Oct 31 15:24:52.884852: | newref logger@0x561a1d1b2bb8(0->1) (in main() at plutomain.c:1591) Oct 31 15:24:52.884999: | delref logger@0x561a1d1b2bb8(1->0) (in main() at plutomain.c:1592) Oct 31 15:24:52.885006: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:52.885008: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:52.885013: NSS DB directory: sql:/var/lib/ipsec/nss Oct 31 15:24:52.885144: Initializing NSS Oct 31 15:24:52.885149: Opening NSS database "sql:/var/lib/ipsec/nss" read-only Oct 31 15:24:52.925749: FIPS Mode: NO Oct 31 15:24:52.925760: NSS crypto library initialized Oct 31 15:24:52.925784: FIPS mode disabled for pluto daemon Oct 31 15:24:52.925786: FIPS HMAC integrity support [disabled] Oct 31 15:24:52.925844: libcap-ng support [enabled] Oct 31 15:24:52.925853: Linux audit support [enabled] Oct 31 15:24:52.925868: Linux audit activated Oct 31 15:24:52.925873: Starting Pluto (Libreswan Version v4.1-88-gf1d1933837ef-main IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2151555 Oct 31 15:24:52.925875: core dump dir: /tmp Oct 31 15:24:52.925877: secrets file: /etc/ipsec.secrets Oct 31 15:24:52.925878: leak-detective enabled Oct 31 15:24:52.925879: NSS crypto [enabled] Oct 31 15:24:52.925881: XAUTH PAM support [enabled] Oct 31 15:24:52.925945: | libevent is using pluto's memory allocator Oct 31 15:24:52.925953: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Oct 31 15:24:52.925965: | libevent_malloc: newref ptr-libevent@0x561a1d238408 size 40 Oct 31 15:24:52.925968: | libevent_malloc: newref ptr-libevent@0x561a1d1c88b8 size 40 Oct 31 15:24:52.925974: | libevent_malloc: newref ptr-libevent@0x561a1d2388e8 size 40 Oct 31 15:24:52.925976: | creating event base Oct 31 15:24:52.925979: | libevent_malloc: newref 
ptr-libevent@0x561a1d238be8 size 56 Oct 31 15:24:52.925981: | libevent_malloc: newref ptr-libevent@0x561a1d22f0a8 size 664 Oct 31 15:24:52.925991: | libevent_malloc: newref ptr-libevent@0x561a1d265a38 size 24 Oct 31 15:24:52.925993: | libevent_malloc: newref ptr-libevent@0x561a1d265a88 size 384 Oct 31 15:24:52.926001: | libevent_malloc: newref ptr-libevent@0x561a1d265c38 size 16 Oct 31 15:24:52.926003: | libevent_malloc: newref ptr-libevent@0x561a1d238868 size 40 Oct 31 15:24:52.926005: | libevent_malloc: newref ptr-libevent@0x561a1d2380c8 size 48 Oct 31 15:24:52.926008: | libevent_realloc: newref ptr-libevent@0x561a1d25c208 size 256 Oct 31 15:24:52.926010: | libevent_malloc: newref ptr-libevent@0x561a1d265c78 size 16 Oct 31 15:24:52.926014: | libevent_free: delref ptr-libevent@0x561a1d238be8 Oct 31 15:24:52.926016: | libevent initialized Oct 31 15:24:52.926019: | libevent_realloc: newref ptr-libevent@0x561a1d238be8 size 64 Oct 31 15:24:52.926022: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Oct 31 15:24:52.926026: | init_nat_traversal() initialized with keep_alive=0s Oct 31 15:24:52.926028: NAT-Traversal support [enabled] Oct 31 15:24:52.926030: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Oct 31 15:24:52.926033: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Oct 31 15:24:52.926035: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Oct 31 15:24:52.926046: | checking IKEv1 state table Oct 31 15:24:52.926050: | MAIN_R0: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926052: | -> MAIN_R1 EVENT_SO_DISCARD (main_inI1_outR1) Oct 31 15:24:52.926055: | MAIN_I1: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926056: | -> MAIN_I2 EVENT_RETRANSMIT (main_inR1_outI2) Oct 31 15:24:52.926058: | MAIN_R1: category: open IKE SA; flags: 0: Oct 31 15:24:52.926060: | -> MAIN_R2 EVENT_RETRANSMIT (main_inI2_outR2) Oct 31 15:24:52.926061: | -> MAIN_R1 EVENT_RETRANSMIT 
(unexpected) Oct 31 15:24:52.926062: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected) Oct 31 15:24:52.926064: | MAIN_I2: category: open IKE SA; flags: 0: Oct 31 15:24:52.926070: | -> MAIN_I3 EVENT_RETRANSMIT (main_inR2_outI3) Oct 31 15:24:52.926072: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected) Oct 31 15:24:52.926073: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected) Oct 31 15:24:52.926075: | MAIN_R2: category: open IKE SA; flags: 0: Oct 31 15:24:52.926076: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3) Oct 31 15:24:52.926078: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3) Oct 31 15:24:52.926079: | -> MAIN_R2 EVENT_SA_REPLACE (unexpected) Oct 31 15:24:52.926080: | MAIN_I3: category: open IKE SA; flags: 0: Oct 31 15:24:52.926082: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3) Oct 31 15:24:52.926083: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3) Oct 31 15:24:52.926085: | -> MAIN_I3 EVENT_SA_REPLACE (unexpected) Oct 31 15:24:52.926086: | MAIN_R3: category: established IKE SA; flags: 0: Oct 31 15:24:52.926088: | -> MAIN_R3 EVENT_NULL (unexpected) Oct 31 15:24:52.926089: | MAIN_I4: category: established IKE SA; flags: 0: Oct 31 15:24:52.926090: | -> MAIN_I4 EVENT_NULL (unexpected) Oct 31 15:24:52.926092: | AGGR_R0: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926093: | -> AGGR_R1 EVENT_SO_DISCARD (aggr_inI1_outR1) Oct 31 15:24:52.926095: | AGGR_I1: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926096: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2) Oct 31 15:24:52.926098: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2) Oct 31 15:24:52.926099: | AGGR_R1: category: open IKE SA; flags: 0: Oct 31 15:24:52.926101: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2) Oct 31 15:24:52.926102: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2) Oct 31 15:24:52.926104: | AGGR_I2: category: established IKE SA; flags: 0: Oct 31 15:24:52.926105: | -> AGGR_I2 EVENT_NULL (unexpected) Oct 31 15:24:52.926106: | AGGR_R2: category: established IKE SA; flags: 0: Oct 31 15:24:52.926108: | -> AGGR_R2 EVENT_NULL 
(unexpected) Oct 31 15:24:52.926109: | QUICK_R0: category: established CHILD SA; flags: 0: Oct 31 15:24:52.926111: | -> QUICK_R1 EVENT_RETRANSMIT (quick_inI1_outR1) Oct 31 15:24:52.926112: | QUICK_I1: category: established CHILD SA; flags: 0: Oct 31 15:24:52.926114: | -> QUICK_I2 EVENT_SA_REPLACE (quick_inR1_outI2) Oct 31 15:24:52.926115: | QUICK_R1: category: established CHILD SA; flags: 0: Oct 31 15:24:52.926117: | -> QUICK_R2 EVENT_SA_REPLACE (quick_inI2) Oct 31 15:24:52.926118: | QUICK_I2: category: established CHILD SA; flags: 0: Oct 31 15:24:52.926120: | -> QUICK_I2 EVENT_NULL (unexpected) Oct 31 15:24:52.926121: | QUICK_R2: category: established CHILD SA; flags: 0: Oct 31 15:24:52.926123: | -> QUICK_R2 EVENT_NULL (unexpected) Oct 31 15:24:52.926124: | INFO: category: informational; flags: 0: Oct 31 15:24:52.926125: | -> INFO EVENT_NULL (informational) Oct 31 15:24:52.926127: | INFO_PROTECTED: category: informational; flags: 0: Oct 31 15:24:52.926128: | -> INFO_PROTECTED EVENT_NULL (informational) Oct 31 15:24:52.926130: | XAUTH_R0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926131: | -> XAUTH_R1 EVENT_NULL (xauth_inR0) Oct 31 15:24:52.926133: | XAUTH_R1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926134: | -> MAIN_R3 EVENT_SA_REPLACE (xauth_inR1) Oct 31 15:24:52.926136: | MODE_CFG_R0: category: informational; flags: 0: Oct 31 15:24:52.926137: | -> MODE_CFG_R1 EVENT_SA_REPLACE (modecfg_inR0) Oct 31 15:24:52.926139: | MODE_CFG_R1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926140: | -> MODE_CFG_R2 EVENT_SA_REPLACE (modecfg_inR1) Oct 31 15:24:52.926142: | MODE_CFG_R2: category: established IKE SA; flags: 0: Oct 31 15:24:52.926143: | -> MODE_CFG_R2 EVENT_NULL (unexpected) Oct 31 15:24:52.926145: | MODE_CFG_I1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926146: | -> MAIN_I4 EVENT_SA_REPLACE (modecfg_inR1) Oct 31 15:24:52.926148: | XAUTH_I0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926149: | -> 
