FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:17922 core dump dir: /var/tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55c0cf6a9ec0 size 40 | libevent_malloc: new ptr-libevent@0x55c0cf6a9ef0 size 40 | libevent_malloc: new ptr-libevent@0x55c0cf6ab1e0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55c0cf6ab1a0 size 56 | libevent_malloc: new ptr-libevent@0x55c0cf6ab210 size 664 | libevent_malloc: new ptr-libevent@0x55c0cf6ab4b0 size 24 | libevent_malloc: new ptr-libevent@0x55c0cf69cc50 size 384 | libevent_malloc: new ptr-libevent@0x55c0cf6ab4d0 size 16 | libevent_malloc: new ptr-libevent@0x55c0cf6ab4f0 size 40 | libevent_malloc: new ptr-libevent@0x55c0cf6ab520 size 48 | libevent_realloc: new ptr-libevent@0x55c0cf62d370 size 256 | libevent_malloc: new ptr-libevent@0x55c0cf6ab560 size 16 | libevent_free: release ptr-libevent@0x55c0cf6ab1a0 | libevent initialized | libevent_realloc: new ptr-libevent@0x55c0cf6ab580 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 started thread for crypto helper 2 started thread for crypto helper 3 started thread for crypto helper 4 started thread for crypto helper 5 started thread for crypto helper 6 | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | starting up helper thread 4 | MAIN_R2: category: open IKE SA flags: 0: | status value returned by setting the priority of this thread (crypto helper 4) 22 | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | crypto helper 4 waiting (nothing to do) | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55c0cf6b0c20 | libevent_malloc: new ptr-libevent@0x55c0cf6bcd40 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6aff00 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55c0cf6b0be0 | libevent_malloc: new ptr-libevent@0x55c0cf6bcdd0 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6aff20 size 16 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) | starting up helper thread 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) | starting up helper thread 5 | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55c0cf6ab1a0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7340 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c73d0 size 16 | libevent_realloc: new ptr-libevent@0x55c0cf62b6c0 size 256 | libevent_malloc: new ptr-libevent@0x55c0cf6c73f0 size 8 | libevent_realloc: new ptr-libevent@0x55c0cf6bc140 size 144 | libevent_malloc: new ptr-libevent@0x55c0cf6c7410 size 152 | libevent_malloc: new ptr-libevent@0x55c0cf6c74b0 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55c0cf6c74d0 size 8 | libevent_malloc: new ptr-libevent@0x55c0cf6c74f0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55c0cf6c7590 size 8 | libevent_malloc: new ptr-libevent@0x55c0cf6c75b0 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55c0cf6c7650 size 8 | libevent_realloc: release ptr-libevent@0x55c0cf6bc140 | libevent_realloc: new ptr-libevent@0x55c0cf6c7670 size 256 | libevent_malloc: new ptr-libevent@0x55c0cf6bc140 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:18065) using fork+execve | forked child 18065 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c79e0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7a20 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7ab0 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7ad0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7b10 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7ba0 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7bc0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7c00 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7c90 size 16 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7cb0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7cf0 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7d80 size 16 | setup callback for interface eth0 192.0.2.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7da0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7de0 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7e70 size 16 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7e90 | libevent_malloc: new ptr-libevent@0x55c0cf6c7ed0 size 128 | libevent_malloc: new ptr-libevent@0x55c0cf6c7f60 size 16 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.482 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | no interfaces to sort | libevent_free: release ptr-libevent@0x55c0cf6c7a20 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c79e0 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c79e0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7a20 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55c0cf6c7b10 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c7ad0 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7ad0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7b10 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55c0cf6c7c00 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c7bc0 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7bc0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7c00 size 128 | setup callback for interface eth0 192.0.2.