FIPS Product: YES FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.28-827-gc9aa82b8a6-master-s2 XFRM(netkey) esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK LABELED_IPSEC SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:22513 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | libevent is using pluto's memory allocator Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | libevent_malloc: new ptr-libevent@0x55aabf4fe400 size 40 | libevent_malloc: new ptr-libevent@0x55aabf4ff6b0 size 40 | libevent_malloc: new ptr-libevent@0x55aabf4ff6e0 size 40 | creating event base | libevent_malloc: new ptr-libevent@0x55aabf4ff670 size 56 | libevent_malloc: new ptr-libevent@0x55aabf4ff710 size 664 | libevent_malloc: new ptr-libevent@0x55aabf4ff9b0 size 24 | libevent_malloc: new ptr-libevent@0x55aabf4f1170 size 384 | libevent_malloc: new ptr-libevent@0x55aabf4ff9d0 size 16 | libevent_malloc: new ptr-libevent@0x55aabf4ff9f0 size 40 | libevent_malloc: new ptr-libevent@0x55aabf4ffa20 size 48 | libevent_realloc: new ptr-libevent@0x55aabf483370 size 256 | libevent_malloc: new ptr-libevent@0x55aabf4ffa60 size 16 | libevent_free: release ptr-libevent@0x55aabf4ff670 | libevent initialized | libevent_realloc: new ptr-libevent@0x55aabf4ffa80 size 64 | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized | global one-shot timer EVENT_FREE_ROOT_CERTS initialized | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds | global one-shot timer EVENT_REVIVE_CONNS initialized | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case #1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case #2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case #3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case #4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case #5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case #6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case #7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 crypto helpers started thread for crypto helper 0 | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) started thread for crypto helper 1 | starting up helper thread 1 | starting up helper thread 2 started thread for crypto helper 2 | status value returned by setting the priority of this thread (crypto helper 2) 22 | crypto helper 2 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) started thread for crypto helper 3 | starting up helper thread 3 | status value returned by setting the priority of this thread (crypto helper 3) 22 | crypto helper 3 waiting (nothing to do) started thread for crypto helper 4 | starting up helper thread 4 | status value returned by setting the priority of this thread (crypto helper 4) 22 started thread for crypto helper 5 | starting up helper thread 5 | crypto helper 4 waiting (nothing to do) | status value returned by setting the priority of this thread (crypto helper 5) 22 | crypto helper 5 waiting (nothing to do) started thread for crypto helper 6 | starting up helper thread 6 | status value returned by setting the priority of this thread (crypto helper 6) 22 | crypto helper 6 waiting (nothing to do) | checking IKEv1 state table | MAIN_R0: category: half-open IKE SA flags: 0: | -> MAIN_R1 EVENT_SO_DISCARD | MAIN_I1: category: half-open IKE SA flags: 0: | -> MAIN_I2 EVENT_RETRANSMIT | MAIN_R1: category: open IKE SA flags: 200: | -> MAIN_R2 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_I2: category: open IKE SA flags: 0: | -> MAIN_I3 EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | -> UNDEFINED EVENT_RETRANSMIT | MAIN_R2: category: open IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | -> MAIN_R3 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_I3: category: open IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | -> MAIN_I4 EVENT_SA_REPLACE | -> UNDEFINED EVENT_SA_REPLACE | MAIN_R3: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | MAIN_I4: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | AGGR_R0: category: half-open IKE SA flags: 0: | -> AGGR_R1 EVENT_SO_DISCARD | AGGR_I1: category: half-open IKE SA flags: 0: | -> AGGR_I2 EVENT_SA_REPLACE | -> AGGR_I2 EVENT_SA_REPLACE | AGGR_R1: category: open IKE SA flags: 200: | -> AGGR_R2 EVENT_SA_REPLACE | -> AGGR_R2 EVENT_SA_REPLACE | AGGR_I2: category: established IKE SA flags: 200: | -> UNDEFINED EVENT_NULL | AGGR_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | QUICK_R0: category: established CHILD SA flags: 0: | -> QUICK_R1 EVENT_RETRANSMIT | QUICK_I1: category: established CHILD SA flags: 0: | -> QUICK_I2 EVENT_SA_REPLACE | QUICK_R1: category: established CHILD SA flags: 0: | -> QUICK_R2 EVENT_SA_REPLACE | QUICK_I2: category: established CHILD SA flags: 200: | -> UNDEFINED EVENT_NULL | QUICK_R2: category: established CHILD SA flags: 0: | -> UNDEFINED EVENT_NULL | INFO: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | INFO_PROTECTED: category: informational flags: 0: | -> UNDEFINED EVENT_NULL | XAUTH_R0: category: established IKE SA flags: 0: | -> XAUTH_R1 EVENT_NULL | XAUTH_R1: category: established IKE SA flags: 0: | -> MAIN_R3 EVENT_SA_REPLACE | MODE_CFG_R0: category: informational flags: 0: | -> MODE_CFG_R1 EVENT_SA_REPLACE | MODE_CFG_R1: category: established IKE SA flags: 0: | -> MODE_CFG_R2 EVENT_SA_REPLACE | MODE_CFG_R2: category: established IKE SA flags: 0: | -> UNDEFINED EVENT_NULL | MODE_CFG_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_SA_REPLACE | XAUTH_I0: category: established IKE SA flags: 0: | -> XAUTH_I1 EVENT_RETRANSMIT | XAUTH_I1: category: established IKE SA flags: 0: | -> MAIN_I4 EVENT_RETRANSMIT | checking IKEv2 state table | PARENT_I0: category: ignore flags: 0: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) | PARENT_I1: category: half-open IKE SA flags: 0: | -> PARENT_I1 EVENT_RETAIN send-request (Initiator: process SA_INIT reply notification) | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH) | PARENT_I2: category: open IKE SA flags: 0: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) | -> V2_IPSEC_I EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) | PARENT_I3: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_RETAIN (I3: Informational Request) | -> PARENT_I3 EVENT_RETAIN (I3: Informational Response) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Request) | -> PARENT_I3 EVENT_RETAIN (I3: INFORMATIONAL Response) | PARENT_R0: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SO_DISCARD send-request (Respond to IKE_SA_INIT) | PARENT_R1: category: half-open IKE SA flags: 0: | -> PARENT_R1 EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request (no SKEYSEED)) | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Responder: process IKE_AUTH request) | PARENT_R2: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Request) | -> PARENT_R2 EVENT_RETAIN (R2: process Informational Response) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Request) | -> PARENT_R2 EVENT_RETAIN (R2: process INFORMATIONAL Response) | V2_CREATE_I0: category: established IKE SA flags: 0: | -> V2_CREATE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) | V2_CREATE_I: category: established IKE SA flags: 0: | -> V2_IPSEC_I EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) | V2_REKEY_IKE_I0: category: established IKE SA flags: 0: | -> V2_REKEY_IKE_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) | V2_REKEY_IKE_I: category: established IKE SA flags: 0: | -> PARENT_I3 EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) | V2_REKEY_CHILD_I0: category: established IKE SA flags: 0: | -> V2_REKEY_CHILD_I EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) | V2_REKEY_CHILD_I: category: established IKE SA flags: 0: | V2_CREATE_R: category: established IKE SA flags: 0: | -> V2_IPSEC_R EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IPsec SA Request) | V2_REKEY_IKE_R: category: established IKE SA flags: 0: | -> PARENT_R2 EVENT_SA_REPLACE send-request (Respond to CREATE_CHILD_SA IKE Rekey) | V2_REKEY_CHILD_R: category: established IKE SA flags: 0: | V2_IPSEC_I: category: established CHILD SA flags: 0: | V2_IPSEC_R: category: established CHILD SA flags: 0: | IKESA_DEL: category: established IKE SA flags: 0: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) | CHILDSA_DEL: category: informational flags: 0: Using Linux XFRM/NETKEY IPsec interface code on 5.2.11+ | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds | setup kernel fd callback | add_fd_read_event_handler: new KERNEL_XRM_FD-pe@0x55aabf509e30 | libevent_malloc: new ptr-libevent@0x55aabf511300 size 128 | libevent_malloc: new ptr-libevent@0x55aabf4ffbc0 size 16 | add_fd_read_event_handler: new KERNEL_ROUTE_FD-pe@0x55aabf5046d0 | libevent_malloc: new ptr-libevent@0x55aabf511390 size 128 | libevent_malloc: new ptr-libevent@0x55aabf504620 size 16 | global one-shot timer EVENT_CHECK_CRLS initialized selinux support is enabled. systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | outgoing-port-avoid set 0-65535 | outgoing-port-permit set 32768-60999 | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | add_fd_read_event_handler: new PLUTO_CTL_FD-pe@0x55aabf504420 | libevent_malloc: new ptr-libevent@0x55aabf51b900 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51b990 size 16 | libevent_realloc: new ptr-libevent@0x55aabf4815b0 size 256 | libevent_malloc: new ptr-libevent@0x55aabf51b9b0 size 8 | libevent_realloc: new ptr-libevent@0x55aabf510600 size 144 | libevent_malloc: new ptr-libevent@0x55aabf51b9d0 size 152 | libevent_malloc: new ptr-libevent@0x55aabf51ba70 size 16 | signal event handler PLUTO_SIGCHLD installed | libevent_malloc: new ptr-libevent@0x55aabf51ba90 size 8 | libevent_malloc: new ptr-libevent@0x55aabf51bab0 size 152 | signal event handler PLUTO_SIGTERM installed | libevent_malloc: new ptr-libevent@0x55aabf51bb50 size 8 | libevent_malloc: new ptr-libevent@0x55aabf51bb70 size 152 | signal event handler PLUTO_SIGHUP installed | libevent_malloc: new ptr-libevent@0x55aabf51bc10 size 8 | libevent_realloc: release ptr-libevent@0x55aabf510600 | libevent_realloc: new ptr-libevent@0x55aabf51bc30 size 256 | libevent_malloc: new ptr-libevent@0x55aabf510600 size 152 | signal event handler PLUTO_SIGSYS installed | created addconn helper (pid:22595) using fork+execve | forked child 22595 | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.3.254 | Inspecting interface eth1 | found eth1 with address 192.1.3.33 Kernel supports NIC esp-hw-offload adding interface eth1/eth1 (esp-hw-offload not supported by kernel) 192.1.3.33:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.3.33:4500 adding interface eth0/eth0 (esp-hw-offload not supported by kernel) 192.0.3.