XAUTH_I1 EVENT_RETRANSMIT (xauth_inI0) Oct 31 15:24:52.926152: | XAUTH_I1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926153: | -> MAIN_I4 EVENT_RETRANSMIT (xauth_inI1) Oct 31 15:24:52.926158: | checking IKEv2 state table Oct 31 15:24:52.926160: | V2_REKEY_IKE_I0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926163: | -> V2_REKEY_IKE_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Oct 31 15:24:52.926167: | V2_REKEY_CHILD_I0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926168: | -> V2_REKEY_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Oct 31 15:24:52.926170: | V2_NEW_CHILD_I0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926172: | -> V2_NEW_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Oct 31 15:24:52.926173: | PARENT_I0: category: ignore; flags: 0: Oct 31 15:24:52.926175: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Oct 31 15:24:52.926176: | PARENT_I1: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926178: | -> PARENT_I0 EVENT_SO_DISCARD (received anti-DDOS COOKIE notify response; resending IKE_SA_INIT request with cookie payload added) Oct 31 15:24:52.926180: | -> PARENT_I0 EVENT_SO_DISCARD (received IKE_SA_INIT INVALID_KE_PAYLOAD notify response; resending IKE_SA_INIT with new KE payload) Oct 31 15:24:52.926181: | -> IKESA_DEL EVENT_v2_REDIRECT (received REDIRECT notify response; resending IKE_SA_INIT request to new destination) Oct 31 15:24:52.926183: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE) Oct 31 15:24:52.926185: | PARENT_I2: category: open IKE SA; flags: 0: Oct 31 15:24:52.926186: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_INTERMEDIATE reply, initiate IKE_AUTH or IKE_INTERMEDIATE) Oct 31 15:24:52.926188: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Oct 31 
15:24:52.926189: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Oct 31 15:24:52.926191: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Oct 31 15:24:52.926192: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Oct 31 15:24:52.926193: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Oct 31 15:24:52.926195: | PARENT_R0: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926197: | -> PARENT_R1 EVENT_SO_DISCARD send-response (Respond to IKE_SA_INIT) Oct 31 15:24:52.926215: | PARENT_R1: category: half-open IKE SA; flags: 0: Oct 31 15:24:52.926223: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request (no SKEYSEED)) Oct 31 15:24:52.926225: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (no SKEYSEED)) Oct 31 15:24:52.926228: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (with SKEYSEED)) Oct 31 15:24:52.926230: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request) Oct 31 15:24:52.926233: | V2_REKEY_IKE_R0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926235: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IKE Rekey) Oct 31 15:24:52.926238: | V2_REKEY_IKE_I1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926240: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Oct 31 15:24:52.926241: | V2_NEW_CHILD_I1: category: established IKE SA; flags: 0: Oct 31 15:24:52.926243: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Oct 31 15:24:52.926244: | V2_REKEY_CHILD_R0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926246: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA rekey CHILD SA request) 
Oct 31 15:24:52.926248: | V2_NEW_CHILD_R0: category: established IKE SA; flags: 0: Oct 31 15:24:52.926251: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IPsec SA Request) Oct 31 15:24:52.926253: | ESTABLISHED_IKE_SA: category: established IKE SA; flags: 0: Oct 31 15:24:52.926255: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request (liveness probe)) Oct 31 15:24:52.926257: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response (liveness probe)) Oct 31 15:24:52.926263: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request) Oct 31 15:24:52.926265: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response) Oct 31 15:24:52.926268: | IKESA_DEL: category: established IKE SA; flags: 0: Oct 31 15:24:52.926271: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Oct 31 15:24:52.926274: | CHILDSA_DEL: category: informational; flags: 0: Oct 31 15:24:52.926276: | -> CHILDSA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Oct 31 15:24:52.926280: | global one-shot timer EVENT_REVIVE_CONNS initialized Oct 31 15:24:52.926284: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Oct 31 15:24:52.926287: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Oct 31 15:24:52.926424: Encryption algorithms: Oct 31 15:24:52.926434: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c Oct 31 15:24:52.926440: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b Oct 31 15:24:52.926445: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a Oct 31 15:24:52.926450: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des Oct 31 15:24:52.926455: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP Oct 31 15:24:52.926459: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia Oct 31 15:24:52.926464: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, 
aes_gcm_c Oct 31 15:24:52.926468: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b Oct 31 15:24:52.926474: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a Oct 31 15:24:52.926478: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr Oct 31 15:24:52.926483: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes Oct 31 15:24:52.926487: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac Oct 31 15:24:52.926490: NULL [] IKEv1: ESP IKEv2: ESP Oct 31 15:24:52.926494: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305 Oct 31 15:24:52.926496: Hash algorithms: Oct 31 15:24:52.926500: MD5 IKEv1: IKE IKEv2: NSS Oct 31 15:24:52.926502: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha Oct 31 15:24:52.926505: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256 Oct 31 15:24:52.926508: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384 Oct 31 15:24:52.926511: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512 Oct 31 15:24:52.926512: PRF algorithms: Oct 31 15:24:52.926515: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5 Oct 31 15:24:52.926518: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1 Oct 31 15:24:52.926522: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256 Oct 31 15:24:52.926528: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384 Oct 31 15:24:52.926531: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512 Oct 31 15:24:52.926534: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc Oct 31 15:24:52.926536: Integrity algorithms: Oct 31 15:24:52.926540: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5 Oct 31 15:24:52.926544: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1 Oct 31 15:24:52.926549: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Oct 31 15:24:52.926553: HMAC_SHA2_384_192 IKEv1: IKE ESP AH 
IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Oct 31 15:24:52.926557: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Oct 31 15:24:52.926561: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Oct 31 15:24:52.926565: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96 Oct 31 15:24:52.926568: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Oct 31 15:24:52.926571: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Oct 31 15:24:52.926573: DH algorithms: Oct 31 15:24:52.926577: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0 Oct 31 15:24:52.926580: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5 Oct 31 15:24:52.926584: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14 Oct 31 15:24:52.926587: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15 Oct 31 15:24:52.926591: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16 Oct 31 15:24:52.926595: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17 Oct 31 15:24:52.926598: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18 Oct 31 15:24:52.926602: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256 Oct 31 15:24:52.926606: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384 Oct 31 15:24:52.926610: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521 Oct 31 15:24:52.926614: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519 Oct 31 15:24:52.926617: testing CAMELLIA_CBC: Oct 31 15:24:52.926619: Camellia: 16 bytes with 128-bit key Oct 31 15:24:52.926687: Camellia: 16 bytes with 128-bit key Oct 31 15:24:52.926708: Camellia: 16 bytes with 256-bit key Oct 31 15:24:52.926728: Camellia: 16 bytes with 256-bit key Oct 31 15:24:52.926747: testing AES_GCM_16: Oct 31 15:24:52.926749: empty string Oct 31 15:24:52.926770: one block Oct 31 15:24:52.926788: two blocks Oct 31 15:24:52.926806: two 