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55c0cf6c7cf0 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c7cb0 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7cb0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7cf0 size 128 | setup callback for interface eth0 192.0.2.254:500 fd 19 | libevent_free: release ptr-libevent@0x55c0cf6c7de0 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c7da0 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7da0 | libevent_malloc: new ptr-libevent@0x55c0cf6c7de0 size 128 | setup callback for interface eth1 192.1.2.23:4500 fd 18 | libevent_free: release ptr-libevent@0x55c0cf6c7ed0 | free_event_entry: release EVENT_NULL-pe@0x55c0cf6c7e90 | add_fd_read_event_handler: new ethX-pe@0x55c0cf6c7e90 | libevent_malloc: new ptr-libevent@0x55c0cf6c7ed0 size 128 | setup callback for interface eth1 192.1.2.23:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | saving Modulus | saving PublicExponent | ignoring PrivateExponent | ignoring Prime1 | ignoring Prime2 | ignoring Exponent1 | ignoring Exponent2 | ignoring Coefficient | ignoring CKAIDNSS | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 loaded private key for keyid: PKK_RSA:AQO9bJbr3 | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.346 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 18065 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0147 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection xauth-road-eastnet with policy ENCRYPT+TUNNEL+PFS+XAUTH+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | No AUTH policy was set - defaulting to RSASIG | counting wild cards for @road is 0 | counting wild cards for @east is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp@(nil): none | new hp@0x55c0cf694560 added connection description "xauth-road-eastnet" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east,+XS+S=C]...%any[@road,+XC+S=C] | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.114 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) add keyid @road | add pubkey 01 03 c7 15 fa 72 27 70 a4 e1 f3 0a 70 21 f9 0c | add pubkey 3f e2 65 12 87 d9 fd 12 cb af d4 e0 c2 e3 dd 77 | add pubkey a0 ef aa c7 d6 a2 b2 30 f2 64 b0 c5 e6 c7 a7 27 | add pubkey 17 54 7a 8e 32 c9 ac fd bf 8f b3 33 b9 74 74 73 | add pubkey dd 23 83 11 53 d6 d4 91 0e 36 7e 67 fc 89 1e 48 | add pubkey ac e9 da 2e 66 9d 6e 4f e2 98 a7 dc 41 b3 a4 37 | add pubkey f5 07 a9 9c 23 69 83 54 87 7b ea 00 a7 5b ab 2d | add pubkey 41 34 d1 a3 17 1e a7 64 2d 7f ff 45 7a 5d 85 5c | add pubkey 73 dd 63 e7 40 ad eb 71 e6 5f 21 43 80 f5 23 4c | add pubkey 3d 4a 11 2c ca 9a d6 79 c5 c2 51 6e af c3 6e 99 | add pubkey f5 26 1c 67 ee 8a 3e 30 4b c1 93 a7 92 34 36 8c | add pubkey bf e6 d0 d3 fe 78 0b 0a 64 04 44 ca 8c 83 fd f1 | add pubkey 2e b5 00 76 61 a6 de f1 59 67 2b 6d c2 57 e0 f2 | add pubkey 7d 6b 9f d3 46 41 8c 31 c2 fd c4 60 72 08 3b bb | add pubkey 56 fb 01 fc 1d 57 4e cf 7c 0f c4 6f 72 6f 2a 0e | add pubkey f3 30 db a0 80 f9 70 cc bb 07 a9 f9 d7 76 99 63 | add pubkey 4b 6a 0f 1a 37 95 cb 9b ea 17 f7 55 62 6b 8a 83 | add pubkey 05 ff 43 78 57 dd bd 08 85 9c f1 62 35 6e 69 c7 | add pubkey 04 0b 4b c4 1b d2 38 89 8c de 56 d0 c8 2c 51 54 | add pubkey 32 1b 7d 27 dc cd 37 7a 4e cb 1a ec d2 ce 48 ed | add pubkey 43 48 9c 8a fc 30 9f b1 57 1c a9 98 e5 84 93 6c | add pubkey da 4d cc 95 e3 f5 f2 a5 b3 9d 70 ae 24 8d 08 3b | add pubkey 0f 8c e9 5a a5 f0 4d 9c 3c 2f 7f bc 10 95 34 1c | add pubkey 96 74 29 fc ab fb 8f 4b 71 aa 0b 26 b5 f0 32 98 | add pubkey 90 6a fd 31 f5 ab | computed rsa CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2 | computed rsa CKAID 59 b0 ef 45 | keyid: *AQPHFfpyJ | n c7 15 fa 72 27 70 a4 e1 f3 0a 70 21 f9 0c 3f e2 | n 65 12 87 d9 fd 12 cb af d4 e0 c2 e3 dd 77 a0 ef | n aa c7 d6 a2 b2 30 f2 64 b0 c5 e6 c7 a7 27 17 54 | n 7a 8e 32 c9 ac fd bf 8f b3 33 b9 74 74 73 dd 23 | n 83 11 53 d6 d4 91 0e 36 7e 67 fc 89 1e 48 ac e9 | n da 2e 66 9d 6e 4f e2 98 a7 dc 41 b3 a4 37 f5 07 | n a9 9c 23 69 83 54 87 7b ea 00 a7 5b ab 2d 41 34 | n d1 a3 17 1e a7 64 2d 7f ff 45 7a 5d 85 5c 73 dd | n 63 e7 40 ad eb 71 e6 5f 21 43 80 f5 23 4c 3d 4a | n 11 2c ca 9a d6 79 c5 c2 51 6e af c3 6e 99 f5 26 | n 1c 67 ee 8a 3e 30 4b c1 93 a7 92 34 36 8c bf e6 | n d0 d3 fe 78 0b 0a 64 04 44 ca 8c 83 fd f1 2e b5 | n 00 76 61 a6 de f1 59 67 2b 6d c2 57 e0 f2 7d 6b | n 9f d3 46 41 8c 31 c2 fd c4 60 72 08 3b bb 56 fb | n 01 fc 1d 57 4e cf 7c 0f c4 6f 72 6f 2a 0e f3 30 | n db a0 80 f9 70 cc bb 07 a9 f9 d7 76 99 63 4b 6a | n 0f 1a 37 95 cb 9b ea 17 f7 55 62 6b 8a 83 05 ff | n 43 78 57 dd bd 08 85 9c f1 62 35 6e 69 c7 04 0b | n 4b c4 1b d2 38 89 8c de 56 d0 c8 2c 51 54 32 1b | n 7d 27 dc cd 37 7a 4e cb 1a ec d2 ce 48 ed 43 48 | n 9c 8a fc 30 9f b1 57 1c a9 98 e5 84 93 6c da 4d | n cc 95 e3 f5 f2 a5 b3 9d 70 ae 24 8d 08 3b 0f 8c | n e9 5a a5 f0 4d 9c 3c 2f 7f bc 10 95 34 1c 96 74 | n 29 fc ab fb 8f 4b 71 aa 0b 26 b5 f0 32 98 90 6a | n fd 31 f5 ab | e 03 | CKAID 1a 15 cc e8 92 73 43 9c 2b f4 20 2a c1 06 6e f2 | CKAID 59 b0 ef 45 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.156 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) add keyid @east | add pubkey 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b | add pubkey e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 | add pubkey 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c | add pubkey 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 | add pubkey 21 c9 f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d | add pubkey d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 | add pubkey 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce | add pubkey 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e | add pubkey bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d | add pubkey ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce | add pubkey e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a | add pubkey 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 | add pubkey 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 | add pubkey 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 | add pubkey d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c | add pubkey 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 | add pubkey 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 | add pubkey 51 51 48 ef | computed rsa CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | computed rsa CKAID 8a 82 25 f1 | keyid: *AQO9bJbr3 | n bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b e5 16 | n c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 85 7a | n e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c 78 ca | n 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 21 c9 | n f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d d2 67 | n 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 62 cd | n 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce 62 b5 | n af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e bb 23 | n 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d ac 47 | n f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce e0 98 | n 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a 92 b8 | n 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 4d 58 | n 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 5f 56 | n 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 d5 f1 | n 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c 47 cc | n 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 07 8f | n 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 51 51 | n 48 ef | e 03 | CKAID 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 | CKAID 8a 82 25 f1 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.109 milliseconds in whack | spent 0.00291 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 804 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 18 ed 1e 4b 88 fb a0 90 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 24 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 fd ed 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 fd ed | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 fd ed 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 fd ed 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 fd ed 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 fd ed | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 fd ed 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 fd ed 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 fd ed 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 fd ed | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 fd ed 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 fd ed 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 fd ed 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 fd ed 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 fd ed 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 fd ed 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd ed 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 804 (0x324) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1_init) | #null state always idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 644 (0x284) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inI1_outR1' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [XAUTH] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] | Ignoring older NAT-T Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] | in statetime_start() with no state | find_host_connection local=192.1.2.23:500 remote=192.1.3.209:500 policy=IKEV1_ALLOW but ignoring ports | find_next_host_connection policy=IKEV1_ALLOW | find_next_host_connection returns empty | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 6 (0x6) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 32 (0x20) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+XAUTH+IKEV1_ALLOW but ignoring ports | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports | find_next_host_connection policy=RSASIG+XAUTH+IKEV1_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+XAUTH+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (xauth-road-eastnet) | find_next_host_connection returns xauth-road-eastnet | find_next_host_connection policy=RSASIG+XAUTH+IKEV1_ALLOW | find_next_host_connection returns empty | instantiating "xauth-road-eastnet" for