752f00 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | #2 STATE_QUICK_R1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 49996.901795 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP=>0x987b5945 <0xa5556011 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive username=use2} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.633 milliseconds in resume sending helper answer | stop processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f27d4003120 | spent 0.00252 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 52 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 20 01 17 4e 2e 47 00 00 00 34 d3 30 93 67 | 23 29 19 1a 0f ee 56 24 73 8c 2d 1a 48 ed e9 41 | f5 2b 9f 5c | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 390999623 (0x174e2e47) | length: 52 (0x34) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_R1 (find_state_ikev1) | start processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1609) | #2 is idle | #2 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 24 (0x18) | quick_inI2 HASH(3): | 73 14 6e 72 2a cb 8c 9e 2c bb 43 b8 78 b1 56 ba | 5c ea eb e4 | received 'quick_inI2' message HASH(3) data ok | install_ipsec_sa() for #2: outbound only | could_route called for xauth-road-eastnet-psk (kind=CK_INSTANCE) | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk"[1] 192.1.3.209 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: xauth-road-eastnet-psk (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.1.3.209/32:0 => tun.0@192.1.3.209 (raw_eroute) | IPsec Sa SPD priority set to 1042399 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFAC | popen cmd is 1089 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-: | cmd( 80):psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PL: | cmd( 160):UTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0': | cmd( 240): PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PL: | cmd( 320):UTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID=: | cmd( 400):'@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.: | cmd( 480):209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PRO: | cmd( 560):TOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POL: | cmd( 640):ICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_AL: | cmd( 720):LOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAI: | cmd( 800):LED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO: | cmd( 880):_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT=: | cmd( 960):'0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN: | cmd(1040):=0x987b5945 SPI_OUT=0xa5556011 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0 | popen cmd is 1094 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eas: | cmd( 80):tnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0: | cmd( 240):.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=': | cmd( 320):0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEE: | cmd( 400):R_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192: | cmd( 480):.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEE: | cmd( 560):R_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CON: | cmd( 640):N_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FR: | cmd( 720):AG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUT: | cmd( 800):H_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' : | cmd( 880):PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CL: | cmd( 960):IENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' S: | cmd(1040):PI_IN=0x987b5945 SPI_OUT=0xa5556011 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VT | popen cmd is 1092 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastn: | cmd( 80):et-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23': | cmd( 160): PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2: | cmd( 240):.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': | cmd( 320): PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_: | cmd( 400):ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1: | cmd( 480):.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_: | cmd( 560):PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_: | cmd( 640):POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG: | cmd( 720):_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_: | cmd( 800):FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PL: | cmd( 880):UTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIE: | cmd( 960):NT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI: | cmd(1040):_IN=0x987b5945 SPI_OUT=0xa5556011 ipsec _updown 2>&1: | route_and_eroute: instance "xauth-road-eastnet-psk"[1] 192.1.3.209, setting eroute_owner {spd=0x5572f1751fe0,sr=0x5572f1751fe0} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 0.577 milliseconds in install_ipsec_sa() | inI2: instance xauth-road-eastnet-psk[1], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:no | IKEv1: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | child state #2: QUICK_R1(established CHILD SA) => QUICK_R2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_R2: retransmits: cleared | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_RETRANSMIT-pe@0x5572f1752f00 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x5572f1752f00 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2 | libevent_malloc: new ptr-libevent@0x5572f1750860 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x987b5945 <0xa5556011 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive username=use2} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | #2 spent 0.637 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.756 