blocks with associated data Oct 31 15:24:52.926825: testing AES_CTR: Oct 31 15:24:52.926827: Encrypting 16 octets using AES-CTR with 128-bit key Oct 31 15:24:52.926845: Encrypting 32 octets using AES-CTR with 128-bit key Oct 31 15:24:52.926865: Encrypting 36 octets using AES-CTR with 128-bit key Oct 31 15:24:52.926885: Encrypting 16 octets using AES-CTR with 192-bit key Oct 31 15:24:52.926906: Encrypting 32 octets using AES-CTR with 192-bit key Oct 31 15:24:52.926925: Encrypting 36 octets using AES-CTR with 192-bit key Oct 31 15:24:52.926945: Encrypting 16 octets using AES-CTR with 256-bit key Oct 31 15:24:52.926975: Encrypting 32 octets using AES-CTR with 256-bit key Oct 31 15:24:52.927015: Encrypting 36 octets using AES-CTR with 256-bit key Oct 31 15:24:52.927037: testing AES_CBC: Oct 31 15:24:52.927039: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Oct 31 15:24:52.927058: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Oct 31 15:24:52.927078: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Oct 31 15:24:52.927098: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Oct 31 15:24:52.927122: testing AES_XCBC: Oct 31 15:24:52.927125: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input Oct 31 15:24:52.927211: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input Oct 31 15:24:52.927309: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input Oct 31 15:24:52.927446: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input Oct 31 15:24:52.927584: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input Oct 31 15:24:52.927745: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input Oct 31 15:24:52.927840: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input Oct 31 15:24:52.928023: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) Oct 31 15:24:52.928112: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Oct 31 15:24:52.928197: RFC 4434 Test Case AES-XCBC-PRF-128 
with 20-byte input (key length 18) Oct 31 15:24:52.928427: testing HMAC_MD5: Oct 31 15:24:52.928433: RFC 2104: MD5_HMAC test 1 Oct 31 15:24:52.928579: RFC 2104: MD5_HMAC test 2 Oct 31 15:24:52.928698: RFC 2104: MD5_HMAC test 3 Oct 31 15:24:52.928833: 8 CPU cores online Oct 31 15:24:52.928837: starting up 7 helper threads Oct 31 15:24:52.928880: started thread for helper 0 Oct 31 15:24:52.928890: | starting helper thread 1 Oct 31 15:24:52.928896: seccomp security disabled for crypto helper 1 Oct 31 15:24:52.928904: | status value returned by setting the priority of this helper thread 1: 22 Oct 31 15:24:52.928908: | helper thread 1 has nothing to do Oct 31 15:24:52.928912: started thread for helper 1 Oct 31 15:24:52.928921: | starting helper thread 2 Oct 31 15:24:52.928929: seccomp security disabled for crypto helper 2 Oct 31 15:24:52.928935: | status value returned by setting the priority of this helper thread 2: 22 Oct 31 15:24:52.928939: | helper thread 2 has nothing to do Oct 31 15:24:52.928930: started thread for helper 2 Oct 31 15:24:52.928935: | starting helper thread 3 Oct 31 15:24:52.928954: seccomp security disabled for crypto helper 3 Oct 31 15:24:52.928958: | status value returned by setting the priority of this helper thread 3: 22 Oct 31 15:24:52.928960: | helper thread 3 has nothing to do Oct 31 15:24:52.928967: started thread for helper 3 Oct 31 15:24:52.928972: | starting helper thread 4 Oct 31 15:24:52.928976: seccomp security disabled for crypto helper 4 Oct 31 15:24:52.928979: | status value returned by setting the priority of this helper thread 4: 22 Oct 31 15:24:52.928981: | helper thread 4 has nothing to do Oct 31 15:24:52.928989: started thread for helper 4 Oct 31 15:24:52.928993: | starting helper thread 5 Oct 31 15:24:52.928997: seccomp security disabled for crypto helper 5 Oct 31 15:24:52.929001: | status value returned by setting the priority of this helper thread 5: 22 Oct 31 15:24:52.929003: | helper thread 5 has nothing to do Oct 31 
15:24:52.929011: started thread for helper 5 Oct 31 15:24:52.929015: | starting helper thread 6 Oct 31 15:24:52.929024: seccomp security disabled for crypto helper 6 Oct 31 15:24:52.929027: | status value returned by setting the priority of this helper thread 6: 22 Oct 31 15:24:52.929029: | helper thread 6 has nothing to do Oct 31 15:24:52.929034: started thread for helper 6 Oct 31 15:24:52.929053: Using Linux XFRM/NETKEY IPsec kernel support code on 5.8.15-201.fc32.x86_64 Oct 31 15:24:52.929105: | Hard-wiring algorithms Oct 31 15:24:52.929108: | adding AES_CCM_16 to kernel algorithm db Oct 31 15:24:52.929114: | adding AES_CCM_12 to kernel algorithm db Oct 31 15:24:52.929117: | adding AES_CCM_8 to kernel algorithm db Oct 31 15:24:52.929119: | adding 3DES_CBC to kernel algorithm db Oct 31 15:24:52.929121: | adding CAMELLIA_CBC to kernel algorithm db Oct 31 15:24:52.929123: | adding AES_GCM_16 to kernel algorithm db Oct 31 15:24:52.929125: | adding AES_GCM_12 to kernel algorithm db Oct 31 15:24:52.929127: | adding AES_GCM_8 to kernel algorithm db Oct 31 15:24:52.929129: | adding AES_CTR to kernel algorithm db Oct 31 15:24:52.929131: | adding AES_CBC to kernel algorithm db Oct 31 15:24:52.929133: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Oct 31 15:24:52.929135: | adding NULL to kernel algorithm db Oct 31 15:24:52.929137: | adding CHACHA20_POLY1305 to kernel algorithm db Oct 31 15:24:52.929139: | adding HMAC_MD5_96 to kernel algorithm db Oct 31 15:24:52.929141: | adding HMAC_SHA1_96 to kernel algorithm db Oct 31 15:24:52.929143: | adding HMAC_SHA2_512_256 to kernel algorithm db Oct 31 15:24:52.929145: | adding HMAC_SHA2_384_192 to kernel algorithm db Oct 31 15:24:52.929147: | adding HMAC_SHA2_256_128 to kernel algorithm db Oct 31 15:24:52.929149: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Oct 31 15:24:52.929152: | adding AES_XCBC_96 to kernel algorithm db Oct 31 15:24:52.929153: | adding AES_CMAC_96 to kernel algorithm db Oct 31 15:24:52.929155: | 
adding NONE to kernel algorithm db Oct 31 15:24:52.929215: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Oct 31 15:24:52.929227: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Oct 31 15:24:52.929229: | setup kernel fd callback Oct 31 15:24:52.929232: | add_fd_read_event_handler: newref KERNEL_XRM_FD-pe@0x561a1d270d68 Oct 31 15:24:52.929235: | libevent_malloc: newref ptr-libevent@0x561a1d236378 size 128 Oct 31 15:24:52.929237: | libevent_malloc: newref ptr-libevent@0x561a1d269a78 size 16 Oct 31 15:24:52.929243: | add_fd_read_event_handler: newref KERNEL_ROUTE_FD-pe@0x561a1d272d88 Oct 31 15:24:52.929246: | libevent_malloc: newref ptr-libevent@0x561a1d236428 size 128 Oct 31 15:24:52.929242: | starting helper thread 7 Oct 31 15:24:52.929249: | libevent_malloc: newref ptr-libevent@0x561a1d269438 size 16 Oct 31 15:24:52.929259: seccomp security disabled for crypto helper 7 Oct 31 15:24:52.929269: | status value returned by setting the priority of this helper thread 7: 22 Oct 31 15:24:52.929273: | helper thread 7 has nothing to do Oct 31 15:24:52.929493: | global one-shot timer EVENT_CHECK_CRLS initialized Oct 31 15:24:52.929521: SELinux support is enabled in PERMISSIVE mode. 