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.3.254:4500 adding interface lo/lo (esp-hw-offload not supported by kernel) 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | no interfaces to sort | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations | add_fd_read_event_handler: new ethX-pe@0x55aabf5051a0 | libevent_malloc: new ptr-libevent@0x55aabf51bfa0 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c030 size 16 | setup callback for interface lo 127.0.0.1:4500 fd 22 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c050 | libevent_malloc: new ptr-libevent@0x55aabf51c090 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c120 size 16 | setup callback for interface lo 127.0.0.1:500 fd 21 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c140 | libevent_malloc: new ptr-libevent@0x55aabf51c180 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c210 size 16 | setup callback for interface eth0 192.0.3.254:4500 fd 20 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c230 | libevent_malloc: new ptr-libevent@0x55aabf51c270 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c300 size 16 | setup callback for interface eth0 192.0.3.254:500 fd 19 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c320 | libevent_malloc: new ptr-libevent@0x55aabf51c360 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c3f0 size 16 | setup callback for interface eth1 192.1.3.33:4500 fd 18 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c410 | libevent_malloc: new ptr-libevent@0x55aabf51c450 size 128 | libevent_malloc: new ptr-libevent@0x55aabf51c4e0 size 16 | setup callback for interface eth1 192.1.3.33:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x55aabf5114e0) PKK_PSK: @east | id type added to secret(0x55aabf5114e0) PKK_PSK: @GroupID | Processing PSK at line 1: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.379 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.3.254 | Inspecting interface eth1 | found eth1 with address 192.1.3.33 | no interfaces to sort | libevent_free: release ptr-libevent@0x55aabf51bfa0 | free_event_entry: release EVENT_NULL-pe@0x55aabf5051a0 | add_fd_read_event_handler: new ethX-pe@0x55aabf5051a0 | libevent_malloc: new ptr-libevent@0x55aabf51bfa0 size 128 | setup callback for interface lo 127.0.0.1:4500 fd 22 | libevent_free: release ptr-libevent@0x55aabf51c090 | free_event_entry: release EVENT_NULL-pe@0x55aabf51c050 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c050 | libevent_malloc: new ptr-libevent@0x55aabf51c090 size 128 | setup callback for interface lo 127.0.0.1:500 fd 21 | libevent_free: release ptr-libevent@0x55aabf51c180 | free_event_entry: release EVENT_NULL-pe@0x55aabf51c140 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c140 | libevent_malloc: new ptr-libevent@0x55aabf51c180 size 128 | setup callback for interface eth0 192.0.3.254:4500 fd 20 | libevent_free: release ptr-libevent@0x55aabf51c270 | free_event_entry: release EVENT_NULL-pe@0x55aabf51c230 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c230 | libevent_malloc: new ptr-libevent@0x55aabf51c270 size 128 | setup callback for interface eth0 192.0.3.254:500 fd 19 | libevent_free: release ptr-libevent@0x55aabf51c360 | free_event_entry: release EVENT_NULL-pe@0x55aabf51c320 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c320 | libevent_malloc: new ptr-libevent@0x55aabf51c360 size 128 | setup callback for interface eth1 192.1.3.33:4500 fd 18 | libevent_free: release ptr-libevent@0x55aabf51c450 | free_event_entry: release EVENT_NULL-pe@0x55aabf51c410 | add_fd_read_event_handler: new ethX-pe@0x55aabf51c410 | libevent_malloc: new ptr-libevent@0x55aabf51c450 size 128 | setup callback for interface eth1 192.1.3.33:500 fd 17 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | id type added to secret(0x55aabf5114e0) PKK_PSK: @east | id type added to secret(0x55aabf5114e0) PKK_PSK: @GroupID | Processing PSK at line 1: passed | certs and keys locked by 'process_secret' | certs and keys unlocked by 'process_secret' | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.284 milliseconds in whack | processing signal PLUTO_SIGCHLD | waitpid returned pid 22595 (exited with status 0) | reaped addconn helper child (status 0) | waitpid returned ECHILD (no child processes left) | spent 0.0112 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | FOR_EACH_CONNECTION_... in foreach_connection_by_alias | FOR_EACH_CONNECTION_... in conn_by_name | Added new connection north-east with policy PSK+ENCRYPT+TUNNEL+PFS+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | counting wild cards for @GroupID is 0 | counting wild cards for @east is 0 | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@(nil): none | new hp@0x55aabf4e8930 added connection description "north-east" | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | 192.1.3.33[@GroupID,+MC+XC+S=C]---192.1.3.254...192.1.2.23<192.1.2.23>[@east,MS+XS+S=C]===0.0.0.0/0 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.153 milliseconds in whack | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | dup_any(fd@16) -> fd@23 (in whack_process() at rcv_whack.c:590) | FOR_EACH_CONNECTION_... in conn_by_name | start processing: connection "north-east" (in initiate_a_connection() at initiate.c:186) | empty esp_info, returning defaults for ENCRYPT | connection 'north-east' +POLICY_UP | dup_any(fd@23) -> fd@24 (in initiate_a_connection() at initiate.c:342) | FOR_EACH_STATE_... in find_phase1_state | creating state object #1 at 0x55aabf51d310 | State DB: adding IKEv1 state #1 in UNDEFINED | pstats #1 ikev1.isakmp started | suspend processing: connection "north-east" (in main_outI1() at ikev1_main.c:118) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:118) | parent state #1: UNDEFINED(ignore) => MAIN_I1(half-open IKE SA) | dup_any(fd@24) -> fd@25 (in main_outI1() at ikev1_main.c:123) | Queuing pending IPsec SA negotiating with 192.1.2.23 "north-east" IKE SA #1 "north-east" "north-east" #1: initiating Main Mode | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 1:ISAKMP_NEXT_SA | no specific IKE algorithms specified - using defaults | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=aes=7 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP2048=14 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_256=4 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha2_512=6 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() processing ealg=3des_cbc=5 halg=sha=2 modp=MODP1536=5 eklen=0 | oakley_alg_makedb() returning 0x55aabf51e8a0 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 18 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 18 (0x12) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 1 (0x1) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 2 (0x2) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 3 (0x3) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 4 (0x4) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 5 (0x5) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 6 (0x6) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 7 (0x7) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 8 (0x8) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 9 (0x9) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 10 (0xa) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 11 (0xb) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 12 (0xc) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 13 (0xd) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 14 (0xe) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 15 (0xf) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T (0x3) | ISAKMP transform number: 16 (0x10) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 6 (0x6) | [6 is OAKLEY_SHA2_512] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP transform number: 17 (0x11) | ISAKMP transform ID: KEY_IKE (0x1) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 5 (0x5) | [5 is OAKLEY_3DES_CBC] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 2 (0x2) | [2 is OAKLEY_SHA1] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | ******emit ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 5 (0x5) | [5 is OAKLEY_GROUP_MODP1536] | emitting length of ISAKMP Transform Payload (ISAKMP): 32 | emitting length of ISAKMP Proposal Payload: 632 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ISAKMP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 644 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | out_vid(): sending [FRAGMENTATION] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [XAUTH] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 8 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 09 00 26 89 df d6 b7 12 | emitting length of ISAKMP Vendor ID Payload: 12 | out_vid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | nat add vid | sending draft and RFC NATT VIDs | out_vid(): sending [RFC 3947] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f | emitting length of ISAKMP Vendor ID Payload: 20 | skipping VID_NATT_RFC | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-03] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | next payload chain: ignoring supplied 'ISAKMP Vendor ID Payload'.'next payload type' value 13:ISAKMP_NEXT_VID | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | out_vid(): sending [draft-ietf-ipsec-nat-t-ike-02] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Vendor ID Payload'.'next payload type' to current ISAKMP Vendor ID Payload (13:ISAKMP_NEXT_VID) | next payload chain: saving location 'ISAKMP Vendor ID Payload'.'next payload type' in 'reply