NSS DB directory: sql:/var/lib/ipsec/nss Initializing NSS Opening NSS database "sql:/var/lib/ipsec/nss" read-only FIPS Mode: NO NSS crypto library initialized FIPS mode disabled for pluto daemon FIPS HMAC integrity support [disabled] libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v4.1-88-gf1d1933837ef-main IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2080654 core dump dir: /tmp secrets file: /etc/ipsec.secrets leak-detective enabled NSS crypto [enabled] XAUTH PAM support [enabled] Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) NAT-Traversal support [enabled] Encryption algorithms: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac NULL [] IKEv1: ESP IKEv2: ESP CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: NSS SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384 SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: IKE ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521 DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519 testing CAMELLIA_CBC: Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 128-bit key Camellia: 16 bytes with 256-bit key Camellia: 16 bytes with 256-bit key testing AES_GCM_16: empty string one block two blocks two blocks with associated data testing AES_CTR: Encrypting 16 octets using AES-CTR with 128-bit key Encrypting 32 octets using AES-CTR with 128-bit key Encrypting 36 octets using AES-CTR with 128-bit key Encrypting 16 octets using AES-CTR with 192-bit key Encrypting 32 octets using AES-CTR with 192-bit key Encrypting 36 octets using AES-CTR with 192-bit key Encrypting 16 octets using AES-CTR with 256-bit key Encrypting 32 octets using AES-CTR with 256-bit key Encrypting 36 octets using AES-CTR with 256-bit key testing AES_CBC: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key testing AES_XCBC: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18) testing HMAC_MD5: RFC 2104: MD5_HMAC test 1 RFC 2104: MD5_HMAC test 2 RFC 2104: MD5_HMAC test 3 8 CPU cores online starting up 7 helper threads started thread for helper 0 started thread for helper 1 started thread for helper 2 started thread for helper 3 started thread for helper 4 started thread for helper 5 started thread for helper 6 Using Linux XFRM/NETKEY IPsec kernel support code on 5.8.15-201.fc32.x86_64 SELinux support is enabled in PERMISSIVE mode. seccomp security disabled for crypto helper 1 seccomp security disabled for crypto helper 3 seccomp security disabled seccomp security disabled for crypto helper 2 seccomp security disabled for crypto helper 4 seccomp security disabled for crypto helper 5 seccomp security disabled for crypto helper 6 seccomp security disabled for crypto helper 7 listening for IKE messages Kernel supports NIC esp-hw-offload adding UDP interface eth1 192.1.2.23:500 adding UDP interface eth1 192.1.2.23:4500 adding UDP interface eth0 192.0.2.254:500 adding UDP interface eth0 192.0.2.254:4500 adding UDP interface lo 127.0.0.1:500 adding UDP interface lo 127.0.0.1:4500 loading secrets from "/etc/ipsec.secrets" no secrets filename matched "/etc/ipsec.d/*.secrets" connection "westnet-eastnet-first": loaded private key matching right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 added IKEv1 connection "westnet-eastnet-first" add keyid @west | 01 03 a6 f5 d6 3f e3 8f 6c 01 6a fc 7b 7c 6d 57 | 8b 49 39 0d 77 f7 ac e2 85 f1 98 1e 4b 6d a5 3e | b3 96 9a d1 99 5a bc 10 f2 97 de f2 28 f9 5f 92 | 09 f0 c8 d4 12 e4 60 6e 9c 60 98 10 01 7d 26 b7 | 8f 95 62 2d 87 dd cd de f6 d3 8f 35 b0 50 d0 18 | f5 99 f8 04 f1 ff 61 5b bc 7f 1f c0 04 d8 e4 8c | ac 34 ad 7a c1 da 3c 2d 8c 30 ae d6 3c 59 b1 3a | 94 d3 d5 2a 73 91 bd 59 5f 3e 72 bf 4a 1b 9d c5 | b2 2b 4d e7 0d 24 3e 77 f9 7f 2d d6 9d 29 ef 70 | 7d 7a 6d a2 b8 61 0c 4b 09 4a 06 71 84 70 85 9a | 8f 52 a1 80 06 fd c6 fc 3e 27 fa 16 fa 32 83 a9 | ca 80 db 0f 4a bf f7 e9 55 8e bd 29 4d 23 a6 dc | 2a b3 5d 62 a9 21 1e be 83 d8 69 3c 03 0a 48 8e | d3 3a 11 f2 86 5a d1 30 65 bd c8 f4 83 87 ff 04 | 87 33 05 4f e0 d8 8c fe b3 19 4c dd 85 40 f3 4d | 6e e8 49 14 06 2c 1f 59 59 05 8f 20 b0 ca 46 3f | c9 20 7e 04 30 7d 9a 80 6c 3f 0a 89 f7 d3 af d8 | 15 04 37 f9 add keyid @east | 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b | e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 | 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c | 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 | 21 c9 f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d | d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 | 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce | 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e | bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d | ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce | e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a | 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 | 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 | 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 | d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c | 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 | 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 | 51 51 48 ef "westnet-eastnet-first" #1: responding to Main Mode "westnet-eastnet-first" #1: sent Main Mode R1 "westnet-eastnet-first" #1: sent Main Mode R2 "westnet-eastnet-first" #1: Peer ID is ID_FQDN: '@west' "westnet-eastnet-first" #1: authenticated using RSA with SHA-1 "westnet-eastnet-first" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} "westnet-eastnet-first" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 "westnet-eastnet-first" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 "westnet-eastnet-first" #2: responding to Quick Mode proposal {msgid:4f9f4b20} "westnet-eastnet-first" #2: us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-first" #2: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 "westnet-eastnet-first" #2: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0x3d501165 <0x1051e25b xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} "westnet-eastnet-first" #3: responding to Quick Mode proposal {msgid:7dccaa97} "westnet-eastnet-first" #3: us: 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east] "westnet-eastnet-first" #3: them: 192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24 "westnet-eastnet-first" #3: sent Quick Mode reply, inbound IPsec SA installed, expecting confirmation tunnel mode {ESP=>0x73f5c114 <0xc9ca60f8 xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: route-client output: Error: Peer netns reference is invalid. "westnet-eastnet-first" #2: IPsec SA established tunnel mode {ESP=>0x3d501165 <0x1051e25b xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} "westnet-eastnet-first" #3: STATE_QUICK_R1: retransmission; will wait 0.5 seconds for response "westnet-eastnet-first" #3: STATE_QUICK_R1: retransmission; will wait 1 seconds for response shutting down 7 helper threads shutdown forgetting secrets "westnet-eastnet-first" #3: deleting state (STATE_QUICK_R1) aged 1.689824s and sending notification "westnet-eastnet-first" #3: ESP traffic information: in=0B out=0B "westnet-eastnet-first" #2: deleting state (STATE_QUICK_R2) aged 1.692321s and sending notification "westnet-eastnet-first" #2: ESP traffic information: in=0B out=0B "westnet-eastnet-first" #1: deleting state (STATE_MAIN_R3) aged 1.732662s and sending notification unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. unroute-client output: Error: Peer netns reference is invalid. shutting down interface lo 127.0.0.1:4500 shutting down interface lo 127.0.0.1:500 shutting down interface eth0 192.0.2.254:4500 shutting down interface eth0 192.0.2.254:500 shutting down interface eth1 192.1.2.23:4500 shutting down interface eth1 192.1.2.23:500 leak detective found no leaks