Oct 31 15:24:52.929704: | unbound context created - setting debug level to 5 Oct 31 15:24:52.929738: | /etc/hosts lookups activated Oct 31 15:24:52.929756: | /etc/resolv.conf usage activated Oct 31 15:24:52.929819: | outgoing-port-avoid set 0-65535 Oct 31 15:24:52.929850: | outgoing-port-permit set 32768-60999 Oct 31 15:24:52.929853: | loading dnssec root key from:/var/lib/unbound/root.key Oct 31 15:24:52.929856: | no additional dnssec trust anchors defined via dnssec-trusted= option Oct 31 15:24:52.929859: | Setting up events, loop start Oct 31 15:24:52.929862: | add_fd_read_event_handler: newref PLUTO_CTL_FD-pe@0x561a1d276368 Oct 31 15:24:52.929866: | libevent_malloc: newref ptr-libevent@0x561a1d272ea8 size 128 Oct 31 15:24:52.929869: | libevent_malloc: newref ptr-libevent@0x561a1d269e58 size 16 Oct 31 15:24:52.929875: | libevent_realloc: newref ptr-libevent@0x561a1d2763d8 size 256 Oct 31 15:24:52.929878: | libevent_malloc: newref ptr-libevent@0x561a1d269ab8 size 8 Oct 31 15:24:52.929880: | libevent_realloc: newref ptr-libevent@0x561a1d2690f8 size 144 Oct 31 15:24:52.929883: | libevent_malloc: newref ptr-libevent@0x561a1d1c90f8 size 152 Oct 31 15:24:52.929886: | libevent_malloc: newref ptr-libevent@0x561a1d269c68 size 16 Oct 31 15:24:52.929890: | signal event handler PLUTO_SIGCHLD installed Oct 31 15:24:52.929896: | libevent_malloc: newref ptr-libevent@0x561a1d276508 size 8 Oct 31 15:24:52.929899: | libevent_malloc: newref ptr-libevent@0x561a1d1c8918 size 152 Oct 31 15:24:52.929902: | signal event handler PLUTO_SIGTERM installed Oct 31 15:24:52.929904: | libevent_malloc: newref ptr-libevent@0x561a1d276548 size 8 Oct 31 15:24:52.929907: | libevent_malloc: newref ptr-libevent@0x561a1d276588 size 152 Oct 31 15:24:52.929909: | signal event handler PLUTO_SIGHUP installed Oct 31 15:24:52.929912: | libevent_malloc: newref ptr-libevent@0x561a1d276658 size 8 Oct 31 15:24:52.929915: | libevent_realloc: delref ptr-libevent@0x561a1d2690f8 Oct 31 15:24:52.929917: | 
libevent_realloc: newref ptr-libevent@0x561a1d276698 size 256 Oct 31 15:24:52.929920: | libevent_malloc: newref ptr-libevent@0x561a1d2767c8 size 152 Oct 31 15:24:52.929922: | signal event handler PLUTO_SIGSYS installed Oct 31 15:24:52.930345: | created addconn helper (pid:2151608) using fork+execve Oct 31 15:24:52.930365: | forked child 2151608 Oct 31 15:24:52.930379: seccomp security disabled Oct 31 15:24:52.937275: | newref struct fd@0x561a1d276928(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:52.937287: | fd_accept: new fd-fd@0x561a1d276928 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:52.937296: | whack: listen Oct 31 15:24:52.937299: listening for IKE messages Oct 31 15:24:52.942785: | Inspecting interface lo Oct 31 15:24:52.942804: | found lo with address 127.0.0.1 Oct 31 15:24:52.942811: | Inspecting interface eth0 Oct 31 15:24:52.942817: | found eth0 with address 192.0.3.254 Oct 31 15:24:52.942822: | Inspecting interface eth1 Oct 31 15:24:52.942826: | found eth1 with address 192.1.3.33 Oct 31 15:24:52.942836: | newref struct iface_dev@0x561a1d276dc8(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:24:52.942851: Kernel supports NIC esp-hw-offload Oct 31 15:24:52.942863: | iface: marking eth1 add Oct 31 15:24:52.942867: | newref struct iface_dev@0x561a1d276ef8(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:24:52.942870: | iface: marking eth0 add Oct 31 15:24:52.942873: | newref struct iface_dev@0x561a1d276fc8(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:24:52.942877: | iface: marking lo add Oct 31 15:24:52.942925: | no interfaces to sort Oct 31 15:24:52.942944: | MSG_ERRQUEUE enabled on fd 18 Oct 31 15:24:52.942962: | addref ifd@0x561a1d276dc8(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.942968: adding UDP interface eth1 192.1.3.33:500 Oct 31 15:24:52.942982: | MSG_ERRQUEUE enabled on fd 19 Oct 31 15:24:52.942990: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:24:52.942994: | NAT-Traversal: ESPINUDP(2) 
setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:24:52.942997: | addref ifd@0x561a1d276dc8(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.943000: adding UDP interface eth1 192.1.3.33:4500 Oct 31 15:24:52.943012: | MSG_ERRQUEUE enabled on fd 20 Oct 31 15:24:52.943020: | addref ifd@0x561a1d276ef8(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.943023: adding UDP interface eth0 192.0.3.254:500 Oct 31 15:24:52.943036: | MSG_ERRQUEUE enabled on fd 21 Oct 31 15:24:52.943045: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:24:52.943049: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:24:52.943052: | addref ifd@0x561a1d276ef8(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.943057: adding UDP interface eth0 192.0.3.254:4500 Oct 31 15:24:52.943071: | MSG_ERRQUEUE enabled on fd 22 Oct 31 15:24:52.943080: | addref ifd@0x561a1d276fc8(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.943084: adding UDP interface lo 127.0.0.1:500 Oct 31 15:24:52.943096: | MSG_ERRQUEUE enabled on fd 23 Oct 31 15:24:52.943102: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:24:52.943105: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:24:52.943107: | addref ifd@0x561a1d276fc8(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:24:52.943110: adding UDP interface lo 127.0.0.1:4500 Oct 31 15:24:52.943117: | updating interfaces - listing interfaces that are going down Oct 31 15:24:52.943119: | updating interfaces - checking orientation Oct 31 15:24:52.943121: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Oct 31 15:24:52.943142: | libevent_malloc: newref ptr-libevent@0x561a1d272df8 size 128 Oct 31 15:24:52.943146: | libevent_malloc: newref ptr-libevent@0x561a1d277978 size 16 Oct 31 15:24:52.943154: | setup callback for interface lo 127.0.0.1:4500 fd 23 on UDP Oct 31 15:24:52.943158: | libevent_malloc: newref ptr-libevent@0x561a1d236528 size 128 Oct 31 15:24:52.943160: | libevent_malloc: newref ptr-libevent@0x561a1d2779b8 size 16 Oct 31 15:24:52.943165: | setup callback for interface lo 127.0.0.1:500 fd 22 on UDP Oct 31 15:24:52.943169: | libevent_malloc: newref ptr-libevent@0x561a1d22b7e8 size 128 Oct 31 15:24:52.943171: | libevent_malloc: newref ptr-libevent@0x561a1d2779f8 size 16 Oct 31 15:24:52.943185: | setup callback for interface eth0 192.0.3.254:4500 fd 21 on UDP Oct 31 15:24:52.943188: | libevent_malloc: newref ptr-libevent@0x561a1d236628 size 128 Oct 31 15:24:52.943191: | libevent_malloc: newref ptr-libevent@0x561a1d277a38 size 16 Oct 31 15:24:52.943196: | setup callback for interface eth0 192.0.3.254:500 fd 20 on UDP Oct 31 15:24:52.943218: | libevent_malloc: newref ptr-libevent@0x561a1d233048 size 128 Oct 31 15:24:52.943224: | libevent_malloc: newref ptr-libevent@0x561a1d277a78 size 16 Oct 31 15:24:52.943229: | setup callback for interface eth1 192.1.3.33:4500 fd 19 on UDP Oct 31 15:24:52.943233: | libevent_malloc: newref ptr-libevent@0x561a1d232f98 size 128 Oct 31 15:24:52.943236: | libevent_malloc: newref ptr-libevent@0x561a1d277ab8 size 16 Oct 31 15:24:52.943241: | setup callback for interface eth1 192.1.3.33:500 fd 18 on UDP Oct 31 15:24:52.945663: | no stale xfrmi interface 'ipsec1' found Oct 31 15:24:52.945677: | certs and keys locked by 'free_preshared_secrets' Oct 31 15:24:52.945681: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:24:52.945709: loading secrets from "/etc/ipsec.secrets" Oct 31 15:24:52.945749: no secrets filename matched "/etc/ipsec.d/*.secrets" Oct 31 15:24:52.945767: | old food groups: Oct 31 
15:24:52.945770: | new food groups: Oct 31 15:24:52.945776: | delref fd@0x561a1d276928(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:52.945782: | freeref fd-fd@0x561a1d276928 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:52.945789: | spent 0.683 (8.52) milliseconds in whack Oct 31 15:24:52.945806: | newref struct fd@0x561a1d276e98(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:52.945810: | fd_accept: new fd-fd@0x561a1d276e98 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:52.945821: | whack: options (impair|debug) Oct 31 15:24:52.945826: | old debugging base+cpu-usage + none Oct 31 15:24:52.945829: | new debugging = base+cpu-usage Oct 31 15:24:52.945834: | delref fd@0x561a1d276e98(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:52.945841: | freeref fd-fd@0x561a1d276e98 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:52.945847: | spent 0.047 (0.047) milliseconds in whack Oct 31 15:24:52.946437: | processing signal PLUTO_SIGCHLD Oct 31 15:24:52.946456: | waitpid returned pid 2151608 (exited with status 0) Oct 31 15:24:52.946460: | reaped addconn helper child (status 0) Oct 31 15:24:52.946465: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:52.946470: | spent 0.0199 (0.0198) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.302318: | spent 0.00254 (0.00264) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:53.302337: | newref struct msg_digest@0x561a1d277b38(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.302344: | newref alloc logger@0x561a1d26a218(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.302351: | *received 454 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:53.302432: | **parse ISAKMP Message: Oct 31 15:24:53.302438: | initiator SPI: 12 ba 70 b3 26 aa 96 82 Oct 31