packet' | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48 | emitting length of ISAKMP Vendor ID Payload: 20 | no IKEv1 message padding required | emitting length of ISAKMP Message: 804 | sending 804 bytes for reply packet for main_outI1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 00 00 00 00 00 00 00 00 | 01 10 02 00 00 00 00 00 00 00 03 24 0d 00 02 84 | 00 00 00 01 00 00 00 01 00 00 02 78 00 01 00 12 | 03 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 fd e9 80 04 00 0e | 80 0e 01 00 03 00 00 24 01 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 04 80 03 fd e9 | 80 04 00 0e 80 0e 00 80 03 00 00 24 02 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 06 | 80 03 fd e9 80 04 00 0e 80 0e 01 00 03 00 00 24 | 03 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 06 80 03 fd e9 80 04 00 0e 80 0e 00 80 | 03 00 00 24 04 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 02 80 03 fd e9 80 04 00 0e | 80 0e 01 00 03 00 00 24 05 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 02 80 03 fd e9 | 80 04 00 0e 80 0e 00 80 03 00 00 24 06 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 04 | 80 03 fd e9 80 04 00 05 80 0e 01 00 03 00 00 24 | 07 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 04 80 03 fd e9 80 04 00 05 80 0e 00 80 | 03 00 00 24 08 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 06 80 03 fd e9 80 04 00 05 | 80 0e 01 00 03 00 00 24 09 01 00 00 80 0b 00 01 | 80 0c 0e 10 80 01 00 07 80 02 00 06 80 03 fd e9 | 80 04 00 05 80 0e 00 80 03 00 00 24 0a 01 00 00 | 80 0b 00 01 80 0c 0e 10 80 01 00 07 80 02 00 02 | 80 03 fd e9 80 04 00 05 80 0e 01 00 03 00 00 24 | 0b 01 00 00 80 0b 00 01 80 0c 0e 10 80 01 00 07 | 80 02 00 02 80 03 fd e9 80 04 00 05 80 0e 00 80 | 03 00 00 20 0c 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 fd e9 80 04 00 0e | 03 00 00 20 0d 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 fd e9 80 04 00 0e | 03 00 00 20 0e 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 0e | 03 00 00 20 0f 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 04 80 03 fd e9 80 04 00 05 | 03 00 00 20 10 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 06 80 03 fd e9 80 04 00 05 | 00 00 00 20 11 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 05 80 02 00 02 80 03 fd e9 80 04 00 05 | 0d 00 00 14 40 48 b7 d5 6e bc e8 85 25 e7 de 7f | 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 df d6 b7 12 | 0d 00 00 14 af ca d7 13 68 a1 f1 c9 6b 86 96 fc | 77 57 01 00 0d 00 00 14 4a 13 1c 81 07 03 58 45 | 5c 57 28 f2 0e 95 45 2f 0d 00 00 14 7d 94 19 a6 | 53 10 ca 6f 2c 17 9d 92 15 52 9d 56 0d 00 00 14 | 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | 00 00 00 14 cd 60 46 43 35 df 21 f8 7c fd b2 fc | 68 b6 a4 48 | event_schedule: new EVENT_RETRANSMIT-pe@0x55aabf51e200 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | #1 STATE_MAIN_I1: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.099277 | #1 spent 1.59 milliseconds in main_outI1() | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in main_outI1() at ikev1_main.c:228) | resume processing: connection "north-east" (in main_outI1() at ikev1_main.c:228) | stop processing: connection "north-east" (in initiate_a_connection() at initiate.c:349) | close_any(fd@23) (in initiate_connection() at initiate.c:372) | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 1.68 milliseconds in whack | spent 0.0024 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 156 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 01 10 02 00 00 00 00 00 00 00 00 9c 0d 00 00 38 | 00 00 00 01 00 00 00 01 00 00 00 2c 00 01 00 01 | 00 00 00 24 00 01 00 00 80 0b 00 01 80 0c 0e 10 | 80 01 00 07 80 02 00 04 80 03 fd e9 80 04 00 0e | 80 0e 01 00 0d 00 00 14 40 48 b7 d5 6e bc e8 85 | 25 e7 de 7f 00 d6 c2 d3 0d 00 00 0c 09 00 26 89 | df d6 b7 12 0d 00 00 14 af ca d7 13 68 a1 f1 c9 | 6b 86 96 fc 77 57 01 00 00 00 00 14 4a 13 1c 81 | 07 03 58 45 5c 57 28 f2 0e 95 45 2f | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_SA (0x1) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 156 (0x9c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: IKEv1 state not found (find_state_ikev1) | State DB: found IKEv1 state #1 in MAIN_I1 (find_state_ikev1_init) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 12 (0xc) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID (0xd) | length: 20 (0x14) | got payload 0x2000 (ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 20 (0x14) | message 'main_inR1_outI2' HASH payload not checked early | received Vendor ID payload [FRAGMENTATION] | received Vendor ID payload [XAUTH] | received Vendor ID payload [Dead Peer Detection] | quirks.qnat_traversal_vid set to=117 [RFC 3947] | received Vendor ID payload [RFC 3947] | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_ISAKMP (0x1) | SPI size: 0 (0x0) | number of transforms: 1 (0x1) | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | ISAKMP transform number: 0 (0x0) | ISAKMP transform ID: KEY_IKE (0x1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_TYPE (0x800b) | length/value: 1 (0x1) | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_LIFE_DURATION (variable length) (0x800c) | length/value: 3600 (0xe10) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_ENCRYPTION_ALGORITHM (0x8001) | length/value: 7 (0x7) | [7 is OAKLEY_AES_CBC] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_HASH_ALGORITHM (0x8002) | length/value: 4 (0x4) | [4 is OAKLEY_SHA2_256] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_AUTHENTICATION_METHOD (0x8003) | length/value: 65001 (0xfde9) | [65001 is XAUTHInitPreShared] | started looking for secret for @GroupID->@east of kind PKK_PSK | actually looking for secret for @GroupID->@east of kind PKK_PSK | line 1: key type PKK_PSK(@GroupID) to type PKK_PSK | 1: compared key @GroupID to @GroupID / @east -> 010 | 2: compared key @east to @GroupID / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x55aabf5114e0 (line=1) | concluding with best_match=014 best=0x55aabf5114e0 (lineno=1) | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_GROUP_DESCRIPTION (0x8004) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: AF+OAKLEY_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | OAKLEY proposal verified unconditionally; no alg_info to check against | Oakley Transform 0 accepted | sender checking NAT-T: enabled; VID 117 | returning NAT-T method NAT_TRAVERSAL_METHOD_IETF_RFC | enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) | adding outI2 KE work-order 1 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55aabf51e200 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e200 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | crypto helper 0 resuming | #1 is busy; has a suspended MD | crypto helper 0 starting work-order 1 for state #1 | #1 spent 0.155 milliseconds in process_packet_tail() | crypto helper 0 doing build KE and nonce (outI2 KE); request ID 1 | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.321 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 0 finished build KE and nonce (outI2 KE); request ID 1 time elapsed 0.001059 seconds | (#1) spent 1.06 milliseconds in crypto helper computing work-order 1: outI2 KE (pcr) | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f35f8006900 size 128 | crypto helper 0 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55aabd92d630 | main_inR1_outI2_continue for #1: calculated ke+nonce, sending I2 | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value ba 1a dd 3e 50 6a c5 62 33 3c 68 f2 37 de dc 7b | keyex value 68 3b a0 73 a6 da 39 3d 29 a1 b5 e4 b0 fa 1d b7 | keyex value 03 57 c2 38 5c 3c 9f a8 ce 4a 4a d4 d9 ae 39 a6 | keyex value 70 ca ff f0 f5 1f 33 5a 5a 75 c5 61 64 56 98 c8 | keyex value 7e f7 a5 30 df 34 5c dc 07 16 1c 50 53 bf 14 d2 | keyex value 1d fa 14 2d de 7e 34 4e 7b f5 d0 a9 3f 4a 30 cd | keyex value f7 1e f2 3a 65 8c 4c 90 cd 90 0a 11 7b 41 0d 39 | keyex value ae e8 1d 9b 8f cf 82 2e 4a 59 b4 56 56 33 ec 59 | keyex value 77 4e 01 bf 68 16 b7 46 22 f3 b8 a1 ab fd 6f 3a | keyex value d7 20 3c b6 2d ae 87 17 31 51 aa b3 f3 9b 63 ec | keyex value a6 0a ee ae 3c e8 7a ee c5 ec 3d e5 f8 5c b8 0f | keyex value e2 ce cb be 47 96 e2 5c 53 61 da 74 ba 25 d6 e3 | keyex value c0 99 ed b3 c8 aa 46 19 3b 45 d4 97 1f c4 26 d6 | keyex value 78 69 9b 91 8f 0e 42 fe 10 c0 fe ab 1c 13 d2 0f | keyex value f0 01 a3 05 d7 6f fa 30 7a 91 1e 94 54 29 32 22 | keyex value 85 3d bd 24 c1 43 7f d4 f9 23 8d b7 1e 0c ea 29 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni ac 3e c2 78 89 ef b7 f2 1a 7e cf 6c 59 40 f1 38 | Ni e5 08 53 82 19 38 ca 6d 77 29 6d 8c 2f 49 00 f4 | emitting length of ISAKMP Nonce Payload: 36 | NAT-T checking st_nat_traversal | NAT-T found (implies NAT_T_WITH_NATD) | sending NAT-D payloads | natd_hash: hasher=0x55aabda03c40(32) | natd_hash: icookie= 51 d2 e6 b6 ed 34 22 b8 | natd_hash: rcookie= 64 9d c4 ed cc 8c b2 f9 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 40 a3 d3 27 45 07 63 da ce c4 bd 60 fd f5 2c 96 | natd_hash: hash= 40 60 db 16 96 4d be fd c3 d7 db 28 04 48 f0 f8 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | next payload chain: ignoring supplied 'ISAKMP NAT-D Payload'.'next payload type' value 20:ISAKMP_NEXT_NATD_RFC | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 40 a3 d3 27 45 07 63 da ce c4 bd 60 fd f5 2c 96 | NAT-D 40 60 db 16 96 4d be fd c3 d7 db 28 04 48 f0 f8 | emitting length of ISAKMP NAT-D Payload: 36 | natd_hash: hasher=0x55aabda03c40(32) | natd_hash: icookie= 51 d2 e6 b6 ed 34 22 b8 | natd_hash: rcookie= 64 9d c4 ed cc 8c b2 f9 | natd_hash: ip= c0 01 03 21 | natd_hash: port= 01 f4 | natd_hash: hash= 15 4d c4 04 36 5a e9 06 81 b8 18 80 53 3a b8 8d | natd_hash: hash= 1b d0 d3 9c 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | ***emit ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP NAT-D Payload'.'next payload type' to current ISAKMP NAT-D Payload (20:ISAKMP_NEXT_NATD_RFC) | next payload chain: saving location 'ISAKMP NAT-D Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of NAT-D into ISAKMP NAT-D Payload | NAT-D 15 4d c4 04 36 5a e9 06 81 b8 18 80 53 3a b8 8d | NAT-D 1b