FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:13611 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x556676d1e260 size 40 | libevent_malloc: new ptr-libevent@0x556676d1e290 size 40 | libevent_malloc: new ptr-libevent@0x556676d1f9f0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x556676d1f9b0 size 56 | libevent_malloc: new ptr-libevent@0x556676d1fa20 size 664 | libevent_malloc: new ptr-libevent@0x556676d1fcc0 size 24 | libevent_malloc: new ptr-libevent@0x556676cd9280 size 384 | libevent_malloc: new ptr-libevent@0x556676d1fce0 size 16 | libevent_malloc: new ptr-libevent@0x556676d1fd00 size 40 | libevent_malloc: new ptr-libevent@0x556676d1fd30 size 48 | libevent_realloc: new ptr-libevent@0x556676d1fd70 size 256 | libevent_malloc: new ptr-libevent@0x556676d1fe80 size 16 | libevent_free: release ptr-libevent@0x556676d1f9b0 | libevent initialized | libevent_realloc: new ptr-libevent@0x556676d1fea0 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 started thread for crypto helper 1 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 2 started thread for crypto helper 3 | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | starting up helper thread 4 | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 2 waiting (nothing to do) started thread for crypto helper 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 1 waiting (nothing to do) | starting up helper thread 5 | crypto helper 4 waiting (nothing to do) started thread for crypto helper 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | checking IKEv1 state table | crypto helper 3 waiting (nothing to do) | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | status value returned by setting the priority of this thread (crypto helper 6) 22 | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | crypto helper 6 waiting (nothing to do) | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x556676d2a690 | libevent_malloc: new ptr-libevent@0x556676d31760 size 128 | libevent_malloc: new ptr-libevent@0x556676d2a5f0 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x556676d24b40 | libevent_malloc: new ptr-libevent@0x556676d317f0 size 128 | libevent_malloc: new ptr-libevent@0x556676d2a5d0 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x556676d24900 | libevent_malloc: new ptr-libevent@0x556676d3bd70 size 128 | libevent_malloc: new ptr-libevent@0x556676d3be00 size 16 | libevent_realloc: new ptr-libevent@0x556676d3be20 size 256 | libevent_malloc: new ptr-libevent@0x556676d3bf30 size 8 | libevent_realloc: new ptr-libevent@0x556676d30a60 size 144 | libevent_malloc: new ptr-libevent@0x556676d3bf50 size 152 | libevent_malloc: new ptr-libevent@0x556676d3bff0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x556676d3c010 size 8 | libevent_malloc: new ptr-libevent@0x556676d3c030 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x556676d3c0d0 size 8 | libevent_malloc: new ptr-libevent@0x556676d3c0f0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x556676d3c190 size 8 | libevent_realloc: release ptr-libevent@0x556676d30a60 | libevent_realloc: new ptr-libevent@0x556676d3c1b0 size 256 | libevent_malloc: new ptr-libevent@0x556676d30a60 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:13687) using fork+execve | forked child 13687 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.1.3.209 Kernel supports NIC esp-hw-offload adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.1.3.209:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.1.3.209:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x556676d249e0 | libevent_malloc: new ptr-libevent@0x556676d3c4b0 size 128 | libevent_malloc: new ptr-libevent@0x556676d3c540 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x556676d25a00 | libevent_malloc: new ptr-libevent@0x556676d3c560 size 128 | libevent_malloc: new ptr-libevent@0x556676d3c5f0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x556676d3c610 | libevent_malloc: new ptr-libevent@0x556676d3c650 size 128 | libevent_malloc: new ptr-libevent@0x556676d3c6e0 size 16 | setup callback for interface eth0 192.1.3.209:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x556676d3c700 | libevent_malloc: new ptr-libevent@0x556676d3c740 size 128 | libevent_malloc: new ptr-libevent@0x556676d3c7d0 size 16 | setup callback for interface eth0 192.1.3.209:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2 | computed rsa CKAID 59 b0 ef 45 loaded private key for keyid: PKK_RSA:AQPHFfpyJ | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.364 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.1.3.209 | no interfaces to sort | libevent_free: release ptr-libevent@0x556676d3c4b0 | free_event_entry: release EVENT_NULL-pe@0x556676d249e0 | add_fd_read_event_handler: new ethX-pe@0x556676d249e0 | libevent_malloc: new ptr-libevent@0x556676d3c4b0 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 20 | libevent_free: release ptr-libevent@0x556676d3c560 | free_event_entry: release EVENT_NULL-pe@0x556676d25a00 | add_fd_read_event_handler: new ethX-pe@0x556676d25a00 | libevent_malloc: new ptr-libevent@0x556676d3c560 size 128 | setup callback for interface lo 127.0.0.1:500 fd 19 | libevent_free: release ptr-libevent@0x556676d3c650 | free_event_entry: release EVENT_NULL-pe@0x556676d3c610 | add_fd_read_event_handler: new ethX-pe@0x556676d3c610 | libevent_malloc: new ptr-libevent@0x556676d3c650 size 128 | setup callback for interface eth0 192.1.3.209:4500 fd 18 | libevent_free: release ptr-libevent@0x556676d3c740 | free_event_entry: release EVENT_NULL-pe@0x556676d3c700 | add_fd_read_event_handler: new ethX-pe@0x556676d3c700 | libevent_malloc: new ptr-libevent@0x556676d3c740 size 128 | setup callback for interface eth0 192.1.3.209:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2 | computed rsa CKAID 59 b0 ef 45 loaded private key for keyid: PKK_RSA:AQPHFfpyJ | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.294 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 13687 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0145 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection modecfg-road-east with policy ENCRYPT+TUNNEL+PFS+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | ike (phase1) algorithm values: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536 | setting ID to ID_DER_ASN1_DN: 'E=user-road@testing.libreswan.org,CN=road.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading left certificate 'road' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e3b0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e380 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e290 | unreference key: 0x556676d3e790 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1-- | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loading right certificate 'east' pubkey | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e570 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e3b0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e380 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e290 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3cd00 | unreference key: 0x556676d41ec0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | warning: no secret key loaded for right certificate with nickname east: NSS: cert private key not found | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.3.209:500 192.1.2.23:500 -> hp@(nil): none | new hp@0x556676d46fa0 added connection description "modecfg-road-east" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.1.3.209[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org,+MC+XC+S=C]---192.1.3.254...192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org,MS+XS+S=C]===0.0.0.0/0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 2.24 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | dup_any(fd@16) -> fd@21 (in whack_process() at rcv_whack.c:590) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "modecfg-road-east" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'modecfg-road-east' +POLICY_UP | dup_any(fd@21) -> fd@22 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | creating state object #1 at 0x556676d48380 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | suspend processing: connection "modecfg-road-east" (in main_outI1() at ikev1_main.c:118) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:118) | parent state #1: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) | dup_any(fd@22) -> fd@23 (in main_outI1() at ikev1_main.c:123) | Queuing pending IPsec SA negotiating with 192.1.2.23 "modecfg-road-east" IKE SA #1 "modecfg-road-east" "modecfg-road-east" #1: initiating Main Mode | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x556676d47e60 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 2 (0x2) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 72 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 84 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 244 | sending 244 bytes for reply packet for main_outI1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 58 c3 42 63 35 b8 ec 66 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 54 | 00 00 00 01 00 00 00 01 00 00 00 48 00 01 00 02 | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 0e | 00 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d41e80 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | #1 STATE_MAIN_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.404359 | #1 spent 0.68 milliseconds in main_outI1() | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:228) | resume processing: connection "modecfg-road-east" (in main_outI1() at ikev1_main.c:228) | stop processing: connection "modecfg-road-east" (in initiate_a_connection() at initiate.c:349) | close_any(fd@21) (in initiate_connection() at initiate.c:372) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.719 milliseconds in whack | spent 0.00236 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 152 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 01 10 02 00 00 00 00 00 00 00 00 98 0d 00 00 34 | 00 00 00 01 00 00 00 01 00 00 00 28 00 01 00 01 | 00 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 0e | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 00 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 152 (0x98) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_I1 (find_state_ikev1_init) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 52 (0x34) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [XAUTH] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | OAKLEY proposal verified; matching alg_info found | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | adding outI2 KE work-order 1 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d41e80 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x556676d41e80 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2624) | crypto helper 0 resuming | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.125 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.282 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.000854 seconds | (#1) spent 0.861 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fde80006900 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x556675316630 | main_inR1_outI2_continue for #1: calculated ke+nonce, sending I2 | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 31 68 d8 c4 22 9f ee 20 85 a7 f5 6e 63 33 dd a4 | keyex value 4c 0c 10 38 9f 70 1c 4c 52 1c e9 51 44 62 17 30 | keyex value 61 d3 fc 29 0c 9b 48 59 86 64 e0 15 6f d2 fe e4 | keyex value db 3b 15 28 d0 2a c8 f3 b7 ad 83 7c 1f 3c 95 7e | keyex value 57 6a 75 56 a4 99 4d 35 67 4f d9 fc 90 04 fe 9f | keyex value 73 62 8d aa 81 b7 9d 0c 83 b4 cc 8a 86 3f cb 55 | keyex value e0 46 39 f8 84 63 f5 e4 12 f7 3f 67 82 36 2d 63 | keyex value 41 ae 86 e4 f4 9c df 23 81 59 3e 4e 41 2a 54 9e | keyex value 81 04 c6 41 81 69 c5 42 23 dd d0 26 ab 35 dd 32 | keyex value 2c 62 e4 7d 38 ae ff 58 25 c8 1f e1 4d 24 c5 bf | keyex value dc b1 e9 8b 35 78 be 97 1a 3b 9c 78 9c 76 4f e8 | keyex value 46 47 f3 44 38 f7 78 67 ec 82 01 1c 0e bf 3b 9d | keyex value 56 9f 86 90 b5 4b 9f 61 e1 02 e3 b6 03 c9 45 bf | keyex value d5 31 f5 95 b5 88 31 72 27 8b 63 22 29 fa d7 43 | keyex value f5 43 dc da ed f5 7b 8d 2d 3c 47 d8 5b c1 6e 39 | keyex value 7e b2 df 43 d8 34 e0 65 fe 34 8c bc 0c a1 a2 55 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 5f 25 16 b8 65 c5 c0 70 73 06 81 f8 7b a0 8c 26 | Ni 84 6e 3d 4f 9a b0 3a 2b 7b 28 20 28 15 99 15 89 | emitting length of ISAKMP Nonce Payload: 36 | NAT-T checking st_nat_traversal | NAT-T found (implies NAT_T_WITH_NATD) | sending NAT-D payloads | natd_hash: hasher=0x5566753ec7a0(20) | natd_hash: icookie= 58 c3 42 63 35 b8 ec 66 | natd_hash: rcookie= 2b 0f c0 d2 e5 70 a7 b4 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 46 1a 26 1f | natd_hash: hash= 60 0f ef 1f | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 46 1a 26 1f | NAT-D 60 0f ef 1f | emitting length of ISAKMP NAT-D Payload: 24 | natd_hash: hasher=0x5566753ec7a0(20) | natd_hash: icookie= 58 c3 42 63 35 b8 ec 66 | natd_hash: rcookie= 2b 0f c0 d2 e5 70 a7 b4 | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= 17 94 ea 06 01 20 b3 47 92 c6 0a 8d 10 e5 45 fa | natd_hash: hash= c8 e9 5c 04 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 17 94 ea 06 01 20 b3 47 92 c6 0a 8d 10 e5 45 fa | NAT-D c8 e9 5c 04 | emitting length of ISAKMP NAT-D Payload: 24 | no IKEv1 message padding required | emitting length of ISAKMP Message: 372 | State DB: re-hashing IKEv1 state #1 IKE SPIi and SPI[ir] | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 | parent state #1: MAIN_I1(half-open IKE SA) => MAIN_I2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x556676d41e80 | sending reply packet to 192.1.2.23:500 (from 192.1.3.209:500) | sending 372 bytes for STATE_MAIN_I1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #1) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 04 10 02 00 00 00 00 00 00 00 01 74 0a 00 01 04 | 31 68 d8 c4 22 9f ee 20 85 a7 f5 6e 63 33 dd a4 | 4c 0c 10 38 9f 70 1c 4c 52 1c e9 51 44 62 17 30 | 61 d3 fc 29 0c 9b 48 59 86 64 e0 15 6f d2 fe e4 | db 3b 15 28 d0 2a c8 f3 b7 ad 83 7c 1f 3c 95 7e | 57 6a 75 56 a4 99 4d 35 67 4f d9 fc 90 04 fe 9f | 73 62 8d aa 81 b7 9d 0c 83 b4 cc 8a 86 3f cb 55 | e0 46 39 f8 84 63 f5 e4 12 f7 3f 67 82 36 2d 63 | 41 ae 86 e4 f4 9c df 23 81 59 3e 4e 41 2a 54 9e | 81 04 c6 41 81 69 c5 42 23 dd d0 26 ab 35 dd 32 | 2c 62 e4 7d 38 ae ff 58 25 c8 1f e1 4d 24 c5 bf | dc b1 e9 8b 35 78 be 97 1a 3b 9c 78 9c 76 4f e8 | 46 47 f3 44 38 f7 78 67 ec 82 01 1c 0e bf 3b 9d | 56 9f 86 90 b5 4b 9f 61 e1 02 e3 b6 03 c9 45 bf | d5 31 f5 95 b5 88 31 72 27 8b 63 22 29 fa d7 43 | f5 43 dc da ed f5 7b 8d 2d 3c 47 d8 5b c1 6e 39 | 7e b2 df 43 d8 34 e0 65 fe 34 8c bc 0c a1 a2 55 | 14 00 00 24 5f 25 16 b8 65 c5 c0 70 73 06 81 f8 | 7b a0 8c 26 84 6e 3d 4f 9a b0 3a 2b 7b 28 20 28 | 15 99 15 89 14 00 00 18 c0 58 08 16 a3 ac f7 a1 | 80 d4 15 e1 46 1a 26 1f 60 0f ef 1f 00 00 00 18 | 17 94 ea 06 01 20 b3 47 92 c6 0a 8d 10 e5 45 fa | c8 e9 5c 04 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d41e80 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | #1 STATE_MAIN_I2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.406719 "modecfg-road-east" #1: STATE_MAIN_I2: sent MI2, expecting MR2 | XAUTH client is not yet authenticated | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.301 milliseconds in resume sending helper answer | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fde80006900 | spent 0.00223 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 552 bytes from 192.1.2.23:500 on eth0 (192.1.3.209:500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 04 10 02 00 00 00 00 00 00 00 02 28 0a 00 01 04 | 67 cc 26 ad 65 b1 d3 0e 78 15 6d b2 2f 36 d5 89 | 8a b0 1f ae ee a4 9d 53 1c 04 03 52 a9 9c 54 3f | c5 b2 d2 50 a2 82 02 8c c8 66 9a d3 48 3d 1f 59 | fe 66 56 11 3a 00 68 44 fb f5 af 94 49 08 24 66 | 7a 64 d6 30 ca 1e f6 fa 8b 0d 28 59 7f ca 73 30 | 58 b2 5f ca 10 bc 18 25 90 94 e2 1f cf 04 68 6e | 63 90 31 10 47 b1 ad 35 d9 9b e3 96 65 f1 10 73 | af 82 81 8d 44 88 20 e3 8b 17 4e 41 50 e9 59 55 | 81 fd a4 bf 82 98 44 40 2e 43 05 a5 5a 37 98 0b | 01 04 da 62 96 7e 88 92 04 63 ce e4 49 0e 58 ab | ff d5 21 ec a7 44 03 c1 02 8b f6 cc e0 c8 13 97 | a8 dd 17 12 36 d7 bf 66 ca ed 9c 3b 1c ec 2e d5 | dd 58 04 ba b7 59 8b f9 c6 e0 47 1d ea 76 20 d9 | 36 4c f9 f0 ae 02 df 1e b6 6d 29 6d 56 cf 0a 0c | fb f2 b0 af 7b 49 d7 f5 97 41 94 71 27 67 d4 e7 | 3c 21 6f 8e fa 3a 8c 36 a1 b9 1e 36 ef c4 48 06 | 07 00 00 24 53 12 ea 3a 7d c4 e3 f6 0b 05 82 84 | 29 0b 15 46 7b b1 75 a9 6a c1 28 8b 2f a6 52 f1 | 8b e1 73 9f 14 00 00 b4 04 30 81 ac 31 0b 30 09 | 06 03 55 04 06 13 02 43 41 31 10 30 0e 06 03 55 | 04 08 0c 07 4f 6e 74 61 72 69 6f 31 10 30 0e 06 | 03 55 04 07 0c 07 54 6f 72 6f 6e 74 6f 31 12 30 | 10 06 03 55 04 0a 0c 09 4c 69 62 72 65 73 77 61 | 6e 31 18 30 16 06 03 55 04 0b 0c 0f 54 65 73 74 | 20 44 65 70 61 72 74 6d 65 6e 74 31 25 30 23 06 | 03 55 04 03 0c 1c 4c 69 62 72 65 73 77 61 6e 20 | 74 65 73 74 20 43 41 20 66 6f 72 20 6d 61 69 6e | 63 61 31 24 30 22 06 09 2a 86 48 86 f7 0d 01 09 | 01 16 15 74 65 73 74 69 6e 67 40 6c 69 62 72 65 | 73 77 61 6e 2e 6f 72 67 14 00 00 18 7e 1d 4b bd | 1d ae 98 f0 89 e5 ca 61 8f bd 0c b4 f2 02 b0 9d | 00 00 00 18 c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 | 46 1a 26 1f 60 0f ef 1f | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 552 (0x228) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I2 (find_state_ikev1) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | length: 36 (0x24) | got payload 0x80 (ISAKMP_NEXT_CR) needed: 0x0 opt: 0x102080 | ***parse ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 180 (0xb4) | cert type: CERT_X509_SIGNATURE (0x4) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 24 (0x18) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 24 (0x18) | message 'main_inR2_outI3' HASH payload not checked early | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d41e80 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x556676d41e80 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | crypto helper 2 resuming | #1 is busy; has a suspended MD | crypto helper 2 starting work-order 2 for state #1 | #1 spent 0.0736 milliseconds in process_packet_tail() | crypto helper 2 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.225 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.001095 seconds | (#1) spent 1.1 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 2 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 2 | calling continuation function 0x556675316630 | main_inR2_outI3_cryptotail for #1: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | CR 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | CR 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | CR 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | CR 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | CR 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | CR 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | CR 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | CR 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | CR 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | CR 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | CR 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 | requested CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_X509_SIGNATURE | sendcert: CERT_ALWAYSSEND and I did get a certificate request | so send cert. | I am sending a certificate request | I will NOT send an initial contact payload | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x5566753ec7a0(20) | natd_hash: icookie= 58 c3 42 63 35 b8 ec 66 | natd_hash: rcookie= 2b 0f c0 d2 e5 70 a7 b4 | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= 17 94 ea 06 01 20 b3 47 92 c6 0a 8d 10 e5 45 fa | natd_hash: hash= c8 e9 5c 04 | natd_hash: hasher=0x5566753ec7a0(20) | natd_hash: icookie= 58 c3 42 63 35 b8 ec 66 | natd_hash: rcookie= 2b 0f c0 d2 e5 70 a7 b4 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 46 1a 26 1f | natd_hash: hash= 60 0f ef 1f | expected NAT-D(me): 17 94 ea 06 01 20 b3 47 92 c6 0a 8d 10 e5 45 fa | expected NAT-D(me): c8 e9 5c 04 | expected NAT-D(him): | c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 46 1a 26 1f | 60 0f ef 1f | received NAT-D: 7e 1d 4b bd 1d ae 98 f0 89 e5 ca 61 8f bd 0c b4 | received NAT-D: f2 02 b0 9d | received NAT-D: c0 58 08 16 a3 ac f7 a1 80 d4 15 e1 46 1a 26 1f | received NAT-D: 60 0f ef 1f | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_CERT (0x6) | ID type: ID_DER_ASN1_DN (0x9) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 6:ISAKMP_NEXT_CERT | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | my identity 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | my identity 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | my identity 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | my identity 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | my identity 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | my identity 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72 6f 61 | my identity 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | my identity 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72 6f 61 | my identity 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | my identity 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Identification Payload (IPsec DOI): 191 "modecfg-road-east" #1: I am sending my cert | ***emit ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_CR (0x7) | cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate Payload'.'next payload type' value 7:ISAKMP_NEXT_CR | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Certificate Payload (6:ISAKMP_NEXT_CERT) | next payload chain: saving location 'ISAKMP Certificate Payload'.'next payload type' in 'reply packet' | emitting 1224 raw bytes of CERT into ISAKMP Certificate Payload | CERT 30 82 04 c4 30 82 04 2d a0 03 02 01 02 02 01 05 | CERT 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 | CERT 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 31 | CERT 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 69 | CERT 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 6f | CERT 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c 69 | CERT 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 0b | CERT 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 6e | CERT 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 72 | CERT 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 6f | CERT 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a 86 | CERT 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e 67 | CERT 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 22 | CERT 18 0f 32 30 31 39 30 39 31 35 31 39 34 34 35 39 | CERT 5a 18 0f 32 30 32 32 30 39 31 34 31 39 34 34 35 | CERT 39 5a 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 | CERT 43 41 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 | CERT 61 72 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 | CERT 6f 72 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c | CERT 09 4c 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 | CERT 55 04 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 | CERT 6d 65 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 72 | CERT 6f 61 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a | CERT 86 48 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 72 | CERT 6f 61 64 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 30 82 01 a2 30 0d 06 | CERT 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 82 01 8f | CERT 00 30 82 01 8a 02 82 01 81 00 aa a3 11 32 ef 77 | CERT 46 01 b5 ee 57 1d 61 fa 91 8d 78 a8 03 4b e5 df | CERT a7 08 56 02 30 6d 5d 62 0c 0b 23 e0 6d ec a4 87 | CERT 09 62 a4 38 c2 f3 a1 26 03 19 4c 31 eb 50 c5 bd | CERT 53 4c e1 91 e3 75 bd 32 48 47 a9 3f bc c1 d9 42 | CERT 7e 92 ef 03 3c 28 35 0b c9 ee 30 ec 71 63 b0 3e | CERT e9 8d 0e e9 ff d3 02 36 76 42 b1 b2 df 55 9c ce | CERT 28 1a 0f 56 1a 5d 89 03 d0 e1 04 ad 7b ad e0 b4 | CERT 8e 36 df 0b be 9d 1b bd fd 46 c5 fb 2c 67 ab 73 | CERT ca e2 6b f0 a7 15 6c 5a 83 05 63 36 84 da cd 96 | CERT 7a fc 30 e2 18 ce 01 20 45 91 45 bc 34 67 3e 24 | CERT 06 ac ae a7 06 7c 54 f2 98 fe 3b 07 5d b9 32 06 | CERT ab 7b f2 1b 2d c1 b0 06 8e 86 3a ac 8f 44 69 58 | CERT 00 7d ac c9 e5 5c fc 2c 6d 7b e3 f3 35 7e 8e 4d | CERT 94 6a 6d 36 7f bc 95 c0 a8 31 41 f1 cd f3 b0 f4 | CERT 48 fc ff 1a 17 5d a3 c6 5f e9 30 f0 15 e8 a6 4b | CERT de e7 d9 2c 17 2f 03 78 2e d8 0f 39 1a 37 b1 92 | CERT 16 d3 6a 3d 98 9c ef 3b 97 89 8a d4 e7 0d d5 65 | CERT 73 46 c8 b4 10 cf 04 c1 b8 3e 0d d4 b1 21 9d 0f | CERT e6 5b c0 28 9e c4 a9 54 cc 6b 8a cf 05 23 d7 5c | CERT 76 e8 c5 b3 c3 a0 f8 11 9b 33 f7 be 02 46 82 08 | CERT e8 2f 15 b5 7f 7d 20 8a e2 2c e2 7a 16 ef 7a 6a | CERT ab 4a d2 cd 70 9f dd eb 3c fe e5 0b 3f 35 d7 e4 | CERT 49 55 bd 64 5c 8a be c8 d0 3d d9 ef 61 79 6c 0c | CERT 4d 63 fc 07 1e 0b cb 35 ff 67 02 03 01 00 01 a3 | CERT 81 e3 30 81 e0 30 09 06 03 55 1d 13 04 02 30 00 | CERT 30 25 06 03 55 1d 11 04 1e 30 1c 82 1a 72 6f 61 | CERT 64 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | CERT 77 61 6e 2e 6f 72 67 30 0b 06 03 55 1d 0f 04 04 | CERT 03 02 07 80 30 1d 06 03 55 1d 25 04 16 30 14 06 | CERT 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 05 | CERT 07 03 02 30 41 06 08 2b 06 01 05 05 07 01 01 04 | CERT 35 30 33 30 31 06 08 2b 06 01 05 05 07 30 01 86 | CERT 25 68 74 74 70 3a 2f 2f 6e 69 63 2e 74 65 73 74 | CERT 69 6e 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 | CERT 67 3a 32 35 36 30 30 3d 06 03 55 1d 1f 04 36 30 | CERT 34 30 32 a0 30 a0 2e 86 2c 68 74 74 70 3a 2f 2f | CERT 6e 69 63 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 | CERT 65 73 77 61 6e 2e 6f 72 67 2f 72 65 76 6f 6b 65 | CERT 64 2e 63 72 6c 30 0d 06 09 2a 86 48 86 f7 0d 01 | CERT 01 0b 05 00 03 81 81 00 54 b5 6f 69 2c bf a0 8e | CERT d5 3e da 46 11 21 59 98 cf f7 41 fa 7b 38 05 03 | CERT 0e c0 ef ef 91 e8 f4 e2 87 d9 4e d8 a0 18 74 64 | CERT 71 44 3b 9d 57 86 56 7f 62 5e 48 0f 9d 64 e2 5e | CERT b8 f9 e8 a2 14 bc 7f 3d 26 20 03 85 5a 6e 44 cb | CERT 15 e7 74 21 11 6b d1 85 c7 