15:24:53.302443: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:24:53.302446: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:53.302449: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.302451: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:53.302455: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.302460: | Message ID: 0 (00 00 00 00) Oct 31 15:24:53.302464: | length: 454 (00 00 01 c6) Oct 31 15:24:53.302468: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31 15:24:53.302472: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Oct 31 15:24:53.302475: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Oct 31 15:24:53.302479: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:53.302483: | ***parse IKEv2 Security Association Payload: Oct 31 15:24:53.302486: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:53.302489: | flags: none (0x0) Oct 31 15:24:53.302492: | length: 48 (00 30) Oct 31 15:24:53.302495: | processing payload: ISAKMP_NEXT_v2SA (len=44) Oct 31 15:24:53.302498: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:53.302502: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:24:53.302504: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:53.302507: | flags: none (0x0) Oct 31 15:24:53.302511: | length: 264 (01 08) Oct 31 15:24:53.302514: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:53.302517: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:24:53.302520: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:53.302523: | ***parse IKEv2 Nonce Payload: Oct 31 15:24:53.302526: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.302532: | flags: none (0x0) Oct 31 15:24:53.302536: | length: 36 (00 24) Oct 31 15:24:53.302539: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:53.302542: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 
15:24:53.302545: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.302548: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.302553: | flags: none (0x0) Oct 31 15:24:53.302556: | length: 8 (00 08) Oct 31 15:24:53.302559: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.302563: | SPI size: 0 (00) Oct 31 15:24:53.302566: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:53.302568: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:24:53.302571: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.302575: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.302578: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.302581: | flags: none (0x0) Oct 31 15:24:53.302584: | length: 14 (00 0e) Oct 31 15:24:53.302587: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.302593: | SPI size: 0 (00) Oct 31 15:24:53.302596: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:53.302601: | processing payload: ISAKMP_NEXT_v2N (len=6) Oct 31 15:24:53.302604: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.302607: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.302609: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.302612: | flags: none (0x0) Oct 31 15:24:53.302615: | length: 28 (00 1c) Oct 31 15:24:53.302618: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.302621: | SPI size: 0 (00) Oct 31 15:24:53.302624: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:53.302627: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:53.302629: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.302632: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.302635: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.302638: | flags: none (0x0) Oct 31 15:24:53.302641: | length: 28 (00 1c) Oct 31 15:24:53.302644: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.302647: | SPI size: 0 (00) Oct 31 
15:24:53.302650: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:53.302652: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:53.302656: | DDOS disabled and no cookie sent, continuing Oct 31 15:24:53.302664: | looking for message matching transition from STATE_PARENT_R0 Oct 31 15:24:53.302667: | trying Respond to IKE_SA_INIT Oct 31 15:24:53.302670: | matched unencrypted message Oct 31 15:24:53.302677: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302681: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:24:53.302683: | find_next_host_connection returns Oct 31 15:24:53.302688: | find_host_connection local=192.1.3.33:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302691: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:24:53.302694: | find_next_host_connection returns Oct 31 15:24:53.302698: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.3.33:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Oct 31 15:24:53.302705: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302708: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:24:53.302710: | find_next_host_connection returns Oct 31 15:24:53.302715: | find_host_connection local=192.1.3.33:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302718: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:24:53.302720: | find_next_host_connection returns Oct 31 15:24:53.302724: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.3.33:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Oct 31 15:24:53.302733: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=PSK+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302736: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 
15:24:53.302739: | find_next_host_connection returns Oct 31 15:24:53.302743: | find_host_connection local=192.1.3.33:500 remote= policy=PSK+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302746: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:24:53.302749: | find_next_host_connection returns Oct 31 15:24:53.302753: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.3.33:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW Oct 31 15:24:53.302759: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=AUTHNULL+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302762: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW Oct 31 15:24:53.302764: | find_next_host_connection returns Oct 31 15:24:53.302769: | find_host_connection local=192.1.3.33:500 remote= policy=AUTHNULL+IKEV2_ALLOW but ignoring ports Oct 31 15:24:53.302772: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW Oct 31 15:24:53.302774: | find_next_host_connection returns Oct 31 15:24:53.302779: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.3.33:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW Oct 31 15:24:53.302785: packet from 192.1.2.23:500: ISAKMP_v2_IKE_SA_INIT message received on 192.1.3.33:500 but no suitable connection found with IKEv2 policy Oct 31 15:24:53.302791: packet from 192.1.2.23:500: responding to IKE_SA_INIT (34) message (Message ID 0) with unencrypted notification NO_PROPOSAL_CHOSEN Oct 31 15:24:53.302794: | opening output PBS unencrypted notification Oct 31 15:24:53.302798: | **emit ISAKMP Message: Oct 31 15:24:53.302803: | initiator SPI: 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:53.302808: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:24:53.302810: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:53.302813: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.302816: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:53.302819: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE 
(0x20) Oct 31 15:24:53.302823: | Message ID: 0 (00 00 00 00) Oct 31 15:24:53.302826: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:53.302830: | adding a v2N Payload Oct 31 15:24:53.302833: | ***emit IKEv2 Notify Payload: Oct 31 15:24:53.302836: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.302838: | flags: none (0x0) Oct 31 15:24:53.302841: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.302844: | SPI size: 0 (00) Oct 31 15:24:53.302847: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe) Oct 31 15:24:53.302850: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:53.302853: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'unencrypted notification' Oct 31 15:24:53.302856: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:24:53.302859: | emitting length of ISAKMP Message: 36 Oct 31 15:24:53.302869: | sending 36 bytes for v2 notify through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #0) Oct 31 15:24:53.302872: | 12 ba 70 b3 26 aa 96 82 00 00 00 00 00 00 00 00 Oct 31 15:24:53.302874: | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08 Oct 31 15:24:53.302877: | 00 00 00 0e Oct 31 15:24:53.302915: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:53.302920: | delref mdp@0x561a1d277b38(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.302924: | delref logger@0x561a1d26a218(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.302927: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.302930: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.302940: | spent 0.614 (0.635) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:53.342701: | newref struct fd@0x561a1d276b68(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.342716: | fd_accept: new 