initial Main Mode message received on 192.1.2.23:500 | connect_to_host_pair: 192.1.2.23:500 192.1.3.209:500 -> hp@(nil): none | new hp@0x55c0cf6c8d50 | rw_instantiate() instantiated "xauth-road-eastnet"[1] 192.1.3.209 for 192.1.3.209 | creating state object #1 at 0x55c0cf6cb140 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | #1 updating local interface from to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2668) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in main_inI1_outR1() at ikev1_main.c:667) | parent state #1: UNDEFINED(ignore) => MAIN_R0(half-open IKE SA) | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | ICOOKIE-DUMP: 18 ed 1e 4b 88 fb a0 90 "xauth-road-eastnet"[1] 192.1.3.209 #1: responding to Main Mode from unknown peer 192.1.3.209:500 | **emit ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 632 (0x278) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65005 (0xfded) | [65005 is XAUTHInitRSA] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | attributes 80 03 fd ed 80 04 00 0e 80 0e 01 00 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 56 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 156 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | parent state #1: MAIN_R0(half-open IKE SA) => MAIN_R1(open IKE SA) | event_already_set, deleting event | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 156 bytes for STATE_MAIN_R0 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 01 10 02 00 00 00 00 00 00 00 00 9c 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 fd ed 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 | df d6 b7 12 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 00 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f | !event_already_set at reschedule | event_schedule: new EVENT_SO_DISCARD-pe@0x55c0cf6c8ff0 | inserting event EVENT_SO_DISCARD, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 "xauth-road-eastnet"[1] 192.1.3.209 #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 1.51 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00241 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | b6 1d 5b 4a 30 2e b8 9c 77 44 3a 1e 2a 60 a6 6c | 57 03 90 16 07 11 d0 94 24 2c 81 c6 79 e5 ba d2 | 59 a0 46 70 e2 a5 25 30 a3 d5 61 18 88 a2 f5 9a | 27 fe 33 63 1e 19 4d 01 40 be b6 df 38 a8 db 15 | e4 48 e4 bc ef af 0d 80 86 8f 45 da 8c 73 8b 9f | 9b d1 dc 69 fd a7 a8 03 2b ca 09 49 96 52 ac 70 | 1c 6a 47 23 0b 40 47 b7 b1 09 00 0c 2e 61 83 28 | f1 bc 5a 5e 6b 68 61 30 e5 40 90 f3 cc 73 22 6c | 97 9f fd 25 06 e9 d4 52 5e 6c fd a5 27 cb c7 c4 | c0 0b 60 43 bc 34 0f 83 22 2a c8 3e 7f 0f 2d 36 | 47 ad 7a 9d d2 38 ff 1d ca 0f 44 88 8b cd bc 30 | 1f fc bb b0 2e ce 72 61 e6 77 b8 cb 06 59 3d 90 | 49 b4 ed e0 bc 8d f7 bb aa ac 34 36 a3 a0 85 b1 | 60 16 a4 f0 4d 7a 04 61 f5 82 f2 d3 e6 8e 00 af | f0 88 fb 94 cb bc f5 78 b4 f1 ab 36 43 87 3b c3 | 59 54 20 e8 08 f9 76 26 91 83 76 15 2a 56 c7 b4 | 14 00 00 24 3c fd 4b d7 ab d2 fe 40 ff b5 e8 1e | 6f 06 eb d4 0a 60 2b b6 64 b2 b0 40 4e bf 5f 43 | 32 b5 1e cc 14 00 00 24 e6 ba a1 07 b6 b7 7d 83 | 10 58 fb b8 0f e4 2b 1b 18 7a 78 24 e9 b3 e2 10 | c8 0b 11 41 60 f1 f7 68 00 00 00 24 2a 64 c6 25 | 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f 1f 65 9a 60 | fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R1 (find_state_ikev1) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inI2_outR2' HASH payload not checked early | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55c0ce38ac40(32) | natd_hash: icookie= 18 ed 1e 4b 88 fb a0 90 | natd_hash: rcookie= 14 dd 6a d7 ad 65 53 88 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= e6 ba a1 07 b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b | natd_hash: hash= 18 7a 78 24 e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | natd_hash: hasher=0x55c0ce38ac40(32) | natd_hash: icookie= 18 ed 1e 4b 88 fb a0 90 | natd_hash: rcookie= 14 dd 6a d7 ad 65 53 88 | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= 2a 64 c6 25 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f | natd_hash: hash= 1f 65 9a 60 fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | expected NAT-D(me): e6 ba a1 07 b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b | expected NAT-D(me): 18 7a 78 24 e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | expected NAT-D(him): | 2a 64 c6 25 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f | 1f 65 9a 60 fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | received NAT-D: e6 ba a1 07 b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b | received NAT-D: 18 7a 78 24 e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | received NAT-D: 2a 64 c6 25 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f | received NAT-D: 1f 65 9a 60 fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.209 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | adding inI2_outR2 KE work-order 1 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_SO_DISCARD-pe@0x55c0cf6c8ff0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c0cf6c8ff0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | crypto helper 4 resuming | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 4 starting work-order 1 for state #1 | #1 spent 0.12 milliseconds in process_packet_tail() | crypto helper 4 doing build KE and nonce (inI2_outR2 KE); request ID 1 | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.274 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 4 finished build KE and nonce (inI2_outR2 KE); request ID 1 time elapsed 0.001013 seconds | (#1) spent 1.02 milliseconds in crypto helper computing work-order 1: inI2_outR2 KE (pcr) | crypto helper 4 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fd3c8006900 size 128 | crypto helper 4 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 4 replies to request ID 1 | calling continuation function 0x55c0ce2b4630 | main_inI2_outR2_continue for #1: calculated ke+nonce, sending R2 | **emit ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value a4 bc 13 31 72 94 82 94 48 f5 47 78 a0 8f d8 8b | keyex value c9 52 08 9d 66 79 35 b3 77 e9 a7 61 6c 98 db 36 | keyex value 2d e4 1e 43 53 d7 ce 1f ee 93 76 df 9c e3 ac e3 | keyex value 6d ba 47 c1 b6 06 43 e8 ae d6 ce 35 8e 44 03 f5 | keyex value 67 99 fa 41 39 cd f8 8f e4 77 67 05 bc 9b ac 55 | keyex value 7f 89 96 27 a6 62 4a 9e 09 d5 33 0f 41 27 39 5d | keyex value 44 2a f1 40 d4 3c e6 56 0c a3 ab 77 10 cb ee d5 | keyex value f2 d8 cc 33 12 5a e9 54 08 d5 c7 db 6f 20 ea 8c | keyex value 35 c5 bf 07 4e d4 bc 18 35 70 1f b1 33 71 af a8 | keyex value f3 ae 92 91 3b a8 a8 44 55 da ca 77 28 64 41 79 | keyex value ad dd ae 8b ec 26 4a 71 49 c4 6c c9 00 ae eb 0f | keyex value af 83 51 86 74 3b eb f0 26 11 84 92 ce d6 7b 35 | keyex value 88 e6 2c cf d0 13 ad c0 0a 0d fb 5c 43 7a d8 8e | keyex value 48 ec a2 16 90 cd a7 09 bb 72 61 67 aa ea 56 de | keyex value 2a a8 24 ca d8 90 f8 95 c8 f4 64 eb bd 01 e7 b6 | keyex value 21 ce 1f 39 b2 22 52 57 a9 7b b6 fd bb 33 a3 ed | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Nr into ISAKMP Nonce Payload | Nr fa 3c 21 ca f9 6d d3 8b 59 6a 8e 06 cf 4c e1 92 | Nr 6e 6b 9a 20 24 bf fd e0 49 aa 45 9b fb 93 43 71 | emitting length of ISAKMP Nonce Payload: 36 | sending NAT-D payloads | natd_hash: hasher=0x55c0ce38ac40(32) | natd_hash: icookie= 18 ed 1e 4b 88 fb a0 90 | natd_hash: rcookie= 14 dd 6a d7 ad 65 53 88 | natd_hash: ip= c0 01 03 d1 | natd_hash: port= 01 f4 | natd_hash: hash= 2a 64 c6 25 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f | natd_hash: hash= 1f 65 9a 60 fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 2a 64 c6 25 1f df 71 c7 e9 6c 6e ae 9e a0 26 3f | NAT-D 1f 65 9a 60 fc 04 05 13 fd 4d b1 1b 18 fd 7b 4b | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55c0ce38ac40(32) | natd_hash: icookie= 18 ed 1e 4b 88 fb a0 90 | natd_hash: rcookie= 14 dd 6a d7 ad 65 53 88 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= e6 ba a1 07 b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b | natd_hash: hash= 18 7a 78 24 e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D e6 ba a1 07 b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b | NAT-D 18 7a 78 24 e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | main inI2_outR2: starting async DH calculation (group=14) | started looking for secret for @east->@road of kind PKK_PSK | actually looking for secret for @east->@road of kind PKK_PSK | line 1: key type PKK_PSK(@east) to type PKK_RSA | concluding with best_match=000 best=(nil) (lineno=-1) | no PreShared Key Found | adding main_inI2_outR2_tail work-order 2 for state #1 | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c0cf6c8ff0 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55c0cf6c8ff0 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | #1 main_inI2_outR2_continue1_tail:1158 st->st_calculating = FALSE; | complete v1 state transition with STF_OK | crypto helper 0 resuming | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle; has background offloaded task | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2 | crypto helper 0 starting work-order 2 for state #1 | parent state #1: MAIN_R1(open IKE SA) => MAIN_R2(open IKE SA) | crypto helper 0 doing compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55c0cf6c8ff0 | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 396 bytes for STATE_MAIN_R1 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | a4 bc 13 31 72 94 82 94 48 f5 47 78 a0 8f d8 8b | c9 52 08 9d 66 79 35 b3 77 e9 a7 61 6c 98 db 36 | 2d e4 1e 43 53 d7 ce 1f ee 93 76 df 9c e3 ac e3 | 6d ba 47 c1 b6 06 43 e8 ae d6 ce 35 8e 44 03 f5 | 67 99 fa 41 39 cd f8 8f e4 77 67 05 bc 9b ac 55 | 7f 89 96 27 a6 62 4a 9e 09 d5 33 0f 41 27 39 5d | 44 2a f1 40 d4 3c e6 56 0c a3 ab 77 10 cb ee d5 | f2 d8 cc 33 12 5a e9 54 08 d5 c7 db 6f 20 ea 8c | 35 c5 bf 07 4e d4 bc 18 35 70 1f b1 33 71 af a8 | f3 ae 92 91 3b a8 a8 44 55 da ca 77 28 64 41 79 | ad dd ae 8b ec 26 4a 71 49 c4 6c c9 00 ae eb 0f | af 83 51 86 74 3b eb f0 26 11 84 92 ce d6 7b 35 | 88 e6 2c cf d0 13 ad c0 0a 0d fb 5c 43 7a d8 8e | 48 ec a2 16 90 cd a7 09 bb 72 61 67 aa ea 56 de | 2a a8 24 ca d8 90 f8 95 c8 f4 64 eb bd 01 e7 b6 | 21 ce 1f 39 b2 22 52 57 a9 7b b6 fd bb 33 a3 ed | 14 00 00 24 fa 3c 21 ca f9 6d d3 8b 59 6a 8e 06 | cf 4c e1 92 6e 6b 9a 20 24 bf fd e0 49 aa 45 9b | fb 93 43 71 14 00 00 24 2a 64 c6 25 1f df 71 c7 | e9 6c 6e ae 9e a0 26 3f 1f 65 9a 60 fc 04 05 13 | fd 4d b1 1b 18 fd 7b 4b 00 00 00 24 e6 ba a1 07 | b6 b7 7d 83 10 58 fb b8 0f e4 2b 1b 18 7a 78 24 | e9 b3 e2 10 c8 0b 11 41 60 f1 f7 68 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55c0cf6c8ff0 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | #1 STATE_MAIN_R2: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50020.697616 "xauth-road-eastnet"[1] 192.1.3.209 #1: STATE_MAIN_R2: sent MR2, expecting MI3 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.353 milliseconds in resume sending helper answer | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd3c8006900 | crypto helper 0 finished compute dh+iv (V1 Phase 1) (main_inI2_outR2_tail); request ID 2 time elapsed 0.001564 seconds | (#1) spent 1.22 milliseconds in crypto helper computing work-order 2: main_inI2_outR2_tail (pcr) | crypto helper 0 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7fd3c0004f00 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 2 | calling continuation function 0x55c0ce2b4630 | main_inI2_outR2_calcdone for #1: calculate DH finished | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1008) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in main_inI2_outR2_continue2() at ikev1_main.c:1021) | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.022 milliseconds in resume sending helper answer | processing: STOP state #0 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7fd3c0004f00 | spent 0.00319 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 444 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 05 10 02 01 00 00 00 00 00 00 01 bc 86 ba 05 41 | dc ab f0 77 e0 61 c8 7c c1 d3 9c 1c 86 8d b4 06 | c3 b7 86 b2 53 61 f4 f7 79 c7 02 04 98 7e a6 ff | a2 bb 95 37 b8 02 87 1c 0f b1 bc 5d 99 ea 7e fa | 60 68 90 58 d2 c7 26 69 28 00 7f 85 81 46 e6 f8 | a4 a7 13 db 29 13 10 29 e3 ba 6f 6c dd 5a 53 c7 | 33 a8 e3 55 87 79 63 b8 f9 17 ea c4 1e c7 2a f9 | d6 ae 4f 4f d0 c7 c1 57 47 4a 4d 70 89 b5 2f 73 | 72 7b 71 06 06 24 bc f9 f7 8a af 6a d2 5c 7e 5a | 2a 94 fe d7 25 fa f5 cc 24 1c 4f 41 e3 a9 ec 6b | 3f f6 5f ef 0d 59 71 4d 01 f7 2f 61 54 4e 0a b3 | 78 3d 4e e3 b9 0d ee 44 0a 71 73 65 02 d8 a8 52 | 94 2d 15 8e 2c a3 64 bc 86 05 42 4c 2b 18 d3 8b | a0 f7 41 39 4c 5c e3 5e 9c 53 a0 78 cf 2c 42 f4 | 16 8f 21 be 1f d0 34 63 7c e0 9d ea 8d 93 a9 61 | 58 cb 9f 86 79 13 65 68 a5 f6 21 c4 ff 8a d1 64 | c9 f2 62 27 aa 70 f7 65 43 9f 50 76 70 37 83 c9 | 76 49 37 f5 e3 6a ec d9 18 dc 50 b8 5f 11 d1 43 | 19 02 2a 3e eb 67 70 9c 96 eb 23 33 98 81 49 0c | c7 cb 04 45 62 2e a4 56 26 e9 95 e3 f9 14 44 23 | d7 27 2e 2b 63 7a b7 47 9e 78 5b 4a 97 34 3c cf | be cd 77 bd c8 05 0b f4 bf a6 33 d1 5b 33 0b 45 | 41 3b 95 3a e0 ab 97 7e fa 14 51 ea 62 65 55 82 | e1 ca 99 29 e2 5d 4f d5 56 04 e1 75 a4 71 da 50 | 71 0e 3e 5f fa 2d ec 38 c5 c8 af 23 ff dd 67 6c | 84 c3 a7 23 fb 56 36 9f bc a9 28 12 54 a8 6a ce | 22 32 cd 1d 02 99 4a fe 96 15 ab 39 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 444 (0x1bc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_R2 (find_state_ikev1) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x220 opt: 0x20c0 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_SIG (0x9) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 72 6f 61 64 | got payload 0x200 (ISAKMP_NEXT_SIG) needed: 0x200 opt: 0x20c0 | ***parse ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 392 (0x188) | removing 12 bytes of padding | message 'main_inI3_outR3' HASH payload not checked early "xauth-road-eastnet"[1] 192.1.3.209 #1: Peer ID is ID_FQDN: '@road' | X509: no CERT payloads to process | refine_host_connection for IKEv1: starting with "xauth-road-eastnet"[1] 192.1.3.209 | match_id a=@road | b=@road | results matched | refine_host_connection: checking "xauth-road-eastnet"[1] 192.1.3.209 against "xauth-road-eastnet"[1] 192.1.3.209, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked xauth-road-eastnet[1] 192.1.3.209 against xauth-road-eastnet[1] 192.1.3.209, now for see if best | started looking for secret for @east->@road of kind PKK_RSA | actually looking for secret for @east->@road of kind PKK_RSA | line 1: key type PKK_RSA(@east) to type PKK_RSA | 1: compared key (none) to @east / @road -> 002 | 2: compared key (none) to @east / @road -> 002 | line 1: match=002 | match 002 beats previous best_match 000 match=0x55c0cf6bcf20 (line=1) | concluding with best_match=002 best=0x55c0cf6bcf20 (lineno=1) | returning because exact peer id match | offered CA: '%none' | required RSA CA is '%any' | checking RSA keyid '@east' for match with '@road' | checking RSA keyid '@road' for match with '@road' | RSA key issuer CA is '%any' | an RSA Sig check passed with *AQPHFfpyJ [preloaded keys] | #1 spent 0.0673 milliseconds in try_all_keys() trying a pubkey "xauth-road-eastnet"[1] 192.1.3.209 #1: Authenticated using RSA | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because I do not have one. | **emit ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_SIG (0x9) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 9:ISAKMP_NEXT_SIG | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | started looking for secret for @east->@road of kind PKK_RSA | actually looking for secret for @east->@road of kind PKK_RSA | line 1: key type PKK_RSA(@east) to type PKK_RSA | 1: compared key (none) to @east / @road -> 002 | 2: compared key (none) to @east / @road -> 002 | line 1: match=002 | match 002 beats previous best_match 000 match=0x55c0cf6bcf20 (line=1) | concluding with best_match=002 best=0x55c0cf6bcf20 (lineno=1) | ***emit ISAKMP Signature Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Signature Payload (9:ISAKMP_NEXT_SIG) | next payload chain: saving location 'ISAKMP Signature Payload'.'next payload type' in 'reply packet' | emitting 274 raw bytes of SIG_R into ISAKMP Signature Payload | SIG_R 7c 8c 0b 94 5a 35 12 ad 93 89 6a dc 5c 4c d8 e1 | SIG_R 3d 3b 17 03 17 fe 58 7c 02 a0 e8 72 88 f4 11 23 | SIG_R 88 e8 07 b8 71 1b 31 12 86 e1 0c 56 5a 31 ca 6f | SIG_R 59 e6 e1 ef 1e 09 42 70 ed 35 64 14 7c 4d 05 71 | SIG_R 07 b1 cd 91 c0 59 b0 cf d3 cd e4 dd ad 75 b8 3e | SIG_R 38 38 de 32 71 13 a8 e8 c0 51 4e 89 b2 15 59 1d | SIG_R d9 9d e9 39 d9 71 89 14 26 a7 8f 2f e7 08 fb 2f | SIG_R 74 da 2e da db 4d 8b c2 a0 f0 ff fa 91 92 88 88 | SIG_R 6a 2f f5 c4 ed 04 e2 b5 0e 89 d2 f5 e9 38 88 e8 | SIG_R d3 e5 f6 4f 08 da 33 ff 3a 92 ba 59 f2 93 fd fc | SIG_R 0e d0 b6 ca 2c 82 9c ee 1b 49 63 1f a8 93 7a 24 | SIG_R 93 9d 56 c3 da 58 0d 8c 28 4c 69 92 99 73 39 eb | SIG_R e0 af 41 ee 7c db af 1a c3 9a 8a bf 86 f7 58 61 | SIG_R 1a 41 53 5f d4 d9 75 c7 e3 a8 fa b6 2b 6c 25 ac | SIG_R cb 60 71 16 9c f6 b6 96 1b 45 9c ac 9a 9f be 9b | SIG_R 53 b9 54 e5 fa 14 3f e9 b9 bd 43 d4 96 2b 7b 0c | SIG_R fe 52 f9 1c 4b 98 63 fc fb ea b1 11 77 b5 b0 2c | SIG_R 93 8a | emitting length of ISAKMP Signature Payload: 278 | emitting 14 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 332 | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | parent state #1: MAIN_R2(open IKE SA) => MAIN_R3(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_R3: retransmits: cleared | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c0cf6c8ff0 | sending reply packet to 192.1.3.209:500 (from 192.1.2.23:500) | sending 332 bytes for STATE_MAIN_R2 through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 05 10 02 01 00 00 00 00 00 00 01 4c c4 43 b9 d9 | f2 87 8d d6 f1 14 76 56 7b 89 95 ca be 67 1c 6b | 71 2d 2a 4f 9f fb e4 21 9f 64 e5 a9 75 85 f8 fe | e7 94 8b 75 4b e6 f7 bb 24 bf 73 8b 78 c4 30 8b | b5 14 56 cb 11 2d 3a c4 29 fb 2e 8c 06 46 91 7b | b5 57 10 71 9d 32 cc ff 54 39 4b 79 5d d2 ee 1c | 69 0d 1c d4 70 a0 eb 82 cb 33 4a cd 9d 29 7d 54 | a3 ec f9 b9 71 46 ca 06 6a 44 59 ab ad 1f 9b 32 | 78 f0 00 92 46 4e 68 8d 80 dd 2e c9 d4 48 fa 18 | fc af 4d 8a 05 a0 c7 df bb 0e 0a bc 7a 2f fe 45 | b8 09 0f dc f7 ef 01 23 03 c2 24 90 2b 90 7b 4e | 59 20 88 fe e7 4d a2 04 0d 40 6b b2 f8 96 fd 24 | 7c 0e 36 f4 74 77 22 ac 2b dd a8 7f 63 4a 41 c9 | ea b0 2e a6 ec 61 20 dd 16 d5 00 ba d7 ab ca f5 | 52 f4 d8 79 28 28 92 2f 8e b2 79 72 9b 91 66 84 | 43 11 5c 5a d6 de 0b 1d 4c 11 40 23 5b ee 5f 8a | f1 68 f4 12 ce 4f d8 be 80 c2 09 fc fd ec 34 10 | 83 1d 5a 66 7e f6 ac 59 ad 76 01 99 9a 75 e9 29 | 16 06 20 08 b3 31 e7 17 1e 8a 0d 9e aa 2a 86 7c | f5 ca 19 4a bf 2b a7 9f c9 6b 2c 6a | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55c0cf6d34a0 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | pstats #1 ikev1.isakmp established "xauth-road-eastnet"[1] 192.1.3.209 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH: Sending XAUTH Login/Password Request | event_schedule: new EVENT_v1_SEND_XAUTH-pe@0x55c0cf6ce740 | inserting event EVENT_v1_SEND_XAUTH, timeout in 0.08 seconds for #1 | libevent_malloc: new ptr-libevent@0x7fd3c8006900 size 128 | #1 spent 4.04 milliseconds | #1 spent 4.18 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 4.33 milliseconds in comm_handle_cb() reading and processing packet | timer_event_cb: processing event@0x55c0cf6ce740 | handling event EVENT_v1_SEND_XAUTH for parent state #1 | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in timer_event_cb() at timer.c:250) | XAUTH: event EVENT_v1_SEND_XAUTH #1 STATE_MAIN_R3 "xauth-road-eastnet"[1] 192.1.3.209 #1: XAUTH: Sending Username/Password request (MAIN_R3->XAUTH_R0) | parent state #1: MAIN_R3(established IKE SA) => XAUTH_R0(established IKE SA) | **emit ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 953433321 (0x38d43ce9) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'xauth_buf' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'xauth_buf' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 16 | XAUTH: send request HASH(1): | 4c f6 50 11 1f f0 0e 88 1e 81 0b c9 a6 23 fa 1d | 3d ab 25 e1 71 4c 10 b7 f4 cb d6 7e c2 fd 35 16 | no IKEv1 message padding required | emitting length of ISAKMP Message: 80 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | sending 92 bytes for XAUTH: req through eth1 from 192.1.2.23:500 to 192.1.3.209:500 (using #1) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 08 10 06 01 38 d4 3c e9 00 00 00 5c 40 85 79 a1 | b5 27 49 23 b6 63 54 b6 06 75 86 20 f9 f7 f9 0c | bc c8 5e d8 43 82 62 a5 fc d1 32 2e db 1c 7a 5f | 4c 2f e3 4a d6 ef 36 83 7a b6 da dd 6d 4f 8e c0 | 71 f2 50 c1 c2 87 66 bb 27 1d 8a 15 | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_SA_REPLACE-pe@0x55c0cf6d34a0 | event_schedule: new EVENT_RETRANSMIT-pe@0x55c0cf6d34a0 | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | #1 STATE_XAUTH_R0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50020.791364 | libevent_free: release ptr-libevent@0x7fd3c8006900 | free_event_entry: release EVENT_v1_SEND_XAUTH-pe@0x55c0cf6ce740 | #1 spent 0.239 milliseconds in timer_event_cb() EVENT_v1_SEND_XAUTH | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in timer_event_cb() at timer.c:557) | spent 0.00203 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 108 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 08 10 06 01 38 d4 3c e9 00 00 00 6c 06 55 a7 33 | 23 19 fc c0 c8 63 fe 36 63 6f bd dc 0c 89 9f c1 | 6d 6d 0e 0f 60 bf 86 50 bd 67 2a 99 b6 e3 f6 1b | 97 c5 68 02 e0 e7 0a f5 5e 11 66 84 3d 11 b0 86 | 22 a0 73 42 47 9a fc 36 50 b8 f2 f5 c4 81 41 b7 | f1 b3 cc 28 35 72 88 6f 23 90 88 78 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 953433321 (0x38d43ce9) | length: 108 (0x6c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=38d43ce9 st_msgid=00000000 st_msgid_phase15=38d43ce9 | p15 state object #1 found, in STATE_XAUTH_R0 | State DB: found IKEv1 state #1 in XAUTH_R0 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1778) | #1 is idle | #1 idle | received encrypted packet from 192.1.3.209:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 36 (0x24) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 34 (0x22) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | removing 10 bytes of padding | xauth_inR0 HASH(1): | 5d de c7 e4 f4 d1 89 cf 47 5b ee 3c 42 20 19 5e | ce 2f c9 36 2c d0 9b a8 e2 63 d6 d4 ee 3a 43 aa | received 'xauth_inR0' message HASH(1) data ok | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 10 (0xa) | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 8 (0x8) | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_XAUTH_R0: retransmits: cleared | libevent_free: release ptr-libevent@0x55c0cf6c9470 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55c0cf6d34a0 "xauth-road-eastnet"[1] 192.1.3.209 #1: XAUTH: PAM authentication method requested to authenticate user 'gooduser90' | PAM: #1: main-process starting PAM-process for authenticating user 'gooduser90' | forked child 19029 | event_schedule: new EVENT_PAM_TIMEOUT-pe@0x55c0cf6d34a0 | inserting event EVENT_PAM_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55c0cf6c9470 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | #1 spent 0.474 milliseconds in process_packet_tail() | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.613 milliseconds in comm_handle_cb() reading and processing packet | RESET processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in pluto_fork() at server.c:1183) | RESET processing: from 192.1.3.209:500 (in pluto_fork() at server.c:1183) | PAM: #1: PAM-process authenticating user 'gooduser90' | XAUTH helper thread pam_start for state #1, xauth-road-eastnet[1] user=gooduser90. | XAUTH helper thread pam_set_item for state #1, xauth-road-eastnet[1] user=gooduser90. | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00458 milliseconds in global timer EVENT_SHUNT_SCAN | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in for_each_state() at state.c:1572) | not behind NAT: no NAT-T KEEP-ALIVE required for conn xauth-road-eastnet | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in for_each_state() at state.c:1574) | spent 0.0276 milliseconds in global timer EVENT_NAT_T_KEEPALIVE | spent 0.00269 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 108 bytes from 192.1.3.209:500 on eth1 (192.1.2.23:500) | 18 ed 1e 4b 88 fb a0 90 14 dd 6a d7 ad 65 53 88 | 08 10 06 01 38 d4 3c e9 00 00 00 6c 06 55 a7 33 | 23 19 fc c0 c8 63 fe 36 63 6f bd dc 0c 89 9f c1 | 6d 6d 0e 0f 60 bf 86 50 bd 67 2a 99 b6 e3 f6 1b | 97 c5 68 02 e0 e7 0a f5 5e 11 66 84 3d 11 b0 86 | 22 a0 73 42 47 9a fc 36 50 b8 f2 f5 c4 81 41 b7 | f1 b3 cc 28 35 72 88 6f 23 90 88 78 | start processing: from 192.1.3.209:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 18 ed 1e 4b 88 fb a0 90 | responder cookie: | 14 dd 6a d7 ad 65 53 88 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 953433321 (0x38d43ce9) | length: 108 (0x6c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=38d43ce9 st_msgid=00000000 st_msgid_phase15=38d43ce9 | p15 state object #1 found, in STATE_XAUTH_R0 | State DB: found IKEv1 state #1 in XAUTH_R0 (find_v1_info_state) | start processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_v1_packet() at ikev1.c:1778) | #1 is busy; has a suspended MD "xauth-road-eastnet"[1] 192.1.3.209 #1: discarding packet received during asynchronous work (DNS or crypto) in STATE_XAUTH_R0 | stop processing: from 192.1.3.209:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "xauth-road-eastnet"[1] 192.1.3.209 from 192.1.3.209:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.108 milliseconds in comm_handle_cb() reading and processing packet