d0 d3 9c 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | emitting length of ISAKMP NAT-D Payload: 36 | no IKEv1 message padding required | emitting length of ISAKMP Message: 396 | State DB: re-hashing IKEv1 state #1 IKE SPIi and SPI[ir] | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | peer supports fragmentation | peer supports DPD | IKEv1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 | parent state #1: MAIN_I1(half-open IKE SA) => MAIN_I2(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e200 | sending reply packet to 192.1.2.23:500 (from 192.1.3.33:500) | sending 396 bytes for STATE_MAIN_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | ba 1a dd 3e 50 6a c5 62 33 3c 68 f2 37 de dc 7b | 68 3b a0 73 a6 da 39 3d 29 a1 b5 e4 b0 fa 1d b7 | 03 57 c2 38 5c 3c 9f a8 ce 4a 4a d4 d9 ae 39 a6 | 70 ca ff f0 f5 1f 33 5a 5a 75 c5 61 64 56 98 c8 | 7e f7 a5 30 df 34 5c dc 07 16 1c 50 53 bf 14 d2 | 1d fa 14 2d de 7e 34 4e 7b f5 d0 a9 3f 4a 30 cd | f7 1e f2 3a 65 8c 4c 90 cd 90 0a 11 7b 41 0d 39 | ae e8 1d 9b 8f cf 82 2e 4a 59 b4 56 56 33 ec 59 | 77 4e 01 bf 68 16 b7 46 22 f3 b8 a1 ab fd 6f 3a | d7 20 3c b6 2d ae 87 17 31 51 aa b3 f3 9b 63 ec | a6 0a ee ae 3c e8 7a ee c5 ec 3d e5 f8 5c b8 0f | e2 ce cb be 47 96 e2 5c 53 61 da 74 ba 25 d6 e3 | c0 99 ed b3 c8 aa 46 19 3b 45 d4 97 1f c4 26 d6 | 78 69 9b 91 8f 0e 42 fe 10 c0 fe ab 1c 13 d2 0f | f0 01 a3 05 d7 6f fa 30 7a 91 1e 94 54 29 32 22 | 85 3d bd 24 c1 43 7f d4 f9 23 8d b7 1e 0c ea 29 | 14 00 00 24 ac 3e c2 78 89 ef b7 f2 1a 7e cf 6c | 59 40 f1 38 e5 08 53 82 19 38 ca 6d 77 29 6d 8c | 2f 49 00 f4 14 00 00 24 40 a3 d3 27 45 07 63 da | ce c4 bd 60 fd f5 2c 96 40 60 db 16 96 4d be fd | c3 d7 db 28 04 48 f0 f8 00 00 00 24 15 4d c4 04 | 36 5a e9 06 81 b8 18 80 53 3a b8 8d 1b d0 d3 9c | 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x55aabf51e200 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | #1 STATE_MAIN_I2: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.10264 "north-east" #1: STATE_MAIN_I2: sent MI2, expecting MR2 | XAUTH client is not yet authenticated | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.308 milliseconds in resume sending helper answer | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f35f8006900 | spent 0.00257 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 396 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 04 10 02 00 00 00 00 00 00 00 01 8c 0a 00 01 04 | 61 a0 d6 3d d8 62 a7 06 ae a5 63 64 e5 74 d6 af | 7f 31 cf 58 2d a6 68 6f 8a 68 fd 6d 22 bf 59 83 | e3 86 6b 57 22 9e f1 c6 0b 59 a9 69 a3 3e 65 ad | af b4 5a 71 9b fc 1a bd 8d 46 cd d1 39 a0 56 b8 | da ff 4f 8a 61 04 f4 77 b3 9e 3c 0c 95 77 c5 9c | c5 ce d0 b1 dc 1f d5 44 84 52 c3 84 9e c1 ea 7c | 78 03 b2 7b 06 89 ee 06 6d d1 cd 8e 97 ce 2b 45 | 13 1b 96 9e 68 24 8e 82 c9 09 3d 8e 9f 28 82 e4 | b9 da 92 33 e0 94 32 89 e7 d2 09 ae b0 ac a6 d7 | 1f 84 41 0a 3e c4 0a 3f 3e c3 eb 4a 10 49 ab cc | d3 ba 4f df ea f7 c3 bf a2 ad 5e d3 84 13 c6 fd | ad e4 e5 df 57 36 d3 90 4d a1 8d 1d b4 aa 3b d7 | d0 31 e5 ca 54 72 ea 49 c8 ae 3f 8b 72 35 21 08 | e9 f7 8d 22 12 85 99 67 56 0b b2 c7 66 ea cf 5b | 61 86 44 52 80 70 3c a3 69 d1 ff 9e a3 7e 25 ab | c0 f6 b0 67 bd 51 87 14 75 58 49 7d 9d 69 f7 19 | 14 00 00 24 ea 35 96 67 75 54 1c 2f 09 5e 75 96 | 2c 97 c5 9c 11 42 83 04 2e 2d 67 d2 2b a7 be 76 | b5 7e 3a 64 14 00 00 24 15 4d c4 04 36 5a e9 06 | 81 b8 18 80 53 3a b8 8d 1b d0 d3 9c 42 0c 70 66 | 9a 5c 07 c0 18 cb ea f0 00 00 00 24 40 a3 d3 27 | 45 07 63 da ce c4 bd 60 fd f5 2c 96 40 60 db 16 | 96 4d be fd c3 d7 db 28 04 48 f0 f8 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_KE (0x4) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: none (0x0) | Message ID: 0 (0x0) | length: 396 (0x18c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I2 (find_state_ikev1) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 260 (0x104) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NATD_RFC (0x14) | length: 36 (0x24) | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR2_outI3' HASH payload not checked early | started looking for secret for @GroupID->@east of kind PKK_PSK | actually looking for secret for @GroupID->@east of kind PKK_PSK | line 1: key type PKK_PSK(@GroupID) to type PKK_PSK | 1: compared key @GroupID to @GroupID / @east -> 010 | 2: compared key @east to @GroupID / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x55aabf5114e0 (line=1) | concluding with best_match=014 best=0x55aabf5114e0 (lineno=1) | adding aggr outR1 DH work-order 2 for state #1 | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I2: retransmits: cleared | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55aabf51e200 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7f35f8002b20 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #1 and saving MD | #1 is busy; has a suspended MD | crypto helper 2 resuming | #1 spent 0.0616 milliseconds in process_packet_tail() | crypto helper 2 starting work-order 2 for state #1 | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 2 doing compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.212 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 2 finished compute dh+iv (V1 Phase 1) (aggr outR1 DH); request ID 2 time elapsed 0.000677 seconds | (#1) spent 0.682 milliseconds in crypto helper computing work-order 2: aggr outR1 DH (pcr) | crypto helper 2 sending results from work-order 2 for state #1 to event queue | scheduling resume sending helper answer for #1 | libevent_malloc: new ptr-libevent@0x7f35f0008420 size 128 | crypto helper 2 waiting (nothing to do) | processing resume sending helper answer for #1 | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 2 replies to request ID 2 | calling continuation function 0x55aabd92d630 | main_inR2_outI3_cryptotail for #1: calculated DH, sending R1 | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 5:ISAKMP_NEXT_ID | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0?? | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. (PSK) | I am not sending a certificate request | I will NOT send an initial contact payload | init checking NAT-T: enabled; RFC 3947 (NAT-Traversal) | natd_hash: hasher=0x55aabda03c40(32) | natd_hash: icookie= 51 d2 e6 b6 ed 34 22 b8 | natd_hash: rcookie= 64 9d c4 ed cc 8c b2 f9 | natd_hash: ip= c0 01 03 21 | natd_hash: port= 01 f4 | natd_hash: hash= 15 4d c4 04 36 5a e9 06 81 b8 18 80 53 3a b8 8d | natd_hash: hash= 1b d0 d3 9c 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | natd_hash: hasher=0x55aabda03c40(32) | natd_hash: icookie= 51 d2 e6 b6 ed 34 22 b8 | natd_hash: rcookie= 64 9d c4 ed cc 8c b2 f9 | natd_hash: ip= c0 01 02 17 | natd_hash: port= 01 f4 | natd_hash: hash= 40 a3 d3 27 45 07 63 da ce c4 bd 60 fd f5 2c 96 | natd_hash: hash= 40 60 db 16 96 4d be fd c3 d7 db 28 04 48 f0 f8 | expected NAT-D(me): 15 4d c4 04 36 5a e9 06 81 b8 18 80 53 3a b8 8d | expected NAT-D(me): 1b d0 d3 9c 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | expected NAT-D(him): | 40 a3 d3 27 45 07 63 da ce c4 bd 60 fd f5 2c 96 | 40 60 db 16 96 4d be fd c3 d7 db 28 04 48 f0 f8 | received NAT-D: 15 4d c4 04 36 5a e9 06 81 b8 18 80 53 3a b8 8d | received NAT-D: 1b d0 d3 9c 42 0c 70 66 9a 5c 07 c0 18 cb ea f0 | received NAT-D: 40 a3 d3 27 45 07 63 da ce c4 bd 60 fd f5 2c 96 | received NAT-D: 40 60 db 16 96 4d be fd c3 d7 db 28 04 48 f0 f8 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected | NAT_T_WITH_KA detected | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_HASH (0x8) | ID type: ID_FQDN (0x2) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 8:ISAKMP_NEXT_HASH | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 7 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 47 72 6f 75 70 49 44 | emitting length of ISAKMP Identification Payload (IPsec DOI): 15 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of HASH_I into ISAKMP Hash Payload | HASH_I 20 cf e8 e8 4b 47 84 2e c2 83 93 a2 3f 1a 3e b9 | HASH_I a6 44 6a f1 81 c1 77 41 9c 0d de 7d b3 e0 51 c3 | emitting length of ISAKMP Hash Payload: 36 | Not sending INITIAL_CONTACT | emitting 13 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 | parent state #1: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7f35f8002b20 | sending reply packet to 192.1.2.23:500 (from 192.1.3.33:500) | sending 92 bytes for STATE_MAIN_I2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 05 10 02 01 00 00 00 00 00 00 00 5c 83 ba 21 ba | 01 aa 53 84 47 45 27 31 75 f1 a3 24 66 f2 a1 e0 | 2d ac af e0 63 d6 23 fa 47 63 ea 3d 98 93 d6 fe | 1d d7 e4 0c 7c b2 9e 31 ae 0a 6a 6c c9 4d f2 e5 | 8c 53 48 fb 9b 33 f1 41 1b cc 92 1f | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f35f8002b20 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | #1 STATE_MAIN_I3: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.106812 "north-east" #1: STATE_MAIN_I3: sent MI3, expecting MR3 | XAUTH client is not yet authenticated | resume sending helper answer for #1 suppresed complete_v1_state_transition() | #1 spent 0.285 milliseconds in resume sending helper answer | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f35f0008420 | spent 0.00211 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 05 10 02 01 00 00 00 00 00 00 00 4c 8b fd ce 82 | 0a b2 43 89 fc cc a2 f0 60 6b b5 8e 6c 26 ca 5d | d5 d2 06 20 e4 51 ae bc b9 5e d6 7a e5 5d 65 de | 7a d3 48 53 3c 6a de 24 76 e5 93 ba | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_ID (0x5) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_IDPROT (0x2) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 0 (0x0) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | State DB: found IKEv1 state #1 in MAIN_I3 (find_state_ikev1) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1435) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080 | ***parse ISAKMP Identification Payload: | next payload type: ISAKMP_NEXT_HASH (0x8) | length: 12 (0xc) | ID type: ID_FQDN (0x2) | DOI specific A: 0 (0x0) | DOI specific B: 0 (0x0) | obj: 65 61 73 74 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x2080 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 36 (0x24) | message 'main_inR3' HASH payload