fd-fd@0x561a1d276b68 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.342730: | whack: delete 'north-eastnets/0x1' Oct 31 15:24:53.342733: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.342736: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:24:53.342738: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.342741: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:24:53.342743: | whack: connection 'north-eastnets/0x1' Oct 31 15:24:53.342747: | addref fd@0x561a1d276b68(1->2) (in string_logger() at log.c:838) Oct 31 15:24:53.342753: | newref string logger@0x561a1d26a218(0->1) (in add_connection() at connections.c:1998) Oct 31 15:24:53.342757: | Connection DB: adding connection "north-eastnets/0x1" $1 Oct 31 15:24:53.342763: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.342773: | added new connection north-eastnets/0x1 with policy RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:24:53.342812: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Oct 31 15:24:53.342815: | from whack: got --esp=aes128-sha2_512;modp3072 Oct 31 15:24:53.342840: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Oct 31 15:24:53.342937: | computed rsa CKAID Oct 31 15:24:53.342943: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.342946: | 88 aa 7c 5d Oct 31 15:24:53.343002: | keyid: *AQPl33O2P Oct 31 15:24:53.343008: | size: 274 Oct 31 15:24:53.343011: | n
Oct 31 15:24:53.343055: | e Oct 31 15:24:53.343057: | 03 Oct 31 15:24:53.343060: | CKAID Oct 31 15:24:53.343062: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.343064: | 88 aa 7c 5d Oct 31 15:24:53.343073: | saving left CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d extracted from raw RSA public key Oct 31 15:24:53.343515: | loaded private key matching CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d Oct 31 15:24:53.343841: | copying key using reference slot Oct 31 15:24:53.348155: | certs and keys locked by 'lsw_add_rsa_secret' Oct 31 15:24:53.348169: | certs and keys unlocked by 'lsw_add_rsa_secret' Oct 31 15:24:53.348182: | spent 2.81 (5.1) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.348191: connection "north-eastnets/0x1": loaded private key matching left CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d Oct 31 15:24:53.348195: | counting wild cards for @north is 0 Oct 31 15:24:53.348235: | computed rsa CKAID Oct 31 15:24:53.348241: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.348243: | 8a 82 25 f1 Oct 31 15:24:53.348249: | keyid: *AQO9bJbr3 Oct 31 15:24:53.348252: | size: 274 Oct 31
15:24:53.348254: | n Oct 31 15:24:53.348299: | e Oct 31 15:24:53.348302: | 03 Oct 31 15:24:53.348304: | CKAID Oct 31 15:24:53.348306: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.348309: | 8a 82 25 f1 Oct 31 15:24:53.348316: | saving right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 extracted from raw RSA public key Oct 31 15:24:53.348321: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.348407: | spent 0.084 (0.0838) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.348416: | no private key matching right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1: can't find the private key matching the NSS CKAID Oct 31 15:24:53.348420: |
counting wild cards for @east is 0 Oct 31 15:24:53.348424: | updating connection from left.host_addr Oct 31 15:24:53.348429: | right host_nexthop 192.1.3.33 Oct 31 15:24:53.348432: | left host_port 500 Oct 31 15:24:53.348435: | updating connection from right.host_addr Oct 31 15:24:53.348438: | left host_nexthop 192.1.2.23 Oct 31 15:24:53.348441: | right host_port 500 Oct 31 15:24:53.348447: | orienting north-eastnets/0x1 Oct 31 15:24:53.348453: | north-eastnets/0x1 doesn't match 127.0.0.1:4500 at all Oct 31 15:24:53.348457: | north-eastnets/0x1 doesn't match 127.0.0.1:500 at all Oct 31 15:24:53.348462: | north-eastnets/0x1 doesn't match 192.0.3.254:4500 at all Oct 31 15:24:53.348466: | north-eastnets/0x1 doesn't match 192.0.3.254:500 at all Oct 31 15:24:53.348470: | north-eastnets/0x1 doesn't match 192.1.3.33:4500 at all Oct 31 15:24:53.348472: | oriented north-eastnets/0x1's this Oct 31 15:24:53.348479: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@(nil): none Oct 31 15:24:53.348491: | newref hp@0x561a1d27d728(0->1) (in connect_to_host_pair() at hostpair.c:290) Oct 31 15:24:53.348495: added IKEv2 connection "north-eastnets/0x1" Oct 31 15:24:53.348824: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:24:53.348841: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24 Oct 31 15:24:53.348845: | delref logger@0x561a1d26a218(1->0) (in add_connection() at connections.c:2026) Oct 31 15:24:53.348849: | delref fd@0x561a1d276b68(2->1) (in free_logger() at log.c:853) Oct 31 15:24:53.348852: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.348861: | delref fd@0x561a1d276b68(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.348869: | freeref fd-fd@0x561a1d276b68 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.348874: | spent 
3.49 (6.18) milliseconds in whack Oct 31 15:24:53.348952: | newref struct fd@0x561a1d278788(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.348957: | fd_accept: new fd-fd@0x561a1d278788 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.348974: | whack: key Oct 31 15:24:53.348978: add keyid @north Oct 31 15:24:53.349030: | computed rsa CKAID Oct 31 15:24:53.349033: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.349035: | 88 aa 7c 5d Oct 31 15:24:53.349040: | keyid: *AQPl33O2P Oct 31 15:24:53.349042: | size: 274 Oct 31 15:24:53.349044: | n
Oct 31 15:24:53.349085: | e Oct 31 15:24:53.349087: | 03 Oct 31 15:24:53.349089: | CKAID Oct 31 15:24:53.349092: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.349094: | 88 aa 7c 5d Oct 31 15:24:53.349098: | newref struct pubkey@0x561a1d27d878(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:24:53.349101: | addref pk@0x561a1d27d878(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:24:53.349104: | delref pkp@0x561a1d27d878(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:24:53.349111: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.349114: | matched Oct 31 15:24:53.349116: | secrets entry for ckaid already exists Oct 31 15:24:53.349121: | spent 0.00835 (0.00813) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.349125: | delref
fd@0x561a1d278788(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.349130: | freeref fd-fd@0x561a1d278788 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.349134: | spent 0.181 (0.187) milliseconds in whack Oct 31 15:24:53.349465: | newref struct fd@0x561a1d26a218(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.349473: | fd_accept: new fd-fd@0x561a1d26a218 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.349487: | whack: key Oct 31 15:24:53.349491: add keyid @east Oct 31 15:24:53.349599: | computed rsa CKAID Oct 31 15:24:53.349605: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.349607: | 8a 82 25 f1 Oct 31 15:24:53.349613: |
keyid: *AQO9bJbr3 Oct 31 15:24:53.349615: | size: 274 Oct 31 15:24:53.349618: | n Oct 31 15:24:53.349664: | e Oct 31 15:24:53.349667: | 03 Oct 31 15:24:53.349669: | CKAID Oct 31 15:24:53.349672: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.349680: | 8a 82 25 f1 Oct 31 15:24:53.349684: | newref struct pubkey@0x561a1d27c9b8(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:24:53.349688: | addref pk@0x561a1d27c9b8(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:24:53.349691: | delref pkp@0x561a1d27c9b8(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:24:53.349695: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.349757: | spent 0.0604 (0.0603) milliseconds in
preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.349761: | no private key: can't find the private key matching the NSS CKAID Oct 31 15:24:53.349766: | delref fd@0x561a1d26a218(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.349771: | freeref fd-fd@0x561a1d26a218 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.349776: | spent 0.261 (0.316) milliseconds in whack Oct 31 15:24:53.349823: | newref struct fd@0x561a1d27da48(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.349828: | fd_accept: new fd-fd@0x561a1d27da48 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.349842: | whack: delete 'north-eastnets/0x2' Oct 31 15:24:53.349845: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.349848: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:24:53.349851: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.349853: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:24:53.349856: | whack: connection 'north-eastnets/0x2' Oct 31 15:24:53.349859: | addref fd@0x561a1d27da48(1->2) (in string_logger() at log.c:838) Oct 31 15:24:53.349863: | newref string logger@0x561a1d276c98(0->1) (in add_connection() at connections.c:1998) Oct 31 15:24:53.349866: | Connection DB: adding connection "north-eastnets/0x2" $2 Oct 31 15:24:53.349872: | FOR_EACH_CONNECTION_... 