milliseconds in comm_handle_cb() reading and processing packet | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00328 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00191 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00191 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.a5556011@192.1.2.23 | get_sa_info esp.987b5945@192.1.3.209 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.334 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | pluto_sd: executing action action: stopping(6), status 0 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | start processing: connection "xauth-road-eastnet-psk"[1] 192.1.3.209 (in delete_connection() at connections.c:189) "xauth-road-eastnet-psk"[1] 192.1.3.209: deleting connection "xauth-road-eastnet-psk"[1] 192.1.3.209 instance with peer 192.1.3.209 {isakmp=#1/ipsec=#2} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #2 | suspend processing: connection "xauth-road-eastnet-psk"[1] 192.1.3.209 (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879) "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: deleting state (STATE_QUICK_R2) aged 10.542s and sending notification | child state #2: QUICK_R2(established CHILD SA) => delete | get_sa_info esp.987b5945@192.1.3.209 | get_sa_info esp.a5556011@192.1.2.23 "xauth-road-eastnet-psk"[1] 192.1.3.209 #2: ESP traffic information: in=336B out=336B XAUTHuser=use2 | #2 send IKEv1 delete notification for STATE_QUICK_R2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1731591979 (0x6735ff2b) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload a5 55 60 11 | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | 35 0f ec 9d 6f f5 5d c8 c1 53 12 c4 1b 48 62 5f | be 22 d5 40 | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | sending 68 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 05 01 67 35 ff 2b 00 00 00 44 b2 c1 8d 1d | 88 0a 2e de b4 f7 db dc 3f 0f 47 81 ef 46 c7 b5 | 65 b0 01 5c 6c e6 03 6f 1d 56 57 cc 58 2c a2 72 | 7d e4 34 27 | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x5572f1750860 | free_event_entry: release EVENT_SA_REPLACE-pe@0x5572f1752f00 | running updown command "ipsec _updown" for verb down | command executing down-client | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051350' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGUR | popen cmd is 1102 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastne: | cmd( 80):t-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' : | cmd( 160):PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.: | cmd( 240):0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' : | cmd( 320):PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.209' PLUTO_PEER_I: | cmd( 400):D='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.: | cmd( 480):3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051350' PLU: | cmd( 640):TO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+: | cmd( 720):IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ip: | cmd( 800):v4' XAUTH_FAILED=0 PLUTO_USERNAME='use2' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_: | cmd( 880):INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUT: | cmd( 960):O_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE: | cmd(1040):D='no' SPI_IN=0x987b5945 SPI_OUT=0xa5556011 ipsec _updown 2>&1: | shunt_eroute() called for connection 'xauth-road-eastnet-psk' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.1.3.209/32:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.1.3.209/32:0 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | IPsec Sa SPD priority set to 1042399 | delete esp.987b5945@192.1.3.209 | netlink response for Del SA esp.987b5945@192.1.3.209 included non-error error | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | delete inbound eroute 192.1.3.209/32:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.a5556011@192.1.2.23 | netlink response for Del SA esp.a5556011@192.1.2.23 included non-error error | stop processing: connection "xauth-road-eastnet-psk"[1] 192.1.3.209 (BACKGROUND) (in update_state_connection() at connections.c:4037) | start processing: connection NULL (in update_state_connection() at connections.c:4038) | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #2 in QUICK_R2 | child state #2: QUICK_R2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.3.209:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | state #1 | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #1 | start processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "xauth-road-eastnet-psk"[1] 192.1.3.209 from 192.1.3.209:500 (in delete_state() at state.c:879) "xauth-road-eastnet-psk"[1] 192.1.3.209 #1: deleting state (STATE_MAIN_R3) aged 10.640s and sending notification | parent state #1: MAIN_R3(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_R3 | **emit ISAKMP Message: | initiator cookie: | 9e cf 6a d4 62 b6 cc 18 | responder cookie: | f0 bb 00 32 fe d9 68 de | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 424788049 (0x1951c051) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 9e cf 6a d4 62 b6 cc 18 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI f0 bb 00 32 fe d9 68 de | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 8d 84 b4 da b7 b5 82 e7 eb 67 fb ab 4c a5 9c c5 | ca f8 dd a1 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | sending 84 bytes for delete notify through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 9e cf 6a d4 62 b6 cc 18 f0 bb 00 32 fe d9 68 de | 08 10 05 01 19 51 c0 51 00 00 00 54 df fa 9b 69 | 3d 90 7b b3 2e 05 40 38 98 87 91 76 08 a2 7e 53 | 59 48 7b 1c cb ac ba 31 7b 23 2f f7 68 69 a3 38 | 82 