not checked early "north-east" #1: Peer ID is ID_FQDN: '@east' | X509: no CERT payloads to process | received 'Main' message HASH_R data ok | FOR_EACH_CONNECTION_... in ISAKMP_SA_established | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4 | parent state #1: MAIN_I3(open IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f35f8002b20 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f35f8002b20 | inserting event EVENT_SA_REPLACE, timeout in 2607 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | pstats #1 ikev1.isakmp established "north-east" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | #1 spent 0.179 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.29 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00305 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 92 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 ab f2 3c f6 00 00 00 5c b9 97 8c 62 | 1a f0 f3 43 b8 fb d1 7b 9e 8c d1 07 11 12 85 6e | 05 5a f0 9b d8 56 29 b2 ac ef d7 85 2a f4 08 b0 | 17 52 a9 0f be 45 61 a9 21 08 35 07 58 bb 5e 67 | 31 3f ec ca 2b 30 ec e6 a7 36 69 f4 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2884779254 (0xabf23cf6) | length: 92 (0x5c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=abf23cf6 st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_MAIN_I4 | State DB: found IKEv1 state #1 in MAIN_I4 (find_v1_info_state) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1654) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient modecfgclient | call init_phase2_iv | set from_state to STATE_MAIN_I4 this is xauthclient and IS_PHASE1() is TRUE | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 36 (0x24) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | removing 12 bytes of padding | xauth_inI0 HASH(1): | cc 41 65 39 06 97 e8 83 1a 93 fe 09 b8 b6 8e c8 | e0 97 09 b1 af 3c 65 94 f9 8d 0d 64 96 ae b1 53 | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 2884779254 (0xabf23cf6) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | length/value: 0 (0x0) | Received Cisco XAUTH username | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | length/value: 0 (0x0) | Received Cisco XAUTH password | XAUTH: Username or password request received | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-NAME (0x4089) | prompting for Username: | emitting 4 raw bytes of XAUTH username into ISAKMP ModeCfg attribute | XAUTH username 75 73 65 33 | emitting length of ISAKMP ModeCfg attribute: 4 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: XAUTH-USER-PASSWORD (0x408a) | started looking for xauth secret for use3 | line 1: key type PKK_XAUTH(@use3) to type PKK_PSK | concluding with best_match=000 best=(nil) (lineno=-1) | looked up username=use3, got=(nil) | prompting for Password: | emitting 8 raw bytes of XAUTH password into ISAKMP ModeCfg attribute | XAUTH password 75 73 65 31 70 61 73 73 | emitting length of ISAKMP ModeCfg attribute: 8 | emitting length of ISAKMP Mode Attribute: 28 "north-east" #1: XAUTH: Answering XAUTH challenge with user='use3' | XAUTH: client response HASH(1): | fd bb 13 ab 7f 74 fd e4 6a 9c e8 c2 69 d1 4b 09 | 27 75 38 dd f7 38 7c d6 d4 9a 6a 81 ad 60 06 0c | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | no IKEv1 message padding required | emitting length of ISAKMP Message: 92 | xauth_inI0(STF_OK) | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:yes, t_xauth_client_done:no | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 | parent state #1: MAIN_I4(established IKE SA) => XAUTH_I1(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_SA_REPLACE to be deleted | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_SA_REPLACE-pe@0x7f35f8002b20 | sending reply packet to 192.1.2.23:500 (from 192.1.3.33:500) | sending 92 bytes for STATE_XAUTH_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 ab f2 3c f6 00 00 00 5c 2c 08 b5 f7 | ae c5 56 93 36 29 7c 51 50 6d a1 f5 14 50 54 80 | cf db 41 3a ee fb 3e 30 19 c2 fc 39 6c a6 49 01 | 8d c3 05 a1 75 e7 97 59 9d 8b 9f 80 af fd 0d 1d | 5c 60 a9 dd 77 8f 17 07 7e 6f 25 a9 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f35f8002b20 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | #1 STATE_XAUTH_I1: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.188065 | pstats #1 ikev1.isakmp established "north-east" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | XAUTH client is not yet authenticated | #1 spent 0.227 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.359 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00184 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 76 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 5c e8 db af 00 00 00 4c 74 25 fc ca | 19 52 39 c3 f3 c2 d0 56 64 83 f8 f4 22 a8 82 c0 | 36 5e 77 27 dc 4e ed bf 1d 3f 79 43 16 19 2a 14 | ca 32 e3 cb 06 9c 34 65 18 aa 94 71 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1558764463 (0x5ce8dbaf) | length: 76 (0x4c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=5ce8dbaf st_msgid=00000000 st_msgid_phase15=00000000 | State DB: IKEv1 state not found (find_v1_info_state) | No appropriate Mode Config state yet. See if we have a Main Mode state | peer and cookies match on #1; msgid=00000000 st_msgid=00000000 st_msgid_phase15=00000000 | p15 state object #1 found, in STATE_XAUTH_I1 | State DB: found IKEv1 state #1 in XAUTH_I1 (find_v1_info_state) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1654) | processing received isakmp_xchg_type ISAKMP_XCHG_MODE_CFG. | this is a xauthclient modecfgclient | call init_phase2_iv | set from_state to STATE_XAUTH_I1 this is xauthclient and state == STATE_XAUTH_I1 | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 36 (0x24) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 12 (0xc) | Attr Msg Type: ISAKMP_CFG_SET (0x3) | Identifier: 0 (0x0) | xauth_inI0 HASH(1): | a7 e1 0d be 45 fe 10 97 f5 ac 53 da bb 09 f6 62 | 4e b4 ee 9e 83 3f b7 5e 9c ad 04 bf e0 f8 3b 70 | received 'xauth_inI0' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 1558764463 (0x5ce8dbaf) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | arrived in xauth_inI0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | Received Cisco XAUTH status: OK | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_ACK (0x4) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'reply packet' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: AF+XAUTH-STATUS (0xc08f) | length/value: 1 (0x1) | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 12 | XAUTH: ack status HASH(1): | d9 9e 46 5a 84 00 5b 4c c4 2b fb 46 c2 9e 3d e3 | fa df e2 a0 77 e9 e2 8e 65 53 e6 63 45 7a 02 b1 | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 "north-east" #1: XAUTH: Successfully Authenticated | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_XAUTH_I0 to state STATE_XAUTH_I1 | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_XAUTH_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f35f8002b20 | sending reply packet to 192.1.2.23:500 (from 192.1.3.33:500) | sending 76 bytes for STATE_XAUTH_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 5c e8 db af 00 00 00 4c 66 99 f3 21 | 1c fa 36 4b a1 f3 e4 72 8f dc 90 39 da c2 66 7c | f3 36 b0 c0 d7 1b 23 7c 79 d1 7b e9 e7 b3 1f 54 | 18 21 1f 7f 9a a3 9b 27 b1 db 35 99 | !event_already_set at reschedule | event_schedule: new EVENT_RETRANSMIT-pe@0x7f35f8002b20 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | #1 STATE_XAUTH_I1: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.188549 | pstats #1 ikev1.isakmp established "north-east" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:pull modecfg-client | modecfg client is starting due to policy "north-east" #1: modecfg: Sending IP request (MODECFG_I1) | parent state #1: XAUTH_I1(established IKE SA) => MODE_CFG_I1(established IKE SA) | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4108762422 (0xf4e6bd36) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'xauth_buf' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | ***emit ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | Attr Msg Type: ISAKMP_CFG_REQUEST (0x1) | Identifier: 0 (0x0) | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Mode Attribute (14:ISAKMP_NEXT_MODECFG) | next payload chain: saving location 'ISAKMP Mode Attribute'.'next payload type' in 'xauth_buf' | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_ADDRESS (0x1) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_NETMASK (0x2) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: MODECFG_BANNER (0x7000) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: MODECFG_DOMAIN (0x7002) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | ****emit ISAKMP ModeCfg attribute: | ModeCfg attr type: CISCO_SPLIT_INC (0x7004) | length/value: 0 (0x0) | emitting length of ISAKMP ModeCfg attribute: 0 | no IKEv1 message padding required | emitting length of ISAKMP Mode Attribute: 32 | XAUTH: mode config request HASH(1): | 8f 22 e1 50 9a e8 a5 00 cb c6 20 d6 13 43 b3 97 | c4 a5 49 f2 2c 32 53 42 0a 67 81 8b ce 39 5a 50 | no IKEv1 message padding required | emitting length of ISAKMP Message: 96 | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 108 | sending 108 bytes for modecfg: req through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #1) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 f4 e6 bd 36 00 00 00 6c cf 5c b3 1d | ec 58 8f 3a 97 0f d8 e8 69 ab fa 45 69 8e ee 38 | ef 4f 9d 14 03 49 27 a8 ea 4d 5c b8 e2 e2 1f f7 | 67 ba 89 4e 76 de 5a a3 e0 1c 3f 31 0d a8 57 04 | f4 b9 98 1f 33 f3 40 65 b5 ce 5e 61 78 94 37 fc | 24 f8 e5 ab 7a b9 0c 3a f3 56 34 bb | #1 spent 0.278 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.379 milliseconds in comm_handle_cb() reading and processing packet | spent 0.00156 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 108 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 06 01 f4 e6 bd 36 00 00 00 6c ac 68 72 d6 | fc 89 40 2d 72 d3 f0 fb 8c ba 1c d1 35 75 31 2c | 06 79 4b b5 c8 63 75 fe 85 6c f4 09 87 4e 22 d7 | 3a 18 6d 14 3a da 8c 1f 36 8d 1b 6c 5e d8 15 83 | 11 fe e8 04 26 30 27 fa 78 03 95 cd 14 59 eb 41 | 34 fe f9 5a 20 1c db 1e 5c 76 d5 50 