in conn_by_name Oct 31 15:24:53.349879: | added new connection north-eastnets/0x2 with policy RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:24:53.349908: | ike (phase1) algorithm values: AES_CBC_256-HMAC_SHA2_256-MODP2048 Oct 31 15:24:53.349911: | from whack: got --esp=aes128-sha2_512;modp3072 Oct 31 15:24:53.349930: | ESP/AH string values: AES_CBC_128-HMAC_SHA2_512_256-MODP3072 Oct 31 15:24:53.349948: | computed rsa CKAID Oct 31 15:24:53.349951: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.349953: | 88 aa 7c 5d Oct 31 15:24:53.349959: | keyid: *AQPl33O2P Oct 31 15:24:53.349961: | size: 274 Oct 31 15:24:53.349963: | n Oct 31
15:24:53.350004: | e Oct 31 15:24:53.350006: | 03 Oct 31 15:24:53.350008: | CKAID Oct 31 15:24:53.350010: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.350014: | 88 aa 7c 5d Oct 31 15:24:53.350021: | saving left CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d extracted from raw RSA public key Oct 31 15:24:53.350025: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.350027: | matched Oct 31 15:24:53.350029: | secrets entry for ckaid already exists Oct 31 15:24:53.350034: | spent 0.00776 (0.00757) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.350037: | counting wild cards for @north is 0 Oct 31 15:24:53.350053: | computed rsa CKAID Oct 31 15:24:53.350056: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.350059: | 8a 82 25 f1 Oct 31 15:24:53.350064: | keyid: *AQO9bJbr3 Oct 31 15:24:53.350066: | size: 274 Oct 31 15:24:53.350068: | n Oct 31 15:24:53.350070: | bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b e5 16 Oct 31 15:24:53.350072: | c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 85 7a Oct 31 15:24:53.350074: | e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c 78 ca Oct 31 15:24:53.350076: | 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 21 c9 Oct 31 15:24:53.350079: | f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d d2 67 Oct 31 15:24:53.350081: | 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 62 cd Oct 31 15:24:53.350084: | 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce 62 b5 Oct 31 15:24:53.350086: | af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e bb 23 Oct 31 15:24:53.350088: | 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d ac 47 Oct 31 15:24:53.350090: | f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce e0 98 Oct 31 15:24:53.350092: | 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a 92 b8 Oct 31 15:24:53.350094: | 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 4d 58 Oct 31 15:24:53.350097: | 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 5f 56 Oct 31 15:24:53.350099: | 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 d5 f1 Oct 31 15:24:53.350101: | 55 f2 2d a2 
26 a6 36 53 2f 94 fb 99 22 5c 47 cc Oct 31 15:24:53.350103: | 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 07 8f Oct 31 15:24:53.350105: | 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 51 51 Oct 31 15:24:53.350107: | 48 ef Oct 31 15:24:53.350109: | e Oct 31 15:24:53.350111: | 03 Oct 31 15:24:53.350113: | CKAID Oct 31 15:24:53.350116: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.350118: | 8a 82 25 f1 Oct 31 15:24:53.350124: | saving right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 extracted from raw RSA public key Oct 31 15:24:53.350127: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.350172: | spent 0.0432 (0.0432) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.350180: | no private key matching right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1: can't find the private key matching the NSS CKAID Oct 31 15:24:53.350183: | counting wild cards for @east is 0 Oct 31 15:24:53.350186: | updating connection from left.host_addr Oct 31 15:24:53.350190: | right host_nexthop 192.1.3.33 Oct 31 15:24:53.350193: | left host_port 500 Oct 31 15:24:53.350195: | updating connection from right.host_addr Oct 31 15:24:53.350203: | left host_nexthop 192.1.2.23 Oct 31 15:24:53.350208: | right host_port 500 Oct 31 15:24:53.350211: | orienting north-eastnets/0x2 Oct 31 15:24:53.350216: | north-eastnets/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:24:53.350219: | north-eastnets/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:24:53.350223: | north-eastnets/0x2 doesn't match 192.0.3.254:4500 at all Oct 31 15:24:53.350227: | north-eastnets/0x2 doesn't match 192.0.3.254:500 at all Oct 31 15:24:53.350230: | north-eastnets/0x2 doesn't match 192.1.3.33:4500 at all Oct 31 15:24:53.350233: | oriented north-eastnets/0x2's this Oct 31 15:24:53.350239: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Oct 31 15:24:53.350244: | connect_to_host_pair: 192.1.3.33:500 192.1.2.23:500 -> hp@0x561a1d27d728: 
north-eastnets/0x1 Oct 31 15:24:53.350247: added IKEv2 connection "north-eastnets/0x2" Oct 31 15:24:53.350255: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:24:53.350267: | 192.0.3.0/24===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.22.0/24 Oct 31 15:24:53.350270: | delref logger@0x561a1d276c98(1->0) (in add_connection() at connections.c:2026) Oct 31 15:24:53.350273: | delref fd@0x561a1d27da48(2->1) (in free_logger() at log.c:853) Oct 31 15:24:53.350276: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.350280: | delref fd@0x561a1d27da48(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350285: | freeref fd-fd@0x561a1d27da48 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350290: | spent 0.463 (0.47) milliseconds in whack Oct 31 15:24:53.350349: | newref struct fd@0x561a1d27cce8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.350353: | fd_accept: new fd-fd@0x561a1d27cce8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.350366: | whack: key Oct 31 15:24:53.350370: | delref pkp@0x561a1d27d878(1->0) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:24:53.350374: add keyid @north Oct 31 15:24:53.350376: | 01 03 e5 df 73 b6 3e d5 36 a8 f1 3d 0d d3 02 ab Oct 31 15:24:53.350378: | 7f ec 4c 9e 8b 0e 0e d2 cf 0f 59 bf 6d 88 21 86 Oct 31 15:24:53.350380: | 93 9e 10 34 af 2d cf b3 7e eb e5 b2 24 b2 a5 b0 Oct 31 15:24:53.350383: | 01 03 7d b5 96 ad 66 ee 48 c2 28 d9 9a 76 36 a9 Oct 31 15:24:53.350385: | 10 84 b5 09 8f 17 4f 65 ce d8 2f 8e 78 80 8a 87 Oct 31 15:24:53.350387: | f4 6b 98 d9 91 94 6b 52 15 5b 9c 47 12 be d8 6f Oct 31 15:24:53.350389: | 25 b4 65 38 7e e4 8d c7 f0 58 d3 9f 69 14 cc 3e Oct 31 15:24:53.350391: | c8 16 1f af bb 5d 93 2b 33 39 0e 94 55 81 f4 b3 Oct 31 15:24:53.350393: | cc 92 58 6e 4a 5a 4e c3 76 ab 
04 2e 11 08 06 55 Oct 31 15:24:53.350395: | 13 0f 02 6c dd d1 bc c0 b8 8d 65 f5 97 ed fc 18 Oct 31 15:24:53.350397: | 39 f9 55 ab fa 0d c5 49 99 7f 1b cf c3 de 99 7d Oct 31 15:24:53.350399: | 9e ca 6f 9e 14 d6 5a ff de d6 4f 57 6a 83 ab 51 Oct 31 15:24:53.350402: | ba 64 74 e0 22 e9 9a c5 10 71 bb d4 eb a4 99 28 Oct 31 15:24:53.350404: | 9c 85 0e 31 ea cc ab ef 98 84 3f 59 c1 75 aa b3 Oct 31 15:24:53.350406: | 61 eb 61 8c 58 a5 92 25 84 ad c7 79 f3 87 d0 c7 Oct 31 15:24:53.350408: | 83 c2 d6 8a fe 26 9d 2a ff b1 dd 9b 89 21 7c ca Oct 31 15:24:53.350410: | f5 38 2d 3f 64 0c 41 9c 34 e9 b2 55 0f 82 1a b3 Oct 31 15:24:53.350412: | c7 5e a5 99 Oct 31 15:24:53.350420: | computed rsa CKAID Oct 31 15:24:53.350423: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.350425: | 88 aa 7c 5d Oct 31 15:24:53.350430: | keyid: *AQPl33O2P Oct 31 15:24:53.350432: | size: 274 Oct 31 15:24:53.350434: | n Oct 31 15:24:53.350437: | e5 df 73 b6 3e d5 36 a8 f1 3d 0d d3 02 ab 7f ec Oct 31 15:24:53.350439: | 4c 9e 8b 0e 0e d2 cf 0f 59 bf 6d 88 21 86 93 9e Oct 31 15:24:53.350441: | 10 34 af 2d cf b3 7e eb e5 b2 24 b2 a5 b0 01 03 Oct 31 15:24:53.350443: | 7d b5 96 ad 66 ee 48 c2 28 d9 9a 76 36 a9 10 84 Oct 31 15:24:53.350445: | b5 09 8f 17 4f 65 ce d8 2f 8e 78 80 8a 87 f4 6b Oct 31 15:24:53.350447: | 98 d9 91 94 6b 52 15 5b 9c 47 12 be d8 6f 25 b4 Oct 31 15:24:53.350449: | 65 38 7e e4 8d c7 f0 58 d3 9f 69 14 cc 3e c8 16 Oct 31 15:24:53.350452: | 1f af bb 5d 93 2b 33 39 0e 94 55 81 f4 b3 cc 92 Oct 31 15:24:53.350454: | 58 6e 4a 5a 4e c3 76 ab 04 2e 11 08 06 55 13 0f Oct 31 15:24:53.350456: | 02 6c dd d1 bc c0 b8 8d 65 f5 97 ed fc 18 39 f9 Oct 31 15:24:53.350458: | 55 ab fa 0d c5 49 99 7f 1b cf c3 de 99 7d 9e ca Oct 31 15:24:53.350460: | 6f 9e 14 d6 5a ff de d6 4f 57 6a 83 ab 51 ba 64 Oct 31 15:24:53.350462: | 74 e0 22 e9 9a c5 10 71 bb d4 eb a4 99 28 9c 85 Oct 31 15:24:53.350464: | 0e 31 ea cc ab ef 98 84 3f 59 c1 75 aa b3 61 eb Oct 31 15:24:53.350467: | 61 8c 58 a5 92 25 84 ad 