16 65 e1 ba 87 14 ad 98 a8 59 14 c1 6d e1 0c | ec bc f1 fd | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7f27dc00b570 | free_event_entry: release EVENT_SA_REPLACE-pe@0x5572f1750820 | State DB: IKEv1 state not found (flush_incomplete_children) | in connection_discard for connection xauth-road-eastnet-psk | State DB: deleting IKEv1 state #1 in MAIN_R3 | parent state #1: MAIN_R3(established IKE SA) => UNDEFINED(ignore) | stop processing: state #1 from 192.1.3.209:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | shunt_eroute() called for connection 'xauth-road-eastnet-psk' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.1.3.209/32:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.1.3.209/32:0 | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | priority calculation of connection "xauth-road-eastnet-psk" is 0xfe7df | FOR_EACH_CONNECTION_... in route_owner | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 vs | conn xauth-road-eastnet-psk mark 0/00000000, 0/00000000 | route owner of "xauth-road-eastnet-psk" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eastnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PEER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='192.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ | popen cmd is 1061 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='xauth-road-eas: | cmd( 80):tnet-psk' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.2: | cmd( 160):3' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0: | cmd( 240):.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL=': | cmd( 320):0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.209' PLUTO_PE: | cmd( 400):ER_ID='@roadrandom' PLUTO_PEER_CLIENT='192.1.3.209/32' PLUTO_PEER_CLIENT_NET='19: | cmd( 480):2.1.3.209' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PE: | cmd( 560):ER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CO: | cmd( 640):NN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_F: | cmd( 720):RAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' X: | cmd( 800):AUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_I: | cmd( 880):NFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_C: | cmd( 960):ONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0: | cmd(1040):x0 ipsec _updown 2>&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. | free hp@0x5572f16d79c0 | flush revival: connection 'xauth-road-eastnet-psk' wasn't on the list | processing: STOP connection NULL (in discard_connection() at connections.c:249) | start processing: connection "xauth-road-eastnet-psk" (in delete_connection() at connections.c:189) | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | free hp@0x5572f171b710 | flush revival: connection 'xauth-road-eastnet-psk' wasn't on the list | stop processing: connection "xauth-road-eastnet-psk" (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x5572f174ecd0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ec90 | libevent_free: release ptr-libevent@0x5572f174edc0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ed80 | libevent_free: release ptr-libevent@0x5572f174eeb0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ee70 | libevent_free: release ptr-libevent@0x5572f174efa0 | free_event_entry: release EVENT_NULL-pe@0x5572f174ef60 | libevent_free: release ptr-libevent@0x5572f174f090 | free_event_entry: release EVENT_NULL-pe@0x5572f174f050 | libevent_free: release ptr-libevent@0x5572f174f180 | free_event_entry: release EVENT_NULL-pe@0x5572f174f140 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x5572f174e5f0 | free_event_entry: release EVENT_NULL-pe@0x5572f1732530 | libevent_free: release ptr-libevent@0x5572f1744100 | free_event_entry: release EVENT_NULL-pe@0x5572f1737f10 | libevent_free: release ptr-libevent@0x5572f1744070 | free_event_entry: release EVENT_NULL-pe@0x5572f1737f50 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x5572f174e6c0 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x5572f174e7a0 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x5572f174e860 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x5572f1743470 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x5572f174e920 | libevent_free: release ptr-libevent@0x5572f1723fa0 | libevent_free: release ptr-libevent@0x5572f1732870 | libevent_free: release ptr-libevent@0x5572f1752f40 | libevent_free: release ptr-libevent@0x5572f1732890 | libevent_free: release ptr-libevent@0x5572f174e680 | libevent_free: release ptr-libevent@0x5572f174e760 | libevent_free: release ptr-libevent@0x5572f1732920 | libevent_free: release ptr-libevent@0x5572f1737230 | libevent_free: release ptr-libevent@0x5572f1737250 | libevent_free: release ptr-libevent@0x5572f174f210 | libevent_free: release ptr-libevent@0x5572f174f120 | libevent_free: release ptr-libevent@0x5572f174f030 | libevent_free: release ptr-libevent@0x5572f174ef40 | libevent_free: release ptr-libevent@0x5572f174ee50 | libevent_free: release ptr-libevent@0x5572f174ed60 | libevent_free: release ptr-libevent@0x5572f16b4370 | libevent_free: release ptr-libevent@0x5572f174e840 | libevent_free: release ptr-libevent@0x5572f174e780 | libevent_free: release ptr-libevent@0x5572f174e6a0 | libevent_free: release ptr-libevent@0x5572f174e900 | libevent_free: release ptr-libevent@0x5572f16b26c0 | libevent_free: release ptr-libevent@0x5572f17328b0 | libevent_free: release ptr-libevent@0x5572f17328e0 | libevent_free: release ptr-libevent@0x5572f17325d0 | releasing global libevent data | libevent_free: release ptr-libevent@0x5572f17312c0 | libevent_free: release ptr-libevent@0x5572f1732570 | libevent_free: release ptr-libevent@0x5572f17325a0