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4108762422 (0xf4e6bd36) | length: 108 (0x6c) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_MODE_CFG (6) | peer and cookies match on #1; msgid=f4e6bd36 st_msgid=00000000 st_msgid_phase15=f4e6bd36 | p15 state object #1 found, in STATE_MODE_CFG_I1 | State DB: found IKEv1 state #1 in MODE_CFG_I1 (find_v1_info_state) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1778) | #1 is idle | #1 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x4100 opt: 0x2000 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_MODECFG (0xe) | length: 36 (0x24) | got payload 0x4000 (ISAKMP_NEXT_MODECFG) needed: 0x4000 opt: 0x2000 | ***parse ISAKMP Mode Attribute: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 40 (0x28) | Attr Msg Type: ISAKMP_CFG_REPLY (0x2) | Identifier: 0 (0x0) | removing 4 bytes of padding | modecfg_inR1 HASH(1): | dc bf f8 6e ec 97 b8 38 0a 48 d9 f4 72 48 e4 98 | f3 19 5b c5 4c e8 0a bb 45 28 7a e2 78 79 27 2b | received 'modecfg_inR1' message HASH(1) data ok | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_MODE_CFG (0x6) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 4108762422 (0xf4e6bd36) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | next payload chain: ignoring supplied 'ISAKMP Message'.'next payload type' value 8:ISAKMP_NEXT_HASH | modecfg_inR1: received mode cfg reply | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_ADDRESS (0x1) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr c0 00 02 64 "north-east" #1: Received IPv4 address: 192.0.2.100/32 | setting ip source address to 192.0.2.100/32 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_NETMASK (0x2) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 00 00 00 00 | Received IP4 NETMASK 0.0.0.0 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 01 02 03 04 "north-east" #1: Received DNS server 1.2.3.4 | ****parse ISAKMP ModeCfg attribute: | ModeCfg attr type: INTERNAL_IP4_DNS (0x3) | length/value: 4 (0x4) | parsing 4 raw bytes of ISAKMP ModeCfg attribute into addr | addr 05 06 07 08 "north-east" #1: Received DNS server 5.6.7.8 | modecfg_inR1(STF_OK) | complete v1 state transition with STF_OK | [RE]START processing: state #1 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #1 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_MODE_CFG_I1 to state STATE_MAIN_I4 | parent state #1: MODE_CFG_I1(established IKE SA) => MAIN_I4(established IKE SA) | event_already_set, deleting event | state #1 requesting EVENT_RETRANSMIT to be deleted | #1 STATE_MAIN_I4: retransmits: cleared | libevent_free: release ptr-libevent@0x55aabf51f960 | free_event_entry: release EVENT_RETRANSMIT-pe@0x7f35f8002b20 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x7f35f8002b20 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | libevent_malloc: new ptr-libevent@0x55aabf51f960 size 128 | pstats #1 ikev1.isakmp established "north-east" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} | DPD: dpd_init() called on ISAKMP SA | DPD: Peer supports Dead Peer Detection | DPD: not initializing DPD because DPD is disabled locally | modecfg pull: noquirk policy:pull modecfg-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | creating state object #2 at 0x55aabf520dd0 | State DB: adding IKEv1 state #2 in UNDEFINED | pstats #2 ikev1.ipsec started | duplicating state object #1 "north-east" as #2 for IPSEC SA | #2 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1481) | suspend processing: state #1 connection "north-east" from 192.1.2.23:500 (in quick_outI1() at ikev1_quick.c:683) | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in quick_outI1() at ikev1_quick.c:683) | child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA) "north-east" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:1caec306 proposal=defaults pfsgroup=MODP2048} | adding quick_outI1 KE work-order 3 for state #2 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e140 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f35f0008420 size 128 | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in quick_outI1() at ikev1_quick.c:762) | resume processing: state #1 connection "north-east" from 192.1.2.23:500 (in quick_outI1() at ikev1_quick.c:762) | unqueuing pending Quick Mode with 192.1.2.23 "north-east" | removing pending policy for no connection {0x55aabf4ad3b0} | crypto helper 1 resuming | crypto helper 1 starting work-order 3 for state #2 | close_any(fd@24) (in release_whack() at state.c:654) | crypto helper 1 doing build KE and nonce (quick_outI1 KE); request ID 3 | #1 spent 0.188 milliseconds in process_packet_tail() | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.291 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 1 finished build KE and nonce (quick_outI1 KE); request ID 3 time elapsed 0.000553 seconds | (#2) spent 0.556 milliseconds in crypto helper computing work-order 3: quick_outI1 KE (pcr) | crypto helper 1 sending results from work-order 3 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f35f4007fa0 size 128 | libevent_realloc: release ptr-libevent@0x55aabf4ffa80 | libevent_realloc: new ptr-libevent@0x55aabf51f2d0 size 128 | crypto helper 1 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 1 replies to request ID 3 | calling continuation function 0x55aabd92d630 | quick_outI1_continue for #2: calculated ke+nonce, sending I1 | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 481215238 (0x1caec306) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | emitting quick defaults using policy none | empty esp_info, returning defaults for ENCRYPT | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | DOI: ISAKMP_DOI_IPSEC (0x1) | next payload chain: ignoring supplied 'ISAKMP Security Association Payload'.'next payload type' value 10:ISAKMP_NEXT_NONCE | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA) | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet' | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ikev1_out_sa pcn: 0 has 1 valid proposals | ikev1_out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2 | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 2 (0x2) | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' | netlink_get_spi: allocated 0x2ef9e9c1 for esp.0@192.1.3.33 | emitting 4 raw bytes of SPI into ISAKMP Proposal Payload | SPI 2e f9 e9 c1 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T (0x3) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | emitting length of ISAKMP Transform Payload (ESP): 32 | *****emit ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | ESP transform number: 1 (0x1) | ESP transform ID: ESP_3DES (0x3) | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is ISAKMP_NEXT_T (0x3) | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******emit ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | emitting length of ISAKMP Transform Payload (ESP): 28 | emitting length of ISAKMP Proposal Payload: 72 | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0 | emitting length of ISAKMP Security Association Payload: 84 | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | next payload chain: ignoring supplied 'ISAKMP Nonce Payload'.'next payload type' value 4:ISAKMP_NEXT_KE | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE) | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload | Ni 05 b2 b2 bc 0d 70 87 fd 8e 42 bd 96 02 3e 18 a3 | Ni ce 29 a4 8b 71 1f 83 52 e4 25 b5 fe 30 03 7e 36 | emitting length of ISAKMP Nonce Payload: 36 | ***emit ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | next payload chain: ignoring supplied 'ISAKMP Key Exchange Payload'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE) | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload | keyex value 11 18 ef 10 23 78 22 6a a5 c9 b0 29 16 d1 e1 94 | keyex value b9 51 ae 24 87 32 7b da 44 19 ce 07 53 ec ec d5 | keyex value 7e 68 27 9a 67 76 d7 5f ed 89 ab af f5 84 78 bf | keyex value fe f0 bf bd 9b a8 22 94 98 70 94 20 16 01 9e 27 | keyex value 0b 25 3b 96 ac 7a 7e 6e 4d a9 62 04 61 e7 95 41 | keyex value 9e 8f c3 dd e3 fd a5 ce 99 a6 49 f7 a7 61 e4 67 | keyex value 97 77 33 e8 37 a7 e9 57 73 0d 21 d9 5c f8 c1 12 | keyex value 29 3c b9 d7 66 4e 35 cf ad 6f f9 39 12 3e 6e d3 | keyex value c8 ad 71 e2 84 8f 40 1a 32 04 9c 1e 0e df 61 d6 | keyex value f3 54 06 58 8e 30 56 00 2d aa ef 93 1a 57 83 29 | keyex value a4 8c 5a e2 d7 2e 43 a3 7a 22 e3 eb b3 16 59 df | keyex value 6b 8d ea 0c 43 0a 06 f2 03 2b ea 8f 36 69 36 36 | keyex value f0 0b 96 6f 06 f4 2f df bf 0f dd 5d 37 5f a0 f0 | keyex value d6 32 7d 3a 6a ef c1 49 02 80 93 9f f7 db f4 29 | keyex value 3b a1 57 9e 2c 62 ae 57 9e cd 07 f5 a9 ad 4f 2c | keyex value e6 73 90 36 b4 d4 e7 3a 34 df 33 5d 35 2f f1 59 | emitting length of ISAKMP Key Exchange Payload: 260 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: ignoring supplied 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' value 5:ISAKMP_NEXT_ID | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network c0 00 02 64 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID) | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet' | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI) | client network 00 00 00 00 | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI) | client mask 00 00 00 00 | emitting length of ISAKMP Identification Payload (IPsec DOI): 16 | outI1 HASH(1): | 3e 94 57 2e 49 2d 60 9b 12 78 00 29 09 9e c7 29 | 03 42 e1 c6 6f 9b be 83 29 75 3e 08 9b 78 45 98 | emitting 4 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 476 | sending 476 bytes for reply packet from quick_outI1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 20 01 1c ae c3 06 00 00 01 dc 36 77 37 a2 | 96 d0 2a 8b b4 92 4d 6d 2b 80 40 21 ee 84 64 57 | 5b 4d 91 5d a3 07 08 83 f5 62 e2 73 ae 89 be c7 | 92 ef a9 2c cb 99 ee 48 40 86 12 44 81 59 ac 9d | 2c 35 4b 07 33 26 8d ce 7b 4d 05 b7 05 a8 ca ff | 79 52 f3 16 ce 43 00 17 ef 5d 8e 7d cb 66 01 26 | a1 77 e6 83 ce 4e dd a8 15 07 44 38 be 50 ca df | e1 aa cc 18 7b 40 4c 86 83 e4 b9 fc 26 9c fa 5f | 1e 4f 17 ee 95 65 18 e4 40 89 0c 79 aa e7 4c d3 | 7e 9a c3 bf 0b 66 15 66 41 8c 75 48 73 d8 91 90 | b4 