c7 79 f3 87 d0 c7 83 c2 Oct 31 15:24:53.350469: | d6 8a fe 26 9d 2a ff b1 dd 9b 89 21 7c ca f5 38 Oct 31 15:24:53.350473: | 2d 3f 64 0c 41 9c 34 e9 b2 55 0f 82 1a b3 c7 5e Oct 31 15:24:53.350475: | a5 99 Oct 31 15:24:53.350477: | e Oct 31 15:24:53.350479: | 03 Oct 31 15:24:53.350481: | CKAID Oct 31 15:24:53.350484: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:24:53.350486: | 88 aa 7c 5d Oct 31 15:24:53.350489: | newref struct pubkey@0x561a1d278d88(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:24:53.350495: | addref pk@0x561a1d278d88(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:24:53.350497: | delref pkp@0x561a1d278d88(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:24:53.350504: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.350506: | matched Oct 31 15:24:53.350508: | secrets entry for ckaid already exists Oct 31 15:24:53.350512: | spent 0.00724 (0.00712) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.350516: | delref fd@0x561a1d27cce8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350521: | freeref fd-fd@0x561a1d27cce8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350525: | spent 0.176 (0.18) milliseconds in whack Oct 31 15:24:53.350576: | newref struct fd@0x561a1d276c98(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.350584: | fd_accept: new fd-fd@0x561a1d276c98 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.350596: | whack: key Oct 31 15:24:53.350601: | delref pkp@0x561a1d27c9b8(1->0) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:24:53.350605: add keyid @east Oct 31 15:24:53.350607: | 01 03 bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b Oct 31 15:24:53.350610: | e5 16 c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 Oct 31 15:24:53.350612: | 85 7a e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c Oct 31 15:24:53.350614: | 78 ca 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 Oct 31 15:24:53.350616: | 21 c9 f0 0d c5 44 ba f3 48 
64 61 58 f6 0f 63 0d Oct 31 15:24:53.350618: | d2 67 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 Oct 31 15:24:53.350620: | 62 cd 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce Oct 31 15:24:53.350622: | 62 b5 af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e Oct 31 15:24:53.350624: | bb 23 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d Oct 31 15:24:53.350626: | ac 47 f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce Oct 31 15:24:53.350629: | e0 98 2b 43 f4 c7 59 1a 64 01 83 ea 4e e3 1a 2a Oct 31 15:24:53.350631: | 92 b8 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 Oct 31 15:24:53.350633: | 4d 58 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 Oct 31 15:24:53.350635: | 5f 56 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 Oct 31 15:24:53.350638: | d5 f1 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c Oct 31 15:24:53.350639: | 47 cc 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 Oct 31 15:24:53.350642: | 07 8f 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 Oct 31 15:24:53.350644: | 51 51 48 ef Oct 31 15:24:53.350655: | computed rsa CKAID Oct 31 15:24:53.350658: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.350661: | 8a 82 25 f1 Oct 31 15:24:53.350667: | keyid: *AQO9bJbr3 Oct 31 15:24:53.350669: | size: 274 Oct 31 15:24:53.350672: | n Oct 31 15:24:53.350674: | bd 6c 96 eb df 78 89 b3 ed 77 0d a1 7f 7b e5 16 Oct 31 15:24:53.350676: | c2 c9 e4 7d 92 0a 90 9d 55 43 b4 62 13 03 85 7a Oct 31 15:24:53.350678: | e0 26 7b 54 1f ca 09 93 cf ff 25 c9 02 4c 78 ca Oct 31 15:24:53.350681: | 94 e5 3e ac d1 f9 a8 e5 bb 7f cc 20 84 e0 21 c9 Oct 31 15:24:53.350683: | f0 0d c5 44 ba f3 48 64 61 58 f6 0f 63 0d d2 67 Oct 31 15:24:53.350685: | 1e 59 8b ec f3 50 39 71 fb 39 da 11 64 b6 62 cd Oct 31 15:24:53.350687: | 5f d3 8d 2e c1 50 ed 9c 6e 22 0c 39 a7 ce 62 b5 Oct 31 15:24:53.350689: | af 8a 80 0f 2e 4c 05 5c 82 c7 8d 29 02 2e bb 23 Oct 31 15:24:53.350692: | 5f db f2 9e b5 7d e2 20 70 1a 63 f3 8e 5d ac 47 Oct 31 15:24:53.350694: | f0 5c 26 4e b1 d0 42 60 52 4a b0 77 25 ce e0 98 Oct 31 15:24:53.350696: | 2b 43 f4 c7 59 1a 64 
01 83 ea 4e e3 1a 2a 92 b8 Oct 31 15:24:53.350701: | 55 ab 63 dd 4b 70 47 29 dc e9 b4 60 bf 43 4d 58 Oct 31 15:24:53.350704: | 8f 64 73 95 70 ac 35 89 b2 c2 9c d4 62 c0 5f 56 Oct 31 15:24:53.350706: | 5f ad 1b e5 dd 49 93 6a f5 23 82 ed d4 e7 d5 f1 Oct 31 15:24:53.350708: | 55 f2 2d a2 26 a6 36 53 2f 94 fb 99 22 5c 47 cc Oct 31 15:24:53.350710: | 6d 80 30 88 96 38 0c f5 f2 ed 37 d0 09 d5 07 8f Oct 31 15:24:53.350712: | 69 ef a9 99 ce 4d 1a 77 9e 39 c4 38 f3 c5 51 51 Oct 31 15:24:53.350715: | 48 ef Oct 31 15:24:53.350717: | e Oct 31 15:24:53.350719: | 03 Oct 31 15:24:53.350721: | CKAID Oct 31 15:24:53.350723: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:24:53.350726: | 8a 82 25 f1 Oct 31 15:24:53.350729: | newref struct pubkey@0x561a1d278ed8(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:24:53.350733: | addref pk@0x561a1d278ed8(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:24:53.350737: | delref pkp@0x561a1d278ed8(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:24:53.350741: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.350801: | spent 0.0578 (0.0577) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:24:53.350806: | no private key: can't find the private key matching the NSS CKAID Oct 31 15:24:53.350810: | delref fd@0x561a1d276c98(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350817: | freeref fd-fd@0x561a1d276c98 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.350822: | spent 0.254 (0.253) milliseconds in whack Oct 31 15:24:53.360846: | newref struct fd@0x561a1d277b38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.360869: | fd_accept: new fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.360883: | whack: initiate Oct 31 15:24:53.360887: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:53.360891: initiating all conns with alias='north-eastnets' Oct 31 15:24:53.360902: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Oct 31 15:24:53.360908: | connection 'north-eastnets/0x2' +POLICY_UP Oct 31 15:24:53.360911: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:53.360929: | newref alloc logger@0x561a1d27cb88(0->1) (in new_state() at state.c:576) Oct 31 15:24:53.360933: | addref fd@0x561a1d277b38(1->2) (in new_state() at state.c:577) Oct 31 15:24:53.360936: | creating state object #1 at 0x561a1d27dd38 Oct 31 15:24:53.360938: | State DB: adding IKEv2 state #1 in UNDEFINED Oct 31 15:24:53.360949: | pstats #1 ikev2.ike started Oct 31 15:24:53.360953: | parent state #1: UNDEFINED(ignore) => PARENT_I0(ignore) Oct 31 15:24:53.360957: | #1.st_v2_transition NULL -> PARENT_I0->PARENT_I1 (in new_v2_ike_state() at state.c:620) Oct 31 15:24:53.360966: | Message ID: IKE #1 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744567.793756 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744567.793756 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:24:53.360971: | orienting north-eastnets/0x2 Oct 31 15:24:53.360976: | north-eastnets/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:24:53.360979: | north-eastnets/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:24:53.360982: | north-eastnets/0x2 doesn't match 192.0.3.254:4500 at all Oct 31 15:24:53.360985: | north-eastnets/0x2 doesn't match 192.0.3.254:500 at all Oct 31 15:24:53.360988: | north-eastnets/0x2 doesn't match 192.1.3.33:4500 at all Oct 31 15:24:53.360990: | oriented north-eastnets/0x2's this Oct 31 15:24:53.360997: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:544) Oct 31 15:24:53.361001: | addref fd@0x561a1d277b38(2->3) (in add_pending() at pending.c:86) Oct 31 15:24:53.361005: | queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #1 "north-eastnets/0x2" Oct 31 15:24:53.361008: "north-eastnets/0x2" #1: initiating IKEv2 
connection Oct 31 15:24:53.361013: | constructing local IKE proposals for north-eastnets/0x2 (IKE SA initiator selecting KE) Oct 31 15:24:53.361024: | converting ike_info AES_CBC_256-HMAC_SHA2_256-MODP2048 to ikev2 ... Oct 31 15:