93 9d 1a c0 22 7e 71 | CERT fb c9 58 8a 04 85 f5 cf 3d 62 1a ce 6e 05 ac b3 | CERT 0c dc 15 61 94 11 f6 48 6b cb eb 4c 91 bc 5a 73 | CERT 15 52 a7 08 39 59 1b 13 | emitting length of ISAKMP Certificate Payload: 1229 "modecfg-road-east" #1: I am sending a certificate request | ***emit ISAKMP Certificate RequestPayload: | next payload type: ISAKMP_NEXT_SIG (0x9) | cert type: CERT_X509_SIGNATURE (0x4) | next payload chain: ignoring supplied 'ISAKMP Certificate RequestPayload'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Certificate Payload'.'next payload type' to current ISAKMP Certificate RequestPayload (7:ISAKMP_NEXT_CR) | next payload chain: saving location 'ISAKMP Certificate RequestPayload'.'next payload type' in 'reply packet' | emitting 175 raw bytes of CA into ISAKMP Certificate RequestPayload | CA 30 81 ac 31 0b 30 09 06 03 55 04 06 13 02 43 41 | CA 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | CA 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | CA 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | CA 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | CA 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | CA 6e 74 31 25 30 23 06 03 55 04 03 0c 1c 4c 69 62 | CA 72 65 73 77 61 6e 20 74 65 73 74 20 43 41 20 66 | CA 6f 72 20 6d 61 69 6e 63 61 31 24 30 22 06 09 2a | CA 86 48 86 f7 0d 01 09 01 16 15 74 65 73 74 69 6e | CA 67 40 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 | emitting length of ISAKMP Certificate RequestPayload: 180 | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org of kind PKK_RSA | searching for certificate PKK_RSA:AwEAAaqjE vs PKK_RSA:AwEAAaqjE | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Certificate RequestPayload'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 384 raw bytes of SIG_I into ISAKMP Signature Payload | SIG_I 16 f6 ea b4 15 09 ee b1 4c d1 2b 02 a5 f3 37 e1 | SIG_I 5c c0 be 0c b6 2e a0 02 dc 2c 6d dd 51 16 39 97 | SIG_I 3a 18 c6 78 b0 e7 76 3a ad 50 2d 98 ed 6b e1 9c | SIG_I 4a 08 7d 8d 7f 98 95 c8 db 14 17 b5 a2 2e bc 14 | SIG_I be ea ee 3c 30 8c ac 11 72 4c 1f 7c b8 e6 b4 c7 | SIG_I 04 30 1a b0 3a 41 95 64 26 4a b3 51 68 9f d0 17 | SIG_I a3 c5 1d 26 9d e4 18 e8 02 9b 57 05 1c cf da 2a | SIG_I b4 5f f5 6d 73 13 9c df e8 a3 9f ec f3 82 c8 44 | SIG_I df 86 af c5 8c 9f 9f 29 62 04 1a f7 98 d4 a6 e5 | SIG_I 9f 5e 2d 8c 36 76 08 7d 5f fa 68 cb 58 d7 bb 57 | SIG_I 29 42 86 3e 3a ff 59 2d 52 b4 9b ad 21 28 42 dc | SIG_I 16 11 9a f2 c4 cb 1c 54 0e 82 f6 a8 04 c6 d3 15 | SIG_I 96 39 b3 f4 81 ca e7 bf 70 0a df 4e 7f 23 2c e3 | SIG_I a2 5a 2e a2 bd bb 74 1b c4 94 77 7e 42 7f 8d 4a | SIG_I 84 58 d3 c8 d4 45 5c 69 8f 77 bd c0 c0 e6 15 37 | SIG_I 78 ae db 90 22 81 bc 9f 3d 0d 9f 8f 79 30 c0 69 | SIG_I 57 bf c2 36 db fd bc 69 29 dd 7f 07 f9 48 c8 01 | SIG_I 21 e9 06 9f e6 9d 61 47 98 b5 b2 b1 7a 85 1f 5e | SIG_I 99 7c 81 96 6e 27 34 76 70 82 42 ff 36 f3 7b dd | SIG_I f6 2b 10 32 6a cf 2c 85 0a 95 c8 10 fb 6c 50 8e | SIG_I a4 5e aa cc dd 09 a4 5e aa 88 99 ba 49 ef 29 69 | SIG_I c7 e0 54 6a 56 11 8b d1 e8 71 4f 07 36 9e 33 1e | SIG_I 2c 4b b1 1b fb 8b 1c 41 8d 75 35 70 bb 5c 67 0c | SIG_I 2e f8 f3 73 e8 ee 72 23 b2 61 16 e9 65 1d 9c 55 | emitting length of ISAKMP Signature Payload: 388 | Not sending INITIAL_CONTACT | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 2020 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 | parent state #1: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x556676d41e80 | NAT-T: #1 in MAIN_I3 floating IKEv1 ports to PLUTO_NAT_PORT 4500 | NAT: #1 floating local endpoint from 192.1.3.209:500 to 192.1.3.209:4500 using pluto_nat_port (in complete_v1_state_transition() at ikev1.c:2767) | NAT: #1 floating endpoint ended up on interface eth0 192.1.3.209:4500 | NAT-T: #1 floating remote port from 500 to 4500 using pluto_nat_port (in complete_v1_state_transition() at ikev1.c:2767) | sending reply packet to 192.1.2.23:4500 (from 192.1.3.209:4500) | sending 2024 bytes for STATE_MAIN_I2 through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 05 10 02 01 00 00 00 00 00 00 07 e4 | 01 c0 bd 3e 99 7d e1 bc da ca bd 5f f1 b7 0e 05 | 56 45 46 7e a7 40 b5 ae d5 de 29 a1 78 83 5b 6c | e6 c9 31 c2 04 38 6f ea 60 5e df 57 0c 24 13 a8 | d6 4d 04 2d 93 4c e9 0f d8 21 01 a6 48 83 0b 79 | a7 4c ef 8f 98 8a 58 16 68 43 3c 3e 8d 78 97 c3 | 0a cc 8a e2 8c 3f c9 34 71 90 d6 2a f1 41 39 ad | 2f 80 5d 1c d0 a1 ef 0a 51 3e a8 1b 82 97 24 36 | fb 38 34 ac 5c b6 be 32 10 50 49 78 1a 8e 79 2b | 15 aa ec 7a 47 45 ba 99 73 0f b6 e9 5d f7 9d 61 | 10 f0 75 5e a8 5b 84 b7 6b 66 c9 ef 35 26 37 5f | 4a 24 9d ba 1d de 3e 1d ea 54 78 9d 63 56 1b 26 | 45 ac 0d 84 4b 70 18 61 56 4b c5 5e 6f 05 3e 83 | c5 44 b2 27 0c 4e 9f e5 66 d8 c4 4c 92 1a 65 14 | ff fe 63 c2 26 af 6d 15 f5 70 1b 4b 4e 9c 8d aa | b1 95 7a 75 3b bb d4 c4 81 92 36 3e c5 6c 81 57 | 34 a1 b5 01 fd 6b b4 15 f0 90 01 08 f2 b1 3c 07 | d0 cc 87 cc 7f 07 3d 9a b6 56 0c ad e0 75 14 f7 | c5 62 8a 2c 53 de 1b 2e d2 b7 6a ee 2c 2c 9f e9 | aa 9e b4 de ec 9d 42 47 07 70 63 7a 62 88 2c d9 | 07 ff a4 a6 e6 b5 9a eb 86 75 a8 05 32 c4 98 e4 | cb 79 64 72 08 ea 5c 7b 51 dc 35 dd 31 d5 b6 c4 | b0 d8 a1 8b a3 db 20 31 b8 36 e7 4b ac 60 9e 43 | 96 51 f2 46 4b e4 3d 63 de 2f 0e 89 57 7e 4a 36 | ee 81 1e ab 9a 9e 3e 7a e3 e8 6f 7d 85 39 eb 65 | 86 61 98 a7 b0 1d a6 25 b8 a2 bb cc 27 c2 65 29 | 39 21 d9 64 08 2e 03 c1 a6 13 a6 b7 a7 76 46 00 | bd 50 50 95 5e b3 4d 88 7f a6 51 39 94 72 79 1e | cd 88 55 e5 06 ac 46 19 91 af 56 ad b2 eb 5f ea | 7a 05 f7 de 9b f7 d6 cd 72 95 1c 8e 47 ed 4d 77 | bb 3a 05 a1 72 82 f1 f6 dc e4 20 31 d7 c4 77 ae | 37 17 36 82 a8 e6 02 2c 2a 56 ca 9d 2b 48 67 57 | eb 24 c2 45 1d 9a 55 76 e6 a8 58 e8 9b 53 e8 17 | b0 7e d2 d3 93 8a a8 52 76 8d fd b7 a3 b6 68 46 | f2 c8 e3 0d 70 3f e6 b1 df 0d c5 5e aa 03 f6 14 | 3d 3a 51 6b f2 8f 2b 80 29 ed 0a a9 0e ea 83 10 | f7 fd 1d 66 13 09 3d 49 45 af b3 e7 4a 9d d6 d8 | 6e 66 ee 93 16 a0 2b d6 42 1b ac b1 e4 0f 58 ef | b0 98 2d db 17 db 5d 59 e1 30 49 a2 b2 74 5f aa | fa 4c 51 41 ba fa 56 6c bb ec 91 b5 ad f2 ab 6f | e5 e9 8c 64 6c 2e f0 5c 8b 07 41 29 77 77 2e 2b | 9e 1a 13 08 68 d3 60 7d a3 d1 e1 66 b0 8d c0 b0 | e9 03 4e 37 39 64 49 b0 b0 4a c5 35 2d e3 a3 2f | 8e 23 5c ea c8 84 fd 39 54 fc c9 bd b8 08 dc 81 | ba 56 9a 53 a0 61 91 00 74 e9 bd 38 db a3 d2 3a | ce 92 83 c9 99 99 1a 15 4c b7 86 6c c7 13 76 a0 | 73 6a 75 05 0c 38 bb b3 4f 55 0d 45 37 64 b6 ae | b1 a4 47 0c 69 97 44 a6 2c 02 0a 87 5b 71 c5 09 | df c4 87 30 4e a5 39 70 03 d6 ba 63 ed 5b 7c ae | 7c 93 d3 d4 88 52 69 58 6c a2 05 8b 75 69 71 49 | 01 24 41 ea cf 13 ab 3b f5 fc 8a 0b c4 d6 70 e5 | 4e d1 aa 0a 9e 1c e0 b8 2b 90 54 d2 3e 6c 8e e9 | 6b 23 da 94 03 4c 8c 68 fb d8 ff 8f 32 88 c1 42 | 59 21 e4 80 be 83 8c 8b 2c da db f1 42 a9 9b 32 | 49 95 3e 13 37 0b 82 b5 93 5c f9 14 d8 75 b8 4f | 86 57 3f b8 25 c2 94 c6 ee 27 03 08 b4 8e 8e 77 | aa 67 a8 4c e7 79 09 50 51 dd 50 8c fb 79 e3 85 | 90 70 a4 f8 68 f9 5a a2 01 24 97 29 d7 b2 35 f0 | fa 3b 32 3e 88 b9 6c e5 88 66 7d 46 7c 77 72 71 | a2 8c 64 80 bf ae fa 1f 88 0a 9b c8 e1 13 84 c9 | f1 20 e1 52 e8 7b a5 66 e4 cd 0a 21 05 c3 8a 2c | 23 11 cd ed 40 81 52 a8 03 08 41 20 b4 7e b0 71 | b2 4d a0 fd 0c 89 60 8f 47 ad 5d 8c 35 59 ea f4 | 28 ea ef ad a6 2e 7f 31 a7 ee e2 1e f2 ab 82 df | 49 16 a3 ec 19 2d ed 80 23 b4 d9 3a d7 e1 c6 82 | 21 e5 84 a3 a4 0b d7 28 3f 26 81 38 ed 5f 48 2e | 3a 21 82 10 a7 ea e5 64 98 91 c2 96 98 ca b5 14 | 51 e6 42 31 e1 fe e6 e5 19 25 13 46 90 da 14 47 | 61 ff 13 c3 09 fc f6 17 a9 9a 11 3a c0 f1 19 4a | b4 10 bd b4 4d 7e b3 51 2a ec 5b a7 2c 9a b9 ac | a8 5c 35 2b 78 b4 f3 53 43 f9 af ba 4f 52 61 47 | 19 a8 1b de a1 be b8 ad 4b d5 62 42 32 ea ff 01 | 11 41 e5 c7 bc a2 14 04 b0 d6 21 66 9c 20 c9 a8 | f0 37 a0 73 fe 1a 14 4d 2f 40 fd cc 7d 38 e0 32 | c5 42 c9 bd 28 8b 51 18 bb fe ba 31 fa cf 92 76 | 12 cf d3 0e 6d dc ae fa a6 84 92 7c ee a1 d8 39 | 3a 97 0c 18 51 c3 f9 e1 be ff 71 b2 60 da 1e 4c | a5 6d 53 c9 e7 2c 10 a0 d2 73 33 9e 0e a6 ee 68 | c7 26 93 87 87 45 e8 be 7d 1d a5 eb 78 46 c5 6c | 64 77 55 a0 9d 6c f4 f0 95 5c 21 7e 9e 4d 47 0a | 7c 58 fe a3 57 71 8d 69 df 89 c1 44 7c 1a b7 84 | 98 4f 1d 29 a1 77 71 3c d4 38 30 ec 82 33 08 bf | 56 e2 d9 63 fa d8 6c ea 10 6e 62 18 50 16 41 bf | b2 e6 11 79 fc ef c1 00 f4 e6 2c 9b 32 a4 f1 84 | ac 17 ca fa cc 9f c4 52 35 b9 3b 7e d3 c7 c3 a7 | 75 af 69 96 b5 4b 44 70 39 3f 1b 05 ee c1 61 43 | 30 9a e1 aa e7 07 41 fe 99 8e ec aa 9c 2e 6f 31 | 8a cd ff 74 e2 3b d1 c2 6f 53 3d d2 32 e0 7c 94 | 60 14 40 6c 52 fe 46 4e b4 04 eb c1 f3 df f4 05 | 70 29 cf 4b 2f cd f3 1e 9b d6 2a a1 50 f4 5d a2 | b1 2a e2 79 49 44 8b fd 82 7e ae 8f 8a 69 32 6b | 29 7e fe b1 6c 28 77 6e cb 94 33 30 8f ae 0b 34 | 92 4c 02 e1 69 28 2e 71 af 39 63 b0 23 7b ef 8c | 80 04 4d ad a2 c5 81 4d c0 b0 5e e7 64 d6 27 3b | 0c fc fe 33 e1 4b 8a fc 9a 79 05 ca e2 46 cb 83 | f5 b6 69 8f 07 68 8b 8d 2f 2f 49 1c b8 89 3e 0e | 92 4f 60 16 ef 48 dc a7 3f 74 38 9d 52 b6 7c 8c | 44 ff 05 33 af 67 07 81 61 0a 4f 5e 40 7d 7f 37 | d6 91 2d 7c c3 7e 61 cd 21 c7 b9 25 0c 8d 9e 48 | 75 0c bd 76 f4 ac 45 fe e5 a0 91 18 0e ed ed e4 | c7 31 59 4b 12 78 40 a6 9e 1a 12 c3 a9 76 e7 6f | 50 da 88 75 f8 fd ae 2c 9d 61 24 8f d4 d0 95 26 | 9a 42 1d 93 e1 73 51 36 bb 41 5c 78 e1 68 65 f1 | 7a 3f e7 58 a7 b1 d4 7a fe f8 7e e3 c7 c9 65 0b | 2c 19 6c 12 91 61 20 5a 45 6e 59 32 9e f4 64 de | e7 bf 94 d4 35 33 95 d6 91 2f 34 04 ff f0 1e c7 | 75 e6 7f 71 9e bc d4 f3 1c dc fc d2 c3 3a 21 87 | 70 8e 81 10 10 d4 59 8e e9 f7 6f 7a 97 55 fa 96 | 0e c5 be 35 a8 32 cd 8f 5b 17 07 18 c3 fc 8c 8b | ef 4f 6e 4b 14 fb 81 1f cd 7a ff c8 1a b2 5a 9d | c8 89 b3 82 b4 f9 21 3a 05 05 cc 67 3b b7 2f 9a | 10 c9 e7 3a 56 a1 de 9f bc d4 f6 e2 f5 4d fb 65 | ca 62 57 98 d5 ca 66 9b 08 69 26 12 95 b6 ef 29 | ff d3 89 49 8f 48 f3 2d 5e 59 ee d1 55 e9 0d 7a | 89 b0 65 bf 48 55 1a 2a f2 ca 37 ae 39 67 6f ec | c7 c3 79 90 41 a7 be 10 f4 a0 ac dc 98 35 c6 9e | e1 9b ac 7e 7c 37 f6 b8 49 02 50 8c 1b 08 dd c9 | 4a 00 ab ec e2 83 54 24 9d 8b bc 0d cb bd 56 34 | c2 28 7d c0 87 33 75 75 7b f2 1e db 7b 53 15 3f | 98 17 43 91 4c 23 31 94 f6 23 4d 9d 66 83 3b 9b | b3 37 98 4d 98 0b 95 c5 9b af fb a6 1b 41 c0 fa | 54 ae ce 5a 80 c4 96 a3 89 94 28 5c a5 b6 55 6e | 91 75 23 22 79 c7 20 82 f2 68 ef a8 ab 78 fe c5 | 8a 6f 34 eb a9 52 f2 e9 ca 17 f6 84 65 33 0d 66 | 53 59 af 2f c6 f4 98 af b0 91 aa a2 52 24 cf 5f | 9b 64 62 9b 6d f1 b8 0e | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d4cf70 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | #1 STATE_MAIN_I3: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.418389 "modecfg-road-east" #1: STATE_MAIN_I3: sent MI3, expecting MR3 | XAUTH client is not yet authenticated | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 8.42 milliseconds in resume sending helper answer | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fde7800b7e0 | spent 0.00365 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 1876 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 05 10 02 01 00 00 00 00 00 00 07 54 d4 4a 81 66 | f1 0a be 07 a2 13 ff 66 3e d7 bf 1c 26 f2 cf 5d | 46 bb 35 38 f7 26 f8 00 2f 46 17 62 28 34 3b 4a | 41 b8 43 2f 85 2b 75 7c 1e e8 e2 95 d7 ac a3 78 | 94 39 e8 31 b8 e7 64 16 df 7f a3 bf 73 0c 55 a9 | 2c dd 19 b5 05 af 9d 9e 1d b2 a7 79 ff 70 4c e4 | 0f 4a 4e 06 ad b8 86 cd 9b 2b 6b 32 d7 66 cb 73 | 71 cb e6 05 e9 23 00 b0 07 c2 fb 77 d9 9f ee cb | 9b 8a b8 19 28 1f 46 9e 25 85 9c 57 97 c8 09 4a | a5 da 23 77 47 d3 27 3f 79 75 7a e3 9a 51 c6 6f | a5 c3 2c b8 3e f1 e8 5f 75 8b f2 07 eb 03 8c 6b | af 0d 4e cb 0a cb 8e 16 82 cd 6a 08 f2 e3 57 6d | af 98 b6 5a eb 18 ae 59 29 63 9d f0 1d df 6c 74 | bc 80 75 d9 25 69 11 62 76 d0 4a 8c 35 bb fb 41 | 6c 84 ba a4 6f a5 3c 6a 05 76 9a 27 05 9e 37 07 | 86 2c b5 1e b5 11 37 0e 61 34 8e a8 a0 53 01 f0 | 0e ff 35 d8 04 94 54 7b d2 17 5d 69 0b 5c b6 b0 | 34 40 67 e7 35 96 a2 25 35 a3 1c 4d 8b 79 2c 9b | 08 71 41 a7 82 22 8e 05 9c ea bf 3b 26 a0 95 fc | a8 00 60 5c 20 93 42 3e 2d 02 57 fa 89 df d6 aa | ae cd 58 c4 25 76 30 f6 cd fb fd 51 59 9b 8c 8e | ff 08 72 af fd 53 a7 e3 9d 49 a3 7d b7 b8 98 c4 | 25 b3 01 26 90 4e 63 a4 2f 25 94 71 94 13 dd c3 | 61 95 e7 53 0d c4 f2 8a 75 bb 70 d3 8b ee f6 6f | 45 ca 10 72 c3 9b ea a8 d5 f6 4b dc 2b b4 ef 6d | ed 7b 8e 3a 1f 92 63 f2 69 41 df 7d ec 30 bd 9a | c5 0e 24 10 16 02 ca 2e e3 2b 16 fb 39 5b e9 73 | 01 a5 31 2a 2a 81 62 9c f9 26 43 7e 6d c7 e6 54 | 90 1b ec 53 26 90 d6 d5 b6 ef 51 00 2a d4 bc 24 | 38 e0 70 1c c1 76 62 6f dd d2 e5 5e 96 33 93 65 | ef 05 9f 13 3e 4e d6 6b e3 bc e0 cd 77 b9 4a 41 | b3 26 1d 5c e5 c4 50 6b 80 b2 f8 19 07 fb 66 3b | 1e e3 3f c7 1b 2e 96 eb cf 81 d9 48 cb 64 d4 b5 | 45 09 03 30 fc 62 17 3a 1f c8 96 40 15 6d cb a1 | 3d 3d 99 47 f8 79 4a 93 82 f5 f0 8a a3 70 54 cf | b3 ac 92 d9 64 30 3c 5c c8 37 7c 48 27 98 99 f5 | 3b 65 05 0a 55 66 b7 fa 92 84 a9 c5 e4 c7 1b bb | ed 53 c0 71 09 c0 88 73 04 b6 bb ca ac 8e 3b fd | 8c 65 3f 04 25 7b 01 01 7c 60 17 8b 23 b8 ff da | e5 f4 f3 06 cc e9 ee 84 20 c8 2e 13 e4 89 db 67 | bc 7f 42 93 42 40 76 0b 54 c8 ba 61 54 dd e8 2a | e6 8d ae 91 82 c3 df 1b 94 49 61 12 27 7a b8 52 | b1 79 e1 1b 68 72 2b 13 fc ac 47 93 3e 9b e5 a5 | 80 80 07 39 5e 8d f7 08 5b c9 5d 5f c2 78 98 58 | ca a6 93 75 70 e1 3c 76 