10 bf be cc 24 c2 27 a6 5e f0 72 f6 57 40 af | fd 31 58 a8 b0 c5 94 50 c1 63 e2 31 03 34 18 ef | 16 7c 75 28 9e af 86 91 ee 2c 75 12 97 2c 8a 50 | 21 1e d1 a1 87 ee e9 68 2a 24 b9 d9 34 47 3f 52 | df bf 0b 4c 9a 7b ff 78 a4 59 67 5f c1 10 93 6e | e3 1a 02 04 57 03 45 0b 94 1d 81 72 a2 32 e5 90 | 58 e8 44 3e 18 14 21 1b 50 07 f3 8b 56 8e 00 fa | f8 31 a9 ae 23 31 6e cb 7e 91 dc b8 62 45 1c cc | 49 c9 d9 1b b5 92 9a 51 06 6d 33 9a 1e 28 8f d0 | a2 99 e2 a9 59 c6 6d 82 69 22 4b b4 61 75 d7 85 | 37 3f 26 fb 98 f1 e9 15 bc 63 60 7b 22 53 85 c2 | ab f7 e7 e2 cf 56 d8 05 17 c2 e1 a6 f0 7d 4e 56 | 57 f1 2c c0 15 ff 2a ae 1b 64 89 6b 3b 21 a5 e5 | 88 c3 ba 42 e4 d3 94 fc 9f 4f ed f3 9e 99 8a 4b | 8a 3f 2a 7d 14 76 6d f2 cc f3 50 8b 1b 10 72 a5 | 34 96 b1 f7 9b 53 12 5d 44 93 52 e4 2e 7b 63 88 | be d1 45 2c e2 c0 7a 72 c2 08 aa 43 b2 ad 6f 38 | b5 da cb ad 35 5c 15 e1 11 32 4a f6 b3 59 dd 27 | e4 9e 77 aa 80 94 2c 86 d3 d1 e2 bb | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f35f0008420 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e140 | event_schedule: new EVENT_RETRANSMIT-pe@0x55aabf51e140 | inserting event EVENT_RETRANSMIT, timeout in 15 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f35f0008420 size 128 | #2 STATE_QUICK_I1: retransmits: first event in 15 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 50025.190196 | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 0.321 milliseconds in resume sending helper answer | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f35f4007fa0 | spent 0.00181 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | *received 444 bytes from 192.1.2.23:500 on eth1 (192.1.3.33:500) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 20 01 1c ae c3 06 00 00 01 bc ae 84 3f 76 | cc 10 b4 40 81 c0 aa 5f fc bd 97 fe 73 04 a0 16 | 0c 3a 44 60 6f 03 2f c6 92 9b f9 cc cd 5b 1f ce | 53 63 c5 f8 dc 85 1c d9 a9 e3 01 a3 02 96 79 ca | 38 21 83 f7 a0 3a e7 ce 5b 3f 34 78 d3 3c 97 01 | 05 bf 50 c9 9a f6 d0 62 79 d3 2c 2b f3 3b b3 ea | 57 ba 52 12 62 b3 74 bd 67 43 97 41 f0 ef f8 55 | c5 3d 22 db 95 c6 31 30 8c e0 84 44 ff 81 dd 4a | 04 06 b2 f7 67 5c 03 ab d7 f7 69 97 5d 2e c5 88 | 04 cc d0 d6 dc ce a3 c2 dd 59 83 b6 7f 5d 8d 61 | 8a d4 b6 88 70 60 cf 3d dc 82 89 47 c6 d4 fc a4 | 5b bd 4b ac b9 46 7f 98 5e f2 79 2d 7c 40 b1 36 | 80 6e 30 bc 24 c7 c0 68 94 4e 86 4e 7a e2 80 9d | 1a 26 02 34 63 0b 62 66 89 f5 2a fd e3 5d 5f fd | 2f b5 1a 3e 58 ac 90 de 29 04 51 da 34 06 09 94 | 3a 77 5e 83 75 68 8e ed ca e4 98 ab 77 0d 88 8f | 2b ce 67 68 e3 40 ff 59 c5 43 54 e6 ae 87 c4 b1 | b9 b8 d0 e8 3c c0 0b 2b 15 d5 2e ef a6 4b a7 f0 | 8a 65 da 3f d7 e0 f2 6f 7d b0 f0 6e f5 af 4e 02 | f5 c3 4d 62 dc 17 5f f5 d4 3b 31 13 b2 f2 f4 4b | 58 4e e9 c8 b2 92 39 a1 52 8e 0e 70 df 2f f1 c4 | e5 d3 6e 35 87 0d c1 49 fb d8 55 b4 2c 05 43 1e | a4 ba f6 82 f6 80 da 96 63 e8 00 2d f8 0b 05 62 | d4 8f dc ff ba a7 da 58 82 c0 4a ed e5 6c 9b b9 | 9a ac 91 4e ad b1 3a af c7 7b b7 e7 2c 71 22 83 | ce 87 f4 09 55 78 c9 2f 8e db 9e b9 13 91 5f 6a | 5a 6d dd d3 a5 25 72 3c c8 ef 25 72 | start processing: from 192.1.2.23:500 (in process_md() at demux.c:378) | **parse ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_HASH (0x8) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 481215238 (0x1caec306) | length: 444 (0x1bc) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | State DB: found IKEv1 state #2 in QUICK_I1 (find_state_ikev1) | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in process_v1_packet() at ikev1.c:1609) | #2 is idle | #2 idle | received encrypted packet from 192.1.2.23:500 | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA (0x1) | length: 36 (0x24) | got payload 0x2 (ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE (0xa) | length: 56 (0x38) | DOI: ISAKMP_DOI_IPSEC (0x1) | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_KE (0x4) | length: 36 (0x24) | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_ID (0x5) | length: 260 (0x104) | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID (0x5) | length: 12 (0xc) | ID type: ID_IPV4_ADDR (0x1) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: c0 00 02 64 | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 16 (0x10) | ID type: ID_IPV4_ADDR_SUBNET (0x4) | Protocol ID: 0 (0x0) | port: 0 (0x0) | obj: 00 00 00 00 00 00 00 00 | quick_inR1_outI2 HASH(2): | 8b ce 9a 5f 83 64 0a 5f 3e 17 26 72 01 e7 e8 6c | 62 e6 9a f8 a9 e1 b5 eb 67 03 dc 29 2a d5 52 a7 | received 'quick_inR1_outI2' message HASH(2) data ok | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1) | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 44 (0x2c) | proposal number: 0 (0x0) | protocol ID: PROTO_IPSEC_ESP (0x3) | SPI size: 4 (0x4) | number of transforms: 1 (0x1) | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI ed 75 43 33 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_NONE (0x0) | length: 32 (0x20) | ESP transform number: 0 (0x0) | ESP transform ID: ESP_AES (0xc) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+GROUP_DESCRIPTION (0x8003) | length/value: 14 (0xe) | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+ENCAPSULATION_MODE (0x8004) | length/value: 1 (0x1) | [1 is ENCAPSULATION_MODE_TUNNEL] | NAT-T non-encap: Installing IPsec SA without ENCAP, st->hidden_variables.st_nat_traversal is none | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_TYPE (0x8001) | length/value: 1 (0x1) | [1 is SA_LIFE_TYPE_SECONDS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+SA_LIFE_DURATION (variable length) (0x8002) | length/value: 28800 (0x7080) | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+AUTH_ALGORITHM (0x8005) | length/value: 2 (0x2) | [2 is AUTH_ALGORITHM_HMAC_SHA1] | ******parse ISAKMP IPsec DOI attribute: | af+type: AF+KEY_LENGTH (0x8006) | length/value: 128 (0x80) | ESP IPsec Transform verified unconditionally; no alg_info to check against | started looking for secret for @GroupID->@east of kind PKK_PSK | actually looking for secret for @GroupID->@east of kind PKK_PSK | line 1: key type PKK_PSK(@GroupID) to type PKK_PSK | 1: compared key @GroupID to @GroupID / @east -> 010 | 2: compared key @east to @GroupID / @east -> 014 | line 1: match=014 | match 014 beats previous best_match 000 match=0x55aabf5114e0 (line=1) | concluding with best_match=014 best=0x55aabf5114e0 (lineno=1) | adding quick outI2 DH work-order 4 for state #2 | state #2 requesting EVENT_RETRANSMIT to be deleted | #2 STATE_QUICK_I1: retransmits: cleared | libevent_free: release ptr-libevent@0x7f35f0008420 | free_event_entry: release EVENT_RETRANSMIT-pe@0x55aabf51e140 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e140 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f35f0008420 size 128 | complete v1 state transition with STF_SUSPEND | [RE]START processing: state #2 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2624) | suspending state #2 and saving MD | #2 is busy; has a suspended MD | crypto helper 3 resuming | #2 spent 0.101 milliseconds in process_packet_tail() | crypto helper 3 starting work-order 4 for state #2 | stop processing: from 192.1.2.23:500 (BACKGROUND) (in process_md() at demux.c:380) | crypto helper 3 doing compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in process_md() at demux.c:382) | processing: STOP connection NULL (in process_md() at demux.c:383) | spent 0.263 milliseconds in comm_handle_cb() reading and processing packet | crypto helper 3 finished compute dh (V1 Phase 2 PFS) (quick outI2 DH); request ID 4 time elapsed 0.000534 seconds | (#2) spent 0.537 milliseconds in crypto helper computing work-order 4: quick outI2 DH (pcr) | crypto helper 3 sending results from work-order 4 for state #2 to event queue | scheduling resume sending helper answer for #2 | libevent_malloc: new ptr-libevent@0x7f35e8001ef0 size 128 | crypto helper 3 waiting (nothing to do) | processing resume sending helper answer for #2 | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:797) | crypto helper 3 replies to request ID 4 | calling continuation function 0x55aabd92d630 | quick_inR1_outI2_continue for #2: calculated ke+nonce, calculating DH | **emit ISAKMP Message: | initiator cookie: | 51 d2 e6 b6 ed 34 22 b8 | responder cookie: | 64 9d c4 ed cc 8c b2 f9 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10) | exchange type: ISAKMP_XCHG_QUICK (0x20) | flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1) | Message ID: 481215238 (0x1caec306) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address c0 00 02 64 | our client is 192.0.2.100/32 | our client protocol/port is 0/0 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID address | ID address 00 00 00 00 | parsing 4 raw bytes of ISAKMP Identification Payload (IPsec DOI) into ID mask | ID mask 00 00 00 00 | peer client is subnet 0.0.0.0/0 | peer client protocol/port is 0/0 | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH) | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet' | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload | emitting length of ISAKMP Hash Payload: 36 | quick_inR1_outI2 HASH(3): | 8d 41 98 fb 4e 19 9f 19 30 5c 4f f5 7d 88 3a 52 | 28 41 bb 9f 11 7b 32 57 a8 58 a9 bd 51 bc e2 f4 | compute_proto_keymat: needed_len (after ESP enc)=16 | compute_proto_keymat: needed_len (after ESP auth)=36 | install_ipsec_sa() for #2: inbound and outbound | could_route called for north-east (kind=CK_PERMANENT) | FOR_EACH_CONNECTION_... in route_owner | conn north-east mark 0/00000000, 0/00000000 vs | conn north-east mark 0/00000000, 0/00000000 | route owner of "north-east" unrouted: NULL; eroute owner: NULL | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.ed754333@192.1.2.23 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA1_96 | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 | st->st_esp.keymat_len=36 is encrypt_keymat_size=16 + integ_keymat_size=20 | setting IPsec SA replay-window to 32 | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink: esp-hw-offload not set for IPsec SA | netlink response for Add SA esp.2ef9e9c1@192.1.3.33 included non-error error | priority calculation of connection "north-east" is 0xfdfff | add inbound eroute 