be d0 00 14 de 16 80 ba | 0e fd 0a f0 d7 4e 32 ac 4b 96 fb 9f bc b7 9f 7a | 24 8b 79 c8 2c 2a 1a a5 42 22 35 13 2f 0a b0 8e | dd 70 63 43 84 fc 86 cf a6 b0 42 11 6a d1 1a a4 | c6 95 e8 14 d4 ef 68 38 ed 0b ee 7d ff 5c f5 a8 | ad 73 fe b0 cf 25 90 0c ba a7 e9 7b 46 d8 3d 80 | 24 80 2b 28 d7 40 07 d8 c6 65 31 14 38 6c 11 35 | a9 83 5a ed e8 cd a2 da a6 14 02 b9 ef c3 6e 27 | 1c 73 29 1b 70 bd d2 3a 8a 7d 4e 7c e9 14 da d6 | bf 1e 96 4e 56 c1 1d c8 19 f3 aa 0e 0e 01 d7 83 | 94 77 4d 57 cb 4a 8d 0e 07 7a 54 2a 19 8d 66 8b | ba 13 d7 86 35 fc 4a da 13 52 df fd e0 b5 8e 62 | 4b e9 e1 b8 01 98 ba 45 db 6b 59 57 94 c3 7d 1a | 54 5f cc 1d 04 24 98 d4 5b 03 d5 0c a0 65 5d 81 | 67 59 60 19 ff f0 01 a7 bd 9c 24 35 70 72 43 59 | 6b 5d bd 42 ad 83 d9 c4 7b e0 16 bd d3 9b 71 e9 | 11 45 a1 c5 b6 05 99 97 63 7a bb 2e 17 c9 10 c6 | dd 61 cc 3b 69 1d 9e 9c 74 e5 ca 6a 37 fe 07 86 | d6 d4 e8 25 33 57 76 a7 5a 77 ac 3f 57 3f 82 c6 | 13 7f c9 e0 07 bf 4b 65 22 f7 20 54 5f 44 b0 54 | 99 c1 75 e5 d4 cf ea be 1e cb fc 4a c7 58 6b 99 | 7e 5d 4e cc 39 08 a3 c7 3d d7 98 bd 60 03 02 c7 | 35 83 90 cb ba 2d b6 32 87 2f 01 e5 76 9d 27 60 | cd 38 2d 1b c3 32 85 f4 ef 2d 62 a5 b8 6a 3c 5a | 0c 7d e5 e8 a6 30 8d 1d 5b 2d d6 40 af 91 49 32 | cc 8f d9 d4 40 eb 1c 03 50 9c e0 52 95 c1 66 b9 | 77 b9 94 a9 02 ba 69 9d 46 19 c6 21 cc e4 9e 4c | 14 d1 8a 42 ce db 06 40 4e 78 7f a2 e7 39 7c ca | fd c7 d5 c7 19 7b e1 f7 8d 42 b8 50 60 90 90 41 | 66 7d 7d 31 f4 af 5a a8 b7 95 2e 28 fc af 6f b8 | 83 e2 14 e8 b3 53 cb 0d 37 d0 38 0c 1c 81 99 2a | 01 27 59 66 08 fc b7 31 f9 d2 29 13 ba 08 ed 1b | 97 f3 1f c2 f8 24 80 ed e5 43 6e c1 73 26 75 41 | 2e 1b 71 44 56 d2 e9 83 7d 8e 77 6b 77 3b b4 4d | ed 2a 21 80 bf 66 2e 3f 06 cd ef 01 9b 76 9a 10 | 07 03 54 12 ed af 8f 60 f8 fe 0c 66 02 4e f8 b9 | 23 7d 2c f4 c8 43 e9 11 77 68 b5 91 24 53 5a b5 | 0f 75 76 99 38 2b 35 b1 d0 0b b0 c3 6a 58 55 73 | bf dc a6 67 0b 6c 03 e7 c5 a8 c5 95 6f 27 68 6f | 3c 0c 22 1d 06 92 55 60 3e e5 91 13 f1 3a 31 da | 9d 0c ee f3 2b b5 71 98 09 61 cd 1e 31 b5 0e 4e | b2 3b aa 29 8b 62 65 53 00 37 2f aa 8f a9 72 00 | d5 a2 fc 7e eb 4b 59 30 ad 74 cb 05 55 78 f9 66 | 7f 25 f0 89 ea 9e 84 6b 8d f5 c5 90 a9 ee c6 83 | 55 7f 70 c6 6a db 40 db 4a 11 fd 5e ae a7 16 96 | fd c1 41 94 7a e4 13 e9 09 2f 21 71 f9 36 6e b6 | d6 14 a5 5c 44 4b 48 0d 0d a0 99 12 11 d7 2e 17 | 17 8e 6f 02 59 71 8e 4f 0d 6b a9 79 d1 49 8e a2 | ad 34 86 6e f1 cc 3b b9 11 c3 4b c0 7e d1 20 2f | 41 95 ee a4 39 d0 86 1c e6 3d f7 5a 47 6b 9d af | 82 74 8a 43 c4 1b c1 84 cf 46 89 d8 d7 98 1f fe | fa 8f 3c f8 62 13 18 5d 4f a3 4b a4 3b d7 6d df | bc bf 76 be c3 43 a6 6d fd 2c 04 1e a2 be 23 46 | 9c 06 9f 74 8a 2f b6 c3 fb ed 51 ae 14 a5 4f e1 | 39 ef 5d 65 cf d8 cc de 5c 14 95 c9 df 8b 86 78 | d6 7b a2 6f 25 7d 3d c0 ed b2 d6 e5 57 21 57 9d | a6 d5 0a 07 09 c2 de 62 26 f2 ba 6e a3 d6 98 fb | 32 e1 2a e5 55 1c f9 c8 0a 83 d7 5e 8b 1c 03 55 | a5 b7 1a 1a 25 ce ac ea 48 9f 9f 32 ac c0 ac b5 | 97 ef 41 a1 29 93 d8 33 8b f1 09 ea 40 35 c3 2e | 7c 05 46 b7 e6 c2 78 52 c5 1f a5 ea 8f 07 de 2b | e6 5b 3f 0d 6a 03 25 91 c0 fe d5 be 00 24 a5 6e | 77 62 f3 1e 16 67 8b 91 d2 1b 80 d3 5f 8c bd 4e | 61 00 4d 29 5d ee e2 9a b6 7a 8c 14 5f 45 dd 3b | 53 e5 98 38 cd 61 31 26 2f a7 76 af 78 c2 13 fe | a1 91 81 ff 17 e1 7c 52 74 6c c2 b6 96 16 29 b8 | 23 0a 33 98 fb 60 de 26 ac 48 1f d9 5d 95 42 3c | be 95 10 e7 fd 57 94 12 c1 92 b3 47 d7 4a 53 14 | 26 a9 47 33 b2 e5 d3 d1 65 28 b6 fd e0 b3 c0 e4 | f5 53 56 22 4a 91 ca 51 03 b4 74 88 ab c8 b8 1f | 28 13 57 90 be db f4 8f cf bd 56 a8 f9 c2 74 9e | f4 b7 f9 e0 4a a3 13 b4 61 86 c9 38 ba fa f5 3f | 7b 0d 43 cd | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 1876 (0x754) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I3 (find_state_ikev1) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_CERT (0x6) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | obj: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | obj: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | obj: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | obj: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | obj: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | obj: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 61 73 | obj: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | obj: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | obj: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | obj: 77 61 6e 2e 6f 72 67 | got payload 0x40 (ISAKMP_NEXT_CERT) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Certificate Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 1265 (0x4f1) | cert encoding: CERT_X509_SIGNATURE (0x4) | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 388 (0x184) | removing 4 bytes of padding | message 'main_inR3' HASH payload not checked early | DER ASN1 DN: 30 81 b4 31 0b 30 09 06 03 55 04 06 13 02 43 41 | DER ASN1 DN: 31 10 30 0e 06 03 55 04 08 0c 07 4f 6e 74 61 72 | DER ASN1 DN: 69 6f 31 10 30 0e 06 03 55 04 07 0c 07 54 6f 72 | DER ASN1 DN: 6f 6e 74 6f 31 12 30 10 06 03 55 04 0a 0c 09 4c | DER ASN1 DN: 69 62 72 65 73 77 61 6e 31 18 30 16 06 03 55 04 | DER ASN1 DN: 0b 0c 0f 54 65 73 74 20 44 65 70 61 72 74 6d 65 | DER ASN1 DN: 6e 74 31 23 30 21 06 03 55 04 03 0c 1a 65 61 73 | DER ASN1 DN: 74 2e 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 31 2e 30 2c 06 09 2a 86 48 | DER ASN1 DN: 86 f7 0d 01 09 01 16 1f 75 73 65 72 2d 65 61 73 | DER ASN1 DN: 74 40 74 65 73 74 69 6e 67 2e 6c 69 62 72 65 73 | DER ASN1 DN: 77 61 6e 2e 6f 72 67 "modecfg-road-east" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | global one-shot timer EVENT_FREE_ROOT_CERTS scheduled in 300 seconds loading root certificate cache | spent 4.36 milliseconds in get_root_certs() calling PK11_ListCertsInSlot() | spent 0.0316 milliseconds in get_root_certs() filtering CAs | #1 spent 4.43 milliseconds in find_and_verify_certs() calling get_root_certs() | checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' | decoded cert: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0529 milliseconds in find_and_verify_certs() calling decode_cert_payloads() | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | #1 spent 0.0494 milliseconds in find_and_verify_certs() calling crl_update_check() | missing or expired CRL | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | verify_end_cert trying profile IPsec | certificate is valid (profile IPsec) | #1 spent 0.151 milliseconds in find_and_verify_certs() calling verify_end_cert() "modecfg-road-east" #1: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e3b0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e290 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d4cf20 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3e570 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x556676d3cd00 | unreference key: 0x556676d60680 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | #1 spent 0.317 milliseconds in decode_certs() calling add_pubkey_from_nss_cert() | #1 spent 5.04 milliseconds in decode_certs() | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | ID_DER_ASN1_DN 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' matched our ID 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | SAN ID matched, updating that.cert | X509: CERT and ID matches current connection | required RSA CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | RSA key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbANn [remote certificates] | #1 spent 0.17 milliseconds in try_all_keys() trying a pubkey "modecfg-road-east" #1: Authenticated using RSA | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 | parent state #1: MAIN_I3(open IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d4cf70 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x556676d41e80 | inserting event EVENT_SA_REPLACE, timeout in 2607 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | pstats #1 ikev1.isakmp established "modecfg-road-east" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | #1 spent 5.54 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 5.98 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00276 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 06 01 b4 71 61 c1 00 00 00 44 02 c8 26 76 | e1 3f 9a 94 48 c8 c3 e7 36 4f 32 ba 4f d3 ff 14 | b8 62 48 6a 7c 03 5f f4 12 7e 59 33 b0 37 2c 47 | 1b 39 22 cd | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3027329473 (0xb47161c1) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=b47161c1 st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #1 in MAIN_I4 (find_v1_info_state) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1654) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient modecfgclient | call init_phase2_iv | set from_state to STATE_MAIN_I4 this is xauthclient and IS_PHASE1() is TRUE | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | xauth_inI0 HASH(1): | 7a 29 e9 77 13 bf 01 55 97 1e 5c 07 33 6e 48 33 | 2b 3f 6a 02 | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3027329473 (0xb47161c1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 0 (0x0) | Received Cisco XAUTH username | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 0 (0x0) | Received Cisco XAUTH password | XAUTH: Username or password request received | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | prompting for Username: | emitting 4 raw bytes of XAUTH username into ISAKMP ModeCfg attribute | XAUTH username 75 73 65 33 | emitting length of ISAKMP ModeCfg attribute: 4 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | started looking for xauth secret for use3 | line 0: key type PKK_XAUTH(@use3) to type PKK_RSA | line 1: key type PKK_XAUTH(@use3) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | looked up username=use3, got=(nil) | prompting for Password: | emitting 8 raw bytes of XAUTH password into ISAKMP ModeCfg attribute | XAUTH password 75 73 65 31 70 61 73 73 | emitting length of ISAKMP ModeCfg attribute: 8 | emitting length of ISAKMP Mode Attribute: 28 "modecfg-road-east" #1: XAUTH: Answering XAUTH challenge with user='use3' | XAUTH: client response HASH(1): | 1c da 48 db 5b 0c 19 6d f0 e7 39 3d a6 40 80 e5 | f1 a2 a9 3b | no IKEv1 message padding required | emitting length of ISAKMP Message: 80 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | xauth_inI0(STF_OK) | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 | parent state #1: MAIN_I4(established IKE SA) => XAUTH_I1(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_SA_REPLACE-pe@0x556676d41e80 | sending reply packet to 192.1.2.23:4500 (from 192.1.3.209:4500) | sending 88 bytes for STATE_XAUTH_I0 through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 06 01 b4 71 61 c1 00 00 00 54 | 49 37 fa 8c 6c ba 91 5c d2 a6 dd e9 be 2b 1e 3d | 88 f9 ea 5c a6 64 15 65 a3 2e ce 84 61 ef 89 45 | 4f 93 ef 42 51 92 76 a8 df d9 4e 53 23 c6 b0 d1 | 19 4c c3 fb a4 3c bf 59 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d41e80 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | #1 STATE_XAUTH_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.511407 | pstats #1 ikev1.isakmp established "modecfg-road-east" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=RSA_SIG cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | #1 spent 0.263 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.462 milliseconds in comm_handle_cb() reading and processing packet | spent 0.0017 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 06 01 1d 7c 7b 60 00 00 00 44 ce fb 06 9e | e0 be aa 5b 67 54 37 27 d6 1a d1 22 01 90 0b 51 | d2 e1 4a 6d e9 e6 e4 c1 7c fd 44 6c 75 a2 cb 66 | 87 37 d3 28 | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 494697312 (0x1d7c7b60) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=1d7c7b60 st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_XAUTH_I1 | State DB: found IKEv1 state #1 in XAUTH_I1 (find_v1_info_state) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1654) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient modecfgclient | call init_phase2_iv | set from_state to STATE_XAUTH_I1 this is xauthclient and state == STATE_XAUTH_I1 | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | Attr Msg Type: ISAKMP_CFG_SET (0x3) | Identifier: 0 (0x0) | removing 4 bytes of padding | xauth_inI0 HASH(1): | b1 41 46 5c d2 d2 84 76 77 5b dd b7 5e ab 01 0f | c8 02 47 bb | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 494697312 (0x1d7c7b60) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | Received Cisco XAUTH status: OK | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_ACK (0x4) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 12 | XAUTH: ack status HASH(1): | e7 d0 b4 27 fe 8e e2 95 84 47 31 1f ca 62 40 94 | 78 9a c0 3e | no IKEv1 message padding required | emitting length of ISAKMP Message: 64 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 "modecfg-road-east" #1: XAUTH: Successfully Authenticated | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_XAUTH_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d41e80 | sending reply packet to 192.1.2.23:4500 (from 192.1.3.209:4500) | sending 72 bytes for STATE_XAUTH_I0 through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 06 01 1d 7c 7b 60 00 00 00 44 | f7 a6 22 df 4e d3 d7 6d 8c e4 d4 bd 50 b0 25 b1 | 33 1f f7 70 d3 bb aa 6f 65 02 ee 8e 8a fd 81 7c | c5 f8 b1 51 ec 2d f3 c7 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d41e80 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | #1 STATE_XAUTH_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.512061 | pstats #1 ikev1.isakmp established "modecfg-road-east" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=RSA_SIG cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:pull modecfg-client | modecfg client is starting due to policy "modecfg-road-east" #1: modecfg: Sending IP request (MODECFG_I1) | parent state #1: XAUTH_I1(established IKE SA) => MODE_CFG_I1(established IKE SA) | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3617324256 (0xd79bfce0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'xauth_buf' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'xauth_buf' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_ADDRESS (0x1) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_NETMASK (0x2) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: MODECFG_BANNER (0x7000) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: MODECFG_DOMAIN (0x7002) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: CISCO_SPLIT_INC (0x7004) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 32 | XAUTH: mode config request HASH(1): | 84 86 4f c4 15 8e f0 b4 f4 ee 3c 49 37 43 36 45 | b9 ea 70 68 | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | sending 88 bytes for modecfg: req through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 06 01 d7 9b fc e0 00 00 00 54 | 5f 5e ff 33 7c 1f 9a 21 84 a2 6d c7 a9 09 e5 2d | 47 b8 07 23 0b 68 ab 6d a5 a5 59 9f 1c 9f bb c9 | 98 ad 45 46 ea 5d ca a4 3e 07 59 26 64 a3 d6 f0 | 93 95 18 bf e9 86 8e e0 | #1 spent 0.31 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.437 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00192 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 06 01 d7 9b fc e0 00 00 00 5c 10 6d 49 eb | d1 c0 61 86 95 1f ba 34 7b b3 9f 4e 48 e6 e3 18 | dd 17 8f 15 ba 40 70 51 89 83 21 26 56 c9 86 01 | 6a 49 46 28 72 65 eb 93 6e 86 25 40 cb 38 50 2e | a4 fe cf 2d d0 2a ea 01 ba 92 17 27 | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3617324256 (0xd79bfce0) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=d79bfce0 st_msgid=00000000 st_msgid_phase15=d79bfce0 | p15 state object #1 found, in STATE_MODE_CFG_I1 | State DB: found IKEv1 state #1 in MODE_CFG_I1 (find_v1_info_state) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1778) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 24 (0x18) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | modecfg_inR1 HASH(1): | 58 60 54 c4 fc 9a d5 1e 4f 5a aa 2c 47 b6 ec a9 | 47 2c 94 3b | received 'modecfg_inR1' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3617324256 (0xd79bfce0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | modecfg_inR1: received mode cfg reply | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_ADDRESS (0x1) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr c0 00 02 13 "modecfg-road-east" #1: Received IPv4 address: 192.0.2.19/32 | setting ip source address to 192.0.2.19/32 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_NETMASK (0x2) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 00 00 00 00 | Received IP4 NETMASK 0.0.0.0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 01 02 03 04 "modecfg-road-east" #1: Received DNS server 1.2.3.4 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 05 06 07 08 "modecfg-road-east" #1: Received DNS server 5.6.7.8 | modecfg_inR1(STF_OK) | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4 | parent state #1: MODE_CFG_I1(established IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d41e80 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x556676d41e80 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | pstats #1 ikev1.isakmp established "modecfg-road-east" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:pull modecfg-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | creating state object #2 at 0x556676d4add0 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "modecfg-road-east" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.3.209:4500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:683) | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:683) | child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "modecfg-road-east" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:85ac0691 proposal=defaults pfsgroup=MODP2048} | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fde80002b20 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | libevent_realloc: release ptr-libevent@0x556676d1fea0 | libevent_realloc: new ptr-libevent@0x556676d51ee0 size 128 | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:762) | resume processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:762) | unqueuing pending Quick Mode with 192.1.2.23 "modecfg-road-east" | removing pending policy for no connection {0x556676ce5400} | close_any(fd@22) (in release_whack() at state.c:654) | #1 spent 0.218 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.35 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 resuming | crypto helper 1 starting work-order 3 for state #2 | crypto helper 1 doing build KE and nonce (quick_outI1 KE); request ID 3 | crypto helper 1 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000874 seconds | (#2) spent 0.88 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 1 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fde7c006900 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 3 | calling continuation function 0x556675316630 | quick_outI1_continue for #2: calculated ke+nonce, sending I1 | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2242643601 (0x85ac0691) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | emitting quick defaults using policy none | empty esp_info, returning defaults for ENCRYPT | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x88307d9e for esp.0@192.1.3.209 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 88 30 7d 9e | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 3 (0x3) | [3 is ENCAPSULATION_MODE_UDP_TUNNEL_RFC] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ESP): 32 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 1 (0x1) | ESP transform ID: ESP_3DES (0x3) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 3 (0x3) | [3 is ENCAPSULATION_MODE_UDP_TUNNEL_RFC] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | emitting length of ISAKMP Transform Payload (ESP): 28 | emitting length of ISAKMP Proposal Payload: 72 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 84 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni f9 0f 26 27 51 34 55 d0 9b 2e 54 c3 2c aa c3 da | Ni 7b 4b 2a 44 5b 31 23 ef e2 0b 92 a6 6a d1 f2 62 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 32 23 68 46 05 c5 a6 0f 59 14 f8 0f 0a 51 fc a1 | keyex value 82 9b df 54 b6 f1 76 5a 66 c2 79 fc 5d d8 b5 3c | keyex value 5d 45 c5 a7 c4 33 c4 92 66 0a 0b b1 aa b5 2d 98 | keyex value d9 3e 10 a7 4a 73 5f 21 f4 f9 e5 a2 53 d7 b8 35 | keyex value 23 58 ac b0 16 c7 d0 29 a1 36 d6 72 c4 1c 07 9e | keyex value 57 5e 15 f3 f8 f7 c4 bc e9 e9 89 d6 e7 4b 0a 33 | keyex value df 35 ff fd a5 eb 08 8d aa 9f 33 20 ee 72 28 a0 | keyex value 02 ce 22 26 6d 8e 92 3e 3e 1c fe 05 b0 fe f5 ca | keyex value 06 5d 5b ce d3 48 52 26 38 7e 46 66 73 78 43 15 | keyex value 16 ae 8b b2 40 9e 92 03 9f ef a6 ec ac b7 82 ed | keyex value fc c1 47 56 ca 8a a8 f7 bd ba fa 17 54 2b 38 09 | keyex value fe 34 ae fd 22 96 70 ea dd 5a 56 32 74 bb e6 31 | keyex value de d8 f1 ed b2 c0 70 a3 33 5f d2 93 fd 1e f6 e5 | keyex value f4 4b 85 a3 2c f1 cf 6a cf 22 4a 67 b7 2d 80 27 | keyex value c9 4e 2d 92 45 55 74 3e 00 f1 ca 9e b3 da 81 28 | keyex value 46 b5 e9 de b1 c8 26 3b 9a a1 e5 45 db fd 7e b3 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 00 02 13 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network 00 00 00 00 | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) | client mask 00 00 00 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | outI1 HASH(1): | 80 65 79 13 93 f3 70 94 a0 aa 81 3e d4 3d 5b 95 | 82 5e d4 59 | no IKEv1 message padding required | emitting length of ISAKMP Message: 460 | sending 464 bytes for reply packet from quick_outI1 through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #2) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 20 01 85 ac 06 91 00 00 01 cc | 7c b6 85 7a 4c d8 ac 25 3b a9 32 86 5f 9b 12 e5 | 8c aa a4 98 ea 18 07 68 44 d9 ed 73 ec eb 2f 1b | 04 d1 9c 16 d2 26 f6 14 0d 2b c0 4e bb 4b 90 57 | 63 ec e4 4a e4 11 a5 9b e7 05 c7 3c 3f ee ef 3e | b6 ed dd 90 b3 3d c5 ef 52 7d 3c bb 6b a5 e4 a0 | cc 59 25 f2 f7 4a 47 53 2a 36 2d d3 f2 11 c2 0c | 23 19 8b 98 dd 99 4b fc c8 6d 8a eb 09 5b f9 00 | 35 bb cb 9a 5e eb c9 bb 32 44 fb 86 8e 82 33 67 | 58 d8 c9 c0 1f 5d 71 89 6a ca ce a1 f0 93 e2 f5 | 42 d1 79 e6 25 86 64 1f c1 d6 b4 22 38 73 8d 91 | 71 7d ce ce 9c 8b 87 42 28 74 86 4c b2 42 80 0b | e2 13 7c ea 72 04 a8 e2 95 2b b0 42 ee 5e dc 55 | 1e ae ee 05 09 b2 d0 83 da b0 15 15 77 bb 96 60 | 70 b8 67 e1 80 6b 68 3b be 6c 68 18 a0 02 d0 a4 | 31 b0 23 6c 0b 19 d0 a3 3b ca d7 9c 32 7c bb 5f | e5 cc bf 53 81 37 bf d3 95 d2 f5 a7 33 b9 20 35 | a5 f8 c8 b2 d8 c3 e5 f3 04 2b b5 3a 31 d8 1f 46 | ce 31 ec d3 7f 8d d6 c5 6c 52 ed 5b 71 17 a1 35 | 09 91 13 26 88 0c 6e 73 fc dd ab 11 46 e8 73 b4 | 6b e4 4d b8 d4 0a c2 37 aa 30 8c 36 25 25 31 79 | 09 e3 d5 89 74 20 8a 8a ba c7 3d 00 62 66 a6 83 | 8d 11 6b d8 46 db 07 17 51 8d ee a9 e4 fc 91 69 | 6d f6 1b 1a 57 4f 74 45 8b bd b0 c8 95 3d d3 3c | 15 da d6 d9 7a d3 6b 51 f1 a0 8d fc dd e4 f6 cb | f3 72 cf ce df 74 59 47 28 03 6a 5d e2 04 4c da | 12 8e d9 b5 31 29 26 bb f5 92 b7 da 07 ae bb 79 | c6 8f 37 dc 65 db c3 10 bf 3b bd eb 53 20 1c e9 | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fde7800b7e0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fde80002b20 | event_schedule: new EVENT_RETRANSMIT-pe@0x7fde80002b20 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | #2 STATE_QUICK_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50015.5153 | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.919 milliseconds in resume sending helper answer | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fde7c006900 | spent 0.00319 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 436 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 20 01 85 ac 06 91 00 00 01 b4 64 4c ad 9a | 9f f5 8f 17 a4 27 2e 0e fc 86 10 6c 5a 7c 48 2b | 87 20 16 0f 07 9e a6 8c e7 40 a2 e5 34 36 d4 3e | 35 ca fb 48 33 ac b7 ab 7c 8b 0f 89 c5 4d d5 b5 | 07 9b 9f 1f a8 46 7b de 23 7c 0b 78 e3 15 e0 55 | 10 a4 fa f7 ec bb 5b 45 bb 21 9d c1 c0 1b e7 34 | c8 d0 42 e6 1a 74 95 8f ef c6 e2 2c 18 af 7d ef | 00 4e ac a2 a5 46 6c 10 32 5a f4 11 af 9c 99 eb | 47 ac 89 80 e4 f4 fb 39 65 e7 c1 7e da 2b ca 8b | 80 44 46 20 1a 41 df a6 a5 a5 1e c9 1a e7 0b c5 | 0a 16 bf 9f 60 c4 e6 66 3d 10 7f 4e 25 45 f0 a0 | f2 2e 07 4c cd c6 ee 14 0c 5b 5a b9 5a c3 85 84 | 90 f4 cf 6a 02 1d f8 b0 36 02 ac 39 ea 96 41 cb | 8b a1 de 10 01 02 ab 47 9c fd 91 42 56 72 3a 64 | 3d 5b f1 54 1d 4d 96 11 ac 3d 39 ea f3 17 60 64 | 3b 99 75 f4 e6 87 c1 a6 6d b1 cb de 67 1d 4f ec | 35 57 6b 6e bb 13 4b fd c5 39 a4 3c 9f 55 48 eb | bc 5f 38 d3 b8 53 64 b1 d9 92 60 56 08 9d d8 e0 | b0 21 12 8b 2d 6d 93 4a 4a 09 0a 68 3e 8f 64 0d | 1b 16 9a 4e e6 b3 dd 51 ca 05 3f 67 1e b1 d4 04 | 97 1d 09 15 77 31 bf 23 48 85 19 39 26 d9 da 4d | fb 24 29 46 d9 2e 28 0f 07 10 f3 96 91 52 c8 7d | af 12 97 11 18 4e cc 4b c0 e1 28 98 70 fa 5a 0c | 11 b8 7e a8 04 a8 f1 2a 3e 95 ef d4 e1 b9 e3 35 | 12 75 b8 4f 0a 78 98 00 b8 f0 7a 02 33 36 88 b1 | 50 ed 69 22 d5 7a 19 4b 7a dd 07 58 7a b9 60 1f | 15 75 57 90 | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2242643601 (0x85ac0691) | length: 436 (0x1b4) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_I1 (find_state_ikev1) | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1609) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 24 (0x18) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 13 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: 00 00 00 00 00 00 00 00 | removing 4 bytes of padding | quick_inR1_outI2 HASH(2): | 33 12 0b 90 f3 08 a1 04 f3 df 73 e4 44 13 80 06 | c8 64 07 de | received 'quick_inR1_outI2' message HASH(2) data ok | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI 17 8c 03 ce | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 3 (0x3) | [3 is ENCAPSULATION_MODE_UDP_TUNNEL_RFC] | NAT-T RFC: Installing IPsec SA with ENCAP, st->hidden_variables.st_nat_traversal is RFC 3947 (NAT-Traversal)+I am behind NAT | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org of kind PKK_PSK | actually looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org of kind PKK_PSK | line 0: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org) to type PKK_RSA | line 1: key type PKK_PSK(C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding quick outI2 DH work-order 4 for state #2 | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x7fde7800b7e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fde80002b20 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fde80002b20 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | crypto helper 4 resuming | crypto helper 4 starting work-order 4 for state #2 | #2 spent 0.169 milliseconds in process_packet_tail() | crypto helper 4 doing compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.467 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 finished compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 time elapsed 0.000959 seconds | (#2) spent 0.944 milliseconds in crypto helper computing work-order 4: quick outI2 DH (pcr) | crypto helper 4 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7fde70001ef0 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 4 | calling continuation function 0x556675316630 | quick_inR1_outI2_continue for #2: calculated ke+nonce, calculating DH | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2242643601 (0x85ac0691) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | NAT-Traversal: received 0 NAT-OA. | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 13 | our client is 192.0.2.19/32 | our client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address 00 00 00 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask 00 00 00 00 | peer client is subnet 0.0.0.0/0 | peer client protocol/port is 0/0 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | quick_inR1_outI2 HASH(3): | 85 9d b8 dc f0 9d 72 8c 40 0f d0 c0 98 5a 81 e4 | 47 b1 3c a4 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | install_ipsec_sa() for #2: inbound and outbound | could_route called for modecfg-road-east (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn modecfg-road-east mark 0/00000000, 0/00000000 vs | conn modecfg-road-east mark 0/00000000, 0/00000000 | route owner of "modecfg-road-east" unrouted: NULL; eroute owner: NULL | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'modecfg-road-east' not available on interface eth0 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.178c03ce@192.1.2.23 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'modecfg-road-east' not available on interface eth0 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.88307d9e@192.1.3.209 included non-error error | priority calculation of connection "modecfg-road-east" is 0xfdfff | add inbound eroute 0.0.0.0/0:0 --0-> 192.0.2.19/32:0 => tun.10000@192.1.3.209 (raw_eroute) | IPsec Sa SPD priority set to 1040383 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn modecfg-road-east mark 0/00000000, 0/00000000 vs | conn modecfg-road-east mark 0/00000000, 0/00000000 | route owner of "modecfg-road-east" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: modecfg-road-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "modecfg-road-east" is 0xfdfff | eroute_connection add eroute 192.0.2.19/32:0 --0-> 0.0.0.0/0:0 => tun.0@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040383 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT | popen cmd is 1481 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' : | cmd( 80):PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO: | cmd( 160):_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.te: | cmd( 240):sting.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2: | cmd( 320):.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' : | cmd( 400):PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ES: | cmd( 480):P' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libresw: | cmd( 560):an, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libre: | cmd( 640):swan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PE: | cmd( 720):ER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_: | cmd( 800):CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan t: | cmd( 880):est CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME=': | cmd( 960):0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLO: | cmd(1040):W+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_A: | cmd(1120):DDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='192.0.2: | cmd(1200):.19' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DO: | cmd(1280):MAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1' PLUT: | cmd(1360):O_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x178c0: | cmd(1440):3ce SPI_OUT=0x88307d9e ipsec _updown 2>&1: "modecfg-road-east" #2: up-client output: updating resolvconf | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSAS | popen cmd is 1486 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-e: | cmd( 80):ast' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' : | cmd( 160):PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=ro: | cmd( 240):ad.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='19: | cmd( 320):2.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.: | cmd( 400):255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYP: | cmd( 480):E='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Li: | cmd( 560):breswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.: | cmd( 640):libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLU: | cmd( 720):TO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_: | cmd( 800):PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libres: | cmd( 880):wan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDT: | cmd( 960):IME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1: | cmd(1040):_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_C: | cmd(1120):ONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='19: | cmd(1200):2.0.2.19' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PE: | cmd(1280):ER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1': | cmd(1360): PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):178c03ce SPI_OUT=0x88307d9e ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+E | popen cmd is 1484 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-eas: | cmd( 80):t' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PL: | cmd( 160):UTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road: | cmd( 240):.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.: | cmd( 320):0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.25: | cmd( 400):5' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE=: | cmd( 480):'ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libr: | cmd( 560):eswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.li: | cmd( 640):breswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO: | cmd( 720):_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PE: | cmd( 800):ER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswa: | cmd( 880):n test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIM: | cmd( 960):E='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_A: | cmd(1040):LLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CON: | cmd(1120):N_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='192.: | cmd(1200):0.2.19' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER: | cmd(1280):_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1' P: | cmd(1360):LUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x17: | cmd(1440):8c03ce SPI_OUT=0x88307d9e ipsec _updown 2>&1: "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. "modecfg-road-east" #2: route-client output: Error: Peer netns reference is invalid. | route_and_eroute: instance "modecfg-road-east", setting eroute_owner {spd=0x556676d3d330,sr=0x556676d3d330} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.7 milliseconds in install_ipsec_sa() | no IKEv1 message padding required | emitting length of ISAKMP Message: 52 | inR1_outI2: instance modecfg-road-east[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 | child state #2: QUICK_I1(established CHILD SA) => QUICK_I2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fde7800b7e0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fde80002b20 | sending reply packet to 192.1.2.23:4500 (from 192.1.3.209:4500) | sending 56 bytes for STATE_QUICK_I1 through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #2) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 20 01 85 ac 06 91 00 00 00 34 | ca 9a 21 23 66 2e 21 7b 1a 23 d1 51 3e 6f 34 8b | 07 50 9a 60 77 bb 22 c4 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7fde7c002b20 | inserting event EVENT_SA_REPLACE, timeout in 28048 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | pstats #2 ikev1.ipsec established | NAT-T: NAT Traversal detected - their IKE port is '500' | NAT-T: encaps is 'auto' "modecfg-road-east" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x178c03ce <0x88307d9e xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=192.1.2.23:4500 DPD=passive username=use3} | modecfg pull: noquirk policy:pull modecfg-client | phase 1 is done, looking for phase 2 to unpend | close_any(fd@23) (in release_whack() at state.c:654) | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 2.01 milliseconds in resume sending helper answer | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fde70001ef0 | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_DELPOLICY message | xfrm netlink address change RTM_NEWADDR msg len 76 | XFRM RTM_NEWADDR 192.0.2.19 IFA_LOCAL | FOR_EACH_STATE_... in record_newaddr (for_each_state) | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in for_each_state() at state.c:1572) | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in for_each_state() at state.c:1574) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in for_each_state() at state.c:1572) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in for_each_state() at state.c:1574) | IKEv2 received address RTM_NEWADDR type 3 | IKEv2 received address RTM_NEWADDR type 8 | IKEv2 received address RTM_NEWADDR type 6 | netlink_get: XFRM_MSG_EXPIRE message | netlink_get: XFRM_MSG_EXPIRE message | netlink_get: XFRM_MSG_EXPIRE message | spent 0.0347 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00363 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00195 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00193 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_STATE_... in show_traffic_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.88307d9e@192.1.3.209 | get_sa_info esp.178c03ce@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0907 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.88307d9e@192.1.3.209 | get_sa_info esp.178c03ce@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.776 milliseconds in whack | spent 0.00314 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 68 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 05 01 8b 32 b5 c6 00 00 00 44 f4 75 e6 d6 | a6 57 02 74 63 6f f2 e8 0b e8 b2 be d1 89 75 a3 | 3d 40 2b fc 7f 86 a0 d7 c5 7c 85 38 cc 9e 53 f8 | 90 1a 22 31 | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2335356358 (0x8b32b5c6) | length: 68 (0x44) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #2; msgid=00000000 st_msgid=85ac0691 st_msgid_phase15=00000000 | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #1 in MAIN_I4 (find_v1_info_state) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1455) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 24 (0x18) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 | ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | informational HASH(1): | c9 49 84 35 4c 06 c9 b7 52 d7 dd 9c 73 a0 81 50 | 7c 6f 82 9c | received 'informational' message HASH(1) data ok | parsing 4 raw bytes of ISAKMP Delete Payload into SPI | SPI 17 8c 03 ce | FOR_EACH_STATE_... in find_phase2_state_to_delete | start processing: connection "modecfg-road-east" (BACKGROUND) (in accept_delete() at ikev1_main.c:2506) "modecfg-road-east" #1: received Delete SA payload: replace IPsec State #2 now | state #2 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x7fde7800b7e0 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fde7c002b20 | event_schedule: new EVENT_SA_REPLACE-pe@0x7fde7c002b20 | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde7800b7e0 size 128 | stop processing: connection "modecfg-road-east" (BACKGROUND) (in accept_delete() at ikev1_main.c:2550) | del: | complete v1 state transition with STF_IGNORE | #1 spent 0.00343 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:4500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.192 milliseconds in comm_handle_cb() reading and processing packet | timer_event_cb: processing event@0x7fde7c002b20 | handling event EVENT_SA_REPLACE for child state #2 | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #2 for #2 | replacing stale IPsec SA | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) | FOR_EACH_STATE_... in find_phase1_state | creating state object #3 at 0x556676d5d680 | State DB: adding IKEv1 state #3 in UNDEFINED | pstats #3 ikev1.ipsec started | duplicating state object #1 "modecfg-road-east" as #3 for IPSEC SA | #3 setting local endpoint to 192.1.3.209:4500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:683) | start processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:683) | child state #3: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "modecfg-road-east" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO to replace #2 {using isakmp#1 msgid:bf252bb1 proposal=defaults pfsgroup=MODP2048} | adding quick_outI1 KE work-order 5 for state #3 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x556676d1e1b0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 | libevent_malloc: new ptr-libevent@0x7fde70001ef0 size 128 | stop processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:762) | resume processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in quick_outI1() at ikev1_quick.c:762) | event_schedule: new EVENT_SA_EXPIRE-pe@0x556676d42680 | crypto helper 5 resuming | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #2 | libevent_malloc: new ptr-libevent@0x7fde80006900 size 128 | crypto helper 5 starting work-order 5 for state #3 | libevent_free: release ptr-libevent@0x7fde7800b7e0 | crypto helper 5 doing build KE and nonce (quick_outI1 KE); request ID 5 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7fde7c002b20 | #2 spent 0.109 milliseconds in timer_event_cb() EVENT_SA_REPLACE | stop processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in timer_event_cb() at timer.c:557) | timer_event_cb: processing event@0x556676d42680 | handling event EVENT_SA_EXPIRE for child state #2 | start processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #2 for #2 | un-established partial CHILD SA timeout (SA expired) | pstats #2 ikev1.ipsec re-failed exchange-timeout | pstats #2 ikev1.ipsec deleted completed | [RE]START processing: state #2 connection "modecfg-road-east" from 192.1.2.23:4500 (in delete_state() at state.c:879) "modecfg-road-east" #2: deleting state (STATE_QUICK_I2) aged 5.265s and sending notification | child state #2: QUICK_I2(established CHILD SA) => delete | get_sa_info esp.178c03ce@192.1.2.23 | get_sa_info esp.88307d9e@192.1.3.209 "modecfg-road-east" #2: ESP traffic information: in=336B out=336B XAUTHuser=use3 | #2 send IKEv1 delete notification for STATE_QUICK_I2 | FOR_EACH_STATE_... in find_phase1_state | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 461134513 (0x1b7c5ab1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 3 (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 4 raw bytes of delete payload into ISAKMP Delete Payload | delete payload 88 30 7d 9e | emitting length of ISAKMP Delete Payload: 16 | send delete HASH(1): | a9 8b 66 e8 f6 46 c4 cf f2 19 a8 48 cd 87 4f ad | 12 e6 b8 b1 | no IKEv1 message padding required | emitting length of ISAKMP Message: 68 | sending 72 bytes for delete notify through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 05 01 1b 7c 5a b1 00 00 00 44 | ae f8 e8 a8 e1 ac 31 f8 ee 0a 79 93 5e e3 6f eb | 70 f2 64 ec 83 eb 95 a4 19 d5 b3 fe d9 19 56 fd | 46 86 19 65 59 4a 23 9a | running updown command "ipsec _updown" for verb down | command executing down-client | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | trusted_ca_nss: trustor B = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1569051369' PLUTO_CONN_POLICY='R | popen cmd is 1492 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east: | cmd( 80):' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLU: | cmd( 160):TO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.: | cmd( 240):testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0: | cmd( 320):.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255: | cmd( 400):' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE=': | cmd( 480):ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libre: | cmd( 560):swan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.lib: | cmd( 640):reswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_: | cmd( 720):PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEE: | cmd( 800):R_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan: | cmd( 880): test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME: | cmd( 960):='1569051369' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL: | cmd(1040):+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' P: | cmd(1120):LUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCE: | cmd(1200):IP='192.0.2.19' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PL: | cmd(1280):UTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIE: | cmd(1360):NT='1' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI: | cmd(1440):_IN=0x178c03ce SPI_OUT=0x88307d9e ipsec _updown 2>&1: | crypto helper 5 finished build KE and nonce (quick_outI1 KE); request ID 5 time elapsed 0.000956 seconds | (#3) spent 0.9 milliseconds in crypto helper computing work-order 5: quick_outI1 KE (pcr) | crypto helper 5 sending results from work-order 5 for state #3 to event queue | scheduling resume sending helper answer for #3 | libevent_malloc: new ptr-libevent@0x7fde74006900 size 128 | crypto helper 5 waiting (nothing to do) "modecfg-road-east" #2: down-client output: restoring resolvconf | shunt_eroute() called for connection 'modecfg-road-east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.19/32:0 --0->- 0.0.0.0/0:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.19/32:0 dest 0.0.0.0/0:0 | priority calculation of connection "modecfg-road-east" is 0xfdfff | IPsec Sa SPD priority set to 1040383 | delete esp.178c03ce@192.1.2.23 | netlink response for Del SA esp.178c03ce@192.1.2.23 included non-error error | priority calculation of connection "modecfg-road-east" is 0xfdfff | delete inbound eroute 0.0.0.0/0:0 --0-> 192.0.2.19/32:0 => unk255.10000@192.1.3.209 (raw_eroute) | raw_eroute result=success | delete esp.88307d9e@192.1.3.209 | netlink response for Del SA esp.88307d9e@192.1.3.209 included non-error error | in connection_discard for connection modecfg-road-east | State DB: deleting IKEv1 state #2 in QUICK_I2 | child state #2: QUICK_I2(established CHILD SA) => UNDEFINED(ignore) | stop processing: state #2 from 192.1.2.23:4500 (in delete_state() at state.c:1143) | libevent_free: release ptr-libevent@0x7fde80006900 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x556676d42680 | in statetime_stop() and could not find #2 | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | spent 0.00241 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 84 bytes from 192.1.2.23:4500 on eth0 (192.1.3.209:4500) | 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 e5 70 a7 b4 | 08 10 05 01 c8 63 aa a9 00 00 00 54 0b 8a 7b d2 | 12 01 0f 6c ed 4a 93 42 55 12 de ca fc 47 15 5b | 02 37 a4 ee 33 30 fc 4c 0f 6f 9b 87 24 5b 94 6f | ef 72 88 26 d1 31 54 2b 3e e8 2b 8c 1a 97 2a 47 | d0 5f 5d c3 | start processing: from 192.1.2.23:4500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 3361974953 (0xc863aaa9) | length: 84 (0x54) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | peer and cookies match on #3; msgid=00000000 st_msgid=bf252bb1 st_msgid_phase15=00000000 | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #1 in MAIN_I4 (find_v1_info_state) | start processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in process_v1_packet() at ikev1.c:1455) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:4500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_D (0xc) | length: 24 (0x18) | got payload 0x1000 (ISAKMP_NEXT_D) needed: 0x0 opt: 0x0 | ***parse ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 28 (0x1c) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | removing 4 bytes of padding | informational HASH(1): | d4 1d bf 49 bc b9 ae 0c 28 cd f4 6d db 2c 9f 40 | 83 19 a9 3b | received 'informational' message HASH(1) data ok | parsing 8 raw bytes of ISAKMP Delete Payload into iCookie | iCookie 58 c3 42 63 35 b8 ec 66 | parsing 8 raw bytes of ISAKMP Delete Payload into rCookie | rCookie 2b 0f c0 d2 e5 70 a7 b4 | State DB: found IKEv1 state #1 in MAIN_I4 (find_state_ikev1) | del: "modecfg-road-east" #1: received Delete SA payload: self-deleting ISAKMP State #1 | pstats #1 ikev1.isakmp deleted completed | [RE]START processing: state #1 connection "modecfg-road-east" from 192.1.2.23:4500 (in delete_state() at state.c:879) "modecfg-road-east" #1: deleting state (STATE_MAIN_I4) aged 5.425s and sending notification | parent state #1: MAIN_I4(established IKE SA) => delete | #1 send IKEv1 delete notification for STATE_MAIN_I4 | **emit ISAKMP Message: | initiator cookie: | 58 c3 42 63 35 b8 ec 66 | responder cookie: | 2b 0f c0 d2 e5 70 a7 b4 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_INFO (0x5) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2982093082 (0xb1bf211a) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'delete msg' | emitting 20 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 24 | ***emit ISAKMP Delete Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | DOI: ISAKMP_DOI_IPSEC (0x1) | protocol ID: 1 (0x1) | SPI size: 16 (0x10) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete Payload (12:ISAKMP_NEXT_D) | next payload chain: saving location 'ISAKMP Delete Payload'.'next payload type' in 'delete msg' | emitting 8 raw bytes of initiator SPI into ISAKMP Delete Payload | initiator SPI 58 c3 42 63 35 b8 ec 66 | emitting 8 raw bytes of responder SPI into ISAKMP Delete Payload | responder SPI 2b 0f c0 d2 e5 70 a7 b4 | emitting length of ISAKMP Delete Payload: 28 | send delete HASH(1): | 14 fe a6 c9 2c 5c b0 b2 1d cd 68 a1 c5 d7 4e 11 | 55 21 97 39 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 84 | sending 88 bytes for delete notify through eth0 from 192.1.3.209:4500 to 192.1.2.23:4500 (using #1) | 00 00 00 00 58 c3 42 63 35 b8 ec 66 2b 0f c0 d2 | e5 70 a7 b4 08 10 05 01 b1 bf 21 1a 00 00 00 54 | 08 14 9f 92 87 f1 46 ec eb ac 0a b1 b7 43 3f 62 | 9f 6c 5d 05 44 99 47 a3 d8 5f 36 cb ab 20 af 6b | 2e 6c b6 cb d6 df 13 64 ae 41 95 bf 44 cd bc f1 | 4d 97 a9 63 e7 b9 88 58 | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_SA_REPLACE-pe@0x556676d41e80 "modecfg-road-east" #1: reschedule pending child #3 STATE_QUICK_I1 of connection "modecfg-road-east" - the parent is going away | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7fde70001ef0 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x556676d1e1b0 | event_schedule: new EVENT_SA_REPLACE-pe@0x556676d41e80 | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #3 | libevent_malloc: new ptr-libevent@0x7fde70001ef0 size 128 | State DB: IKEv1 state not found (flush_incomplete_children) | picked newest_isakmp_sa #0 for #1 "modecfg-road-east" #1: deleting IKE SA for connection 'modecfg-road-east' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS | add revival: connection 'modecfg-road-east' added to the list and scheduled for 0 seconds | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds | in connection_discard for connection modecfg-road-east | State DB: deleting IKEv1 state #1 in MAIN_I4 | parent state #1: MAIN_I4(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x556676d5bf90 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 2-- | stop processing: state #1 from 192.1.2.23:4500 (in delete_state() at state.c:1143) | unreference key: 0x556676d5bf90 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d5ee70 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d19b30 @east.testing.libreswan.org cnt 1-- | unreference key: 0x556676d4e430 east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d45de0 192.1.2.23 cnt 1-- | in statetime_start() with no state | complete v1 state transition with STF_IGNORE | stop processing: from 192.1.2.23:4500 (in process_md() at demux.c:380) | processing: STOP state #0 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.908 milliseconds in comm_handle_cb() reading and processing packet | processing resume sending helper answer for #3 | start processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:797) | crypto helper 5 replies to request ID 5 | calling continuation function 0x556675316630 | work-order 5 state #3 crypto result suppressed | resume sending helper answer for #3 suppresed complete_v1_state_transition() | #3 spent 0.0132 milliseconds in resume sending helper answer | stop processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fde74006900 | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00372 milliseconds in signal handler PLUTO_SIGCHLD | timer_event_cb: processing event@0x556676d41e80 | handling event EVENT_SA_REPLACE for child state #3 | start processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #0 for #3 | replacing stale IPsec SA | dup_any(fd@-1) -> fd@-1 (in ipsecdoi_replace() at ipsec_doi.c:351) | FOR_EACH_STATE_... in find_phase1_state | creating state object #4 at 0x556676d48380 | State DB: adding IKEv1 state #4 in UNDEFINED | pstats #4 ikev1.isakmp started | suspend processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in main_outI1() at ikev1_main.c:118) | start processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:118) | parent state #4: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) | dup_any(fd@-1) -> fd@-1 (in main_outI1() at ikev1_main.c:123) | Queuing pending IPsec SA negotiating with 192.1.2.23 "modecfg-road-east" IKE SA #4 "modecfg-road-east" "modecfg-road-east" #4: initiating Main Mode | **emit ISAKMP Message: | initiator cookie: | 8c 54 19 1f 12 54 30 77 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x556676d42610 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 2 (0x2) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 72 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 84 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 244 | sending 244 bytes for reply packet for main_outI1 through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #4) | 8c 54 19 1f 12 54 30 77 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 54 | 00 00 00 01 00 00 00 01 00 00 00 48 00 01 00 02 | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 0e | 00 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 | event_schedule: new EVENT_RETRANSMIT-pe@0x7fde74002b20 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x7fde74006900 size 128 | #4 STATE_MAIN_I1: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50020.830836 | #4 spent 0.301 milliseconds in main_outI1() | stop processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:228) | event_schedule: new EVENT_SA_EXPIRE-pe@0x556676d42680 | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #3 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 | libevent_free: release ptr-libevent@0x7fde70001ef0 | free_event_entry: release EVENT_SA_REPLACE-pe@0x556676d41e80 | #3 spent 0.326 milliseconds in timer_event_cb() EVENT_SA_REPLACE | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | processing global timer EVENT_REVIVE_CONNS Initiating connection modecfg-road-east which received a Delete/Notify but must remain up per local policy | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "modecfg-road-east" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'modecfg-road-east' +POLICY_UP | dup_any(fd@-1) -> fd@-1 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "modecfg-road-east" | stop processing: connection "modecfg-road-east" (in initiate_a_connection() at initiate.c:349) | spent 0.019 milliseconds in global timer EVENT_REVIVE_CONNS | timer_event_cb: processing event@0x556676d42680 | handling event EVENT_SA_EXPIRE for child state #3 | start processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in timer_event_cb() at timer.c:250) | picked newest_ipsec_sa #0 for #3 | un-established partial CHILD SA timeout (SA expired) | pstats #3 ikev1.ipsec failed exchange-timeout | pstats #3 ikev1.ipsec deleted exchange-timeout | [RE]START processing: state #3 connection "modecfg-road-east" from 192.1.2.23:4500 (in delete_state() at state.c:879) "modecfg-road-east" #3: deleting state (STATE_QUICK_I1) aged 0.052s and NOT sending notification | child state #3: QUICK_I1(established CHILD SA) => delete | child state #3: QUICK_I1(established CHILD SA) => CHILDSA_DEL(informational) | priority calculation of connection "modecfg-road-east" is 0xfdfff | delete inbound eroute 0.0.0.0/0:0 --0-> 192.0.2.19/32:0 => unk255.10000@192.1.3.209 (raw_eroute) | raw_eroute result=success | in connection_discard for connection modecfg-road-east | State DB: deleting IKEv1 state #3 in CHILDSA_DEL | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) | stop processing: state #3 from 192.1.2.23:4500 (in delete_state() at state.c:1143) | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_SA_EXPIRE-pe@0x556676d42680 | in statetime_stop() and could not find #3 | processing: STOP state #0 (in timer_event_cb() at timer.c:557) | timer_event_cb: processing event@0x7fde74002b20 | handling event EVENT_RETRANSMIT for parent state #4 | start processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in timer_event_cb() at timer.c:250) | IKEv1 retransmit event | [RE]START processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in retransmit_v1_msg() at retry.c:61) | handling event EVENT_RETRANSMIT for 192.1.2.23 "modecfg-road-east" #4 keying attempt 1 of 0; retransmit 1 | retransmits: current time 50021.331101; retransmit count 0 exceeds limit? NO; deltatime 0.5 exceeds limit? NO; monotime 0.500265 exceeds limit? NO | event_schedule: new EVENT_RETRANSMIT-pe@0x556676d42680 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #4 | libevent_malloc: new ptr-libevent@0x556676d3e3e0 size 128 "modecfg-road-east" #4: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response | sending 244 bytes for EVENT_RETRANSMIT through eth0 from 192.1.3.209:500 to 192.1.2.23:500 (using #4) | 8c 54 19 1f 12 54 30 77 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 00 f4 0d 00 00 54 | 00 00 00 01 00 00 00 01 00 00 00 48 00 01 00 02 | 03 00 00 20 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 0e | 00 00 00 20 01 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 | libevent_free: release ptr-libevent@0x7fde74006900 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7fde74002b20 | #4 spent 0.115 milliseconds in timer_event_cb() EVENT_RETRANSMIT | stop processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in timer_event_cb() at timer.c:557) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1825) | pluto_sd: executing action action: stopping(6), status 0 destroying root certificate cache | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x556676d482c0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d47ce0 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d47920 @east.testing.libreswan.org cnt 1-- | unreference key: 0x556676d46e30 east@testing.libreswan.org cnt 1-- | unreference key: 0x556676d46390 192.1.2.23 cnt 1-- | unreference key: 0x556676d42a60 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org cnt 1-- | unreference key: 0x556676d42490 user-road@testing.libreswan.org cnt 1-- | unreference key: 0x556676d42010 @road.testing.libreswan.org cnt 1-- | start processing: connection "modecfg-road-east" (in delete_connection() at connections.c:189) | removing pending policy for no connection {0x556676ce5200} | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | state #4 | suspend processing: connection "modecfg-road-east" (in foreach_state_by_connection_func_delete() at state.c:1310) | start processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in foreach_state_by_connection_func_delete() at state.c:1310) | pstats #4 ikev1.isakmp deleted other | [RE]START processing: state #4 connection "modecfg-road-east" from 192.1.2.23:500 (in delete_state() at state.c:879) "modecfg-road-east" #4: deleting state (STATE_MAIN_I1) aged 0.727s and NOT sending notification | parent state #4: MAIN_I1(half-open IKE SA) => delete | state #4 requesting EVENT_RETRANSMIT to be deleted | #4 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x556676d3e3e0 | free_event_entry: release EVENT_RETRANSMIT-pe@0x556676d42680 | State DB: IKEv1 state not found (flush_incomplete_children) | picked newest_isakmp_sa #0 for #4 "modecfg-road-east" #4: deleting IKE SA for connection 'modecfg-road-east' but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS | add revival: connection 'modecfg-road-east' added to the list and scheduled for 5 seconds | global one-shot timer EVENT_REVIVE_CONNS scheduled in 5 seconds | stop processing: connection "modecfg-road-east" (BACKGROUND) (in update_state_connection() at connections.c:4037) | start processing: connection NULL (in update_state_connection() at connections.c:4038) | in connection_discard for connection modecfg-road-east | State DB: deleting IKEv1 state #4 in MAIN_I1 | parent state #4: MAIN_I1(half-open IKE SA) => UNDEFINED(ignore) | stop processing: state #4 from 192.1.2.23:500 (in delete_state() at state.c:1143) | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1312) | pass 1 | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete | shunt_eroute() called for connection 'modecfg-road-east' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.19/32:0 --0->- 0.0.0.0/0:0 | netlink_shunt_eroute for proto 0, and source 192.0.2.19/32:0 dest 0.0.0.0/0:0 | priority calculation of connection "modecfg-road-east" is 0xfdfff | priority calculation of connection "modecfg-road-east" is 0xfdfff | FOR_EACH_CONNECTION_... in route_owner | conn modecfg-road-east mark 0/00000000, 0/00000000 vs | conn modecfg-road-east mark 0/00000000, 0/00000000 | route owner of "modecfg-road-east" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-east' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMAN | popen cmd is 1318 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='modecfg-road-e: | cmd( 80):ast' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.209' : | cmd( 160):PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=ro: | cmd( 240):ad.testing.libreswan.org, E=user-road@testing.libreswan.org' PLUTO_MY_CLIENT='19: | cmd( 320):2.0.2.19/32' PLUTO_MY_CLIENT_NET='192.0.2.19' PLUTO_MY_CLIENT_MASK='255.255.255.: | cmd( 400):255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYP: | cmd( 480):E='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PL: | cmd( 720):UTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO: | cmd( 800):_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENC: | cmd( 880):RYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN: | cmd( 960):_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 : | cmd(1040):PLUTO_MY_SOURCEIP='192.0.2.19' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PL: | cmd(1120):UTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIE: | cmd(1200):NT='1' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI: | cmd(1280):_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. | free hp@0x556676d46fa0 | flush revival: connection 'modecfg-road-east' revival flushed | processing: STOP connection NULL (in discard_connection() at connections.c:249) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.1.3.209:4500 shutting down interface eth0/eth0 192.1.3.209:500 | FOR_EACH_STATE_... in delete_states_dead_interfaces | libevent_free: release ptr-libevent@0x556676d3c4b0 | free_event_entry: release EVENT_NULL-pe@0x556676d249e0 | libevent_free: release ptr-libevent@0x556676d3c560 | free_event_entry: release EVENT_NULL-pe@0x556676d25a00 | libevent_free: release ptr-libevent@0x556676d3c650 | free_event_entry: release EVENT_NULL-pe@0x556676d3c610 | libevent_free: release ptr-libevent@0x556676d3c740 | free_event_entry: release EVENT_NULL-pe@0x556676d3c700 | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | libevent_free: release ptr-libevent@0x556676d3bd70 | free_event_entry: release EVENT_NULL-pe@0x556676d24900 | libevent_free: release ptr-libevent@0x556676d317f0 | free_event_entry: release EVENT_NULL-pe@0x556676d24b40 | libevent_free: release ptr-libevent@0x556676d31760 | free_event_entry: release EVENT_NULL-pe@0x556676d2a690 | global timer EVENT_REINIT_SECRET uninitialized | global timer EVENT_SHUNT_SCAN uninitialized | global timer EVENT_PENDING_DDNS uninitialized | global timer EVENT_PENDING_PHASE2 uninitialized | global timer EVENT_CHECK_CRLS uninitialized | global timer EVENT_REVIVE_CONNS uninitialized | global timer EVENT_FREE_ROOT_CERTS uninitialized | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized | global timer EVENT_NAT_T_KEEPALIVE uninitialized | libevent_free: release ptr-libevent@0x556676d3bf50 | signal event handler PLUTO_SIGCHLD uninstalled | libevent_free: release ptr-libevent@0x556676d3c030 | signal event handler PLUTO_SIGTERM uninstalled | libevent_free: release ptr-libevent@0x556676d3c0f0 | signal event handler PLUTO_SIGHUP uninstalled | libevent_free: release ptr-libevent@0x556676d30a60 | signal event handler PLUTO_SIGSYS uninstalled | releasing event base | libevent_free: release ptr-libevent@0x556676d3c1b0 | libevent_free: release ptr-libevent@0x556676cd9280 | libevent_free: release ptr-libevent@0x556676d1fcc0 | libevent_free: release ptr-libevent@0x556676d51ee0 | libevent_free: release ptr-libevent@0x556676d1fce0 | libevent_free: release ptr-libevent@0x556676d3be00 | libevent_free: release ptr-libevent@0x556676d3bff0 | libevent_free: release ptr-libevent@0x556676d1fe80 | libevent_free: release ptr-libevent@0x556676d2a5f0 | libevent_free: release ptr-libevent@0x556676d2a5d0 | libevent_free: release ptr-libevent@0x556676d3c7d0 | libevent_free: release ptr-libevent@0x556676d3c6e0 | libevent_free: release ptr-libevent@0x556676d3c5f0 | libevent_free: release ptr-libevent@0x556676d3c540 | libevent_free: release ptr-libevent@0x556676d1fd70 | libevent_free: release ptr-libevent@0x556676d3c0d0 | libevent_free: release ptr-libevent@0x556676d3c010 | libevent_free: release ptr-libevent@0x556676d3bf30 | libevent_free: release ptr-libevent@0x556676d3c190 | libevent_free: release ptr-libevent@0x556676d3be20 | libevent_free: release ptr-libevent@0x556676d1fd00 | libevent_free: release ptr-libevent@0x556676d1fd30 | libevent_free: release ptr-libevent@0x556676d1fa20 | releasing global libevent data | libevent_free: release ptr-libevent@0x556676d1e260 | libevent_free: release ptr-libevent@0x556676d1e290 | libevent_free: release ptr-libevent@0x556676d1f9f0