0.0.0.0/0:0 --0-> 192.0.2.100/32:0 => tun.10000@192.1.3.33 (raw_eroute) | IPsec Sa SPD priority set to 1040383 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | FOR_EACH_CONNECTION_... in route_owner | conn north-east mark 0/00000000, 0/00000000 vs | conn north-east mark 0/00000000, 0/00000000 | route owner of "north-east" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: north-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "north-east" is 0xfdfff | eroute_connection add eroute 192.0.2.100/32:0 --0-> 0.0.0.0/0:0 => tun.0@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1040383 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1' PLUTO | popen cmd is 1116 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_I: | cmd( 80):NTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY_ID=': | cmd( 160):@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100' PLU: | cmd( 240):TO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUT: | cmd( 320):O_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@e: | cmd( 400):ast' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CL: | cmd( 480):IENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='': | cmd( 560): PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PF: | cmd( 640):S+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CON: | cmd( 720):N_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME: | cmd( 800):='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_I: | cmd( 880):NFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: | cmd( 960):ERVER='0' PLUTO_CFG_CLIENT='1' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: | cmd(1040):'no' VTI_SHARED='no' SPI_IN=0xed754333 SPI_OUT=0x2ef9e9c1 ipsec _updown 2>&1: "north-east" #2: up-client output: updating resolvconf | route_and_eroute: firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT | popen cmd is 1121 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: | cmd( 80):UTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY: | cmd( 160):_ID='@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0': | cmd( 320): PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_I: | cmd( 400):D='@east' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PE: | cmd( 480):ER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_: | cmd( 560):CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNN: | cmd( 640):EL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUT: | cmd( 720):O_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USE: | cmd( 800):RNAME='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_: | cmd( 880):DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_: | cmd( 960):CFG_SERVER='0' PLUTO_CFG_CLIENT='1' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU: | cmd(1040):TING='no' VTI_SHARED='no' SPI_IN=0xed754333 SPI_OUT=0x2ef9e9c1 ipsec _updown 2>&: | cmd(1120):1: | running updown command "ipsec _updown" for verb route | command executing route-client | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERNAME='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='1' | popen cmd is 1119 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUT: | cmd( 80):O_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.3.254' PLUTO_ME='192.1.3.33' PLUTO_MY_I: | cmd( 160):D='@GroupID' PLUTO_MY_CLIENT='192.0.2.100/32' PLUTO_MY_CLIENT_NET='192.0.2.100' : | cmd( 240):PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' P: | cmd( 320):LUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID=: | cmd( 400):'@east' PLUTO_PEER_CLIENT='0.0.0.0/0' PLUTO_PEER_CLIENT_NET='0.0.0.0' PLUTO_PEER: | cmd( 480):_CLIENT_MASK='0.0.0.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA: | cmd( 560):='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL: | cmd( 640):+PFS+UP+XAUTH+MODECFG_PULL+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_: | cmd( 720):CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_USERN: | cmd( 800):AME='use3' PLUTO_MY_SOURCEIP='192.0.2.100' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DN: | cmd( 880):S_INFO='1.2.3.4 5.6.7.8' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: | cmd( 960):G_SERVER='0' PLUTO_CFG_CLIENT='1' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTI: | cmd(1040):NG='no' VTI_SHARED='no' SPI_IN=0xed754333 SPI_OUT=0x2ef9e9c1 ipsec _updown 2>&1: "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. "north-east" #2: route-client output: Error: Peer netns reference is invalid. | route_and_eroute: instance "north-east", setting eroute_owner {spd=0x55aabf51ce70,sr=0x55aabf51ce70} to #2 (was #0) (newest_ipsec_sa=#0) | #1 spent 1.16 milliseconds in install_ipsec_sa() | emitting 12 zero bytes of encryption padding into ISAKMP Message | no IKEv1 message padding required | emitting length of ISAKMP Message: 76 | inR1_outI2: instance north-east[0], setting IKEv1 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | DPD: dpd_init() called on IPsec SA | DPD: Peer does not support Dead Peer Detection | complete v1 state transition with STF_OK | [RE]START processing: state #2 connection "north-east" from 192.1.2.23:500 (in complete_v1_state_transition() at ikev1.c:2649) | #2 is idle | doing_xauth:no, t_xauth_client_done:yes | IKEv1: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2 | child state #2: QUICK_I1(established CHILD SA) => QUICK_I2(established CHILD SA) | event_already_set, deleting event | state #2 requesting EVENT_CRYPTO_TIMEOUT to be deleted | libevent_free: release ptr-libevent@0x7f35f0008420 | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55aabf51e140 | sending reply packet to 192.1.2.23:500 (from 192.1.3.33:500) | sending 76 bytes for STATE_QUICK_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) | 51 d2 e6 b6 ed 34 22 b8 64 9d c4 ed cc 8c b2 f9 | 08 10 20 01 1c ae c3 06 00 00 00 4c ac 78 36 a6 | 94 b4 f7 9c 83 40 d0 9c 96 5a 72 f4 74 3d 86 19 | 98 1f 0e 75 f5 40 a3 71 aa b3 80 3b 38 86 6e 6b | b1 e3 9e 2d cb 97 a2 cf 7e 91 f7 07 | !event_already_set at reschedule | event_schedule: new EVENT_SA_REPLACE-pe@0x55aabf51e140 | inserting event EVENT_SA_REPLACE, timeout in 28048 seconds for #2 | libevent_malloc: new ptr-libevent@0x7f35f0008420 size 128 | pstats #2 ikev1.ipsec established | NAT-T: encaps is 'auto' "north-east" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xed754333 <0x2ef9e9c1 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive username=use3} | modecfg pull: noquirk policy:pull modecfg-client | phase 1 is done, looking for phase 2 to unpend | close_any(fd@25) (in release_whack() at state.c:654) | resume sending helper answer for #2 suppresed complete_v1_state_transition() | #2 spent 1.48 milliseconds in resume sending helper answer | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in resume_handler() at server.c:833) | libevent_free: release ptr-libevent@0x7f35e8001ef0 | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_DELPOLICY message | xfrm netlink address change RTM_NEWADDR msg len 76 | XFRM RTM_NEWADDR 192.0.2.100 IFA_LOCAL | FOR_EACH_STATE_... in record_newaddr (for_each_state) | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1572) | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1574) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1572) | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1574) | IKEv2 received address RTM_NEWADDR type 3 | IKEv2 received address RTM_NEWADDR type 8 | IKEv2 received address RTM_NEWADDR type 6 | netlink_get: XFRM_MSG_EXPIRE message | netlink_get: XFRM_MSG_EXPIRE message | netlink_get: XFRM_MSG_EXPIRE message | spent 0.0436 milliseconds in kernel message | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00438 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.0151 milliseconds in signal handler PLUTO_SIGCHLD | processing signal PLUTO_SIGCHLD | waitpid returned ECHILD (no child processes left) | spent 0.00243 milliseconds in signal handler PLUTO_SIGCHLD | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_STATE_... in show_traffic_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.2ef9e9c1@192.1.3.33 | get_sa_info esp.ed754333@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.0824 milliseconds in whack | processing global timer EVENT_SHUNT_SCAN | expiring aged bare shunts from shunt table | spent 0.00439 milliseconds in global timer EVENT_SHUNT_SCAN | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:721) | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_CONNECTION_... in show_connections_status | FOR_EACH_STATE_... in show_states_status (sort_states) | FOR_EACH_STATE_... in sort_states | get_sa_info esp.2ef9e9c1@192.1.3.33 | get_sa_info esp.ed754333@192.1.2.23 | close_any(fd@16) (in whack_process() at rcv_whack.c:700) | spent 0.337 milliseconds in whack | spent 0.00239 milliseconds in comm_handle_cb() calling check_incoming_msg_errqueue() | NAT-T keep-alive (bogus ?) should not reach this point. Ignored. Sender: 192.1.2.23:500 | spent 0.00818 milliseconds in comm_handle_cb() reading and processing packet | processing global timer EVENT_NAT_T_KEEPALIVE | FOR_EACH_STATE_... in nat_traversal_ka_event (for_each_state) | start processing: state #2 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1572) | not behind NAT: no NAT-T KEEP-ALIVE required for conn north-east | [RE]START processing: state #2 connection "north-east" from 192.1.2.23:500 (in nat_traversal_send_ka() at nat_traversal.c:773) | ka_event: send NAT-KA to 192.1.2.23:500 (state=#2) | sending NAT-T Keep Alive | sending 1 bytes for NAT-T Keep Alive through eth1 from 192.1.3.33:500 to 192.1.2.23:500 (using #2) | ff | stop processing: state #2 connection "north-east" from 192.1.2.23:500 (in nat_traversal_send_ka() at nat_traversal.c:782) | processing: STOP state #0 (in for_each_state() at state.c:1574) | start processing: state #1 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1572) | not behind NAT: no NAT-T KEEP-ALIVE required for conn north-east | stop processing: state #1 connection "north-east" from 192.1.2.23:500 (in for_each_state() at state.c:1574) | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds | spent 0.0651 milliseconds in global timer EVENT_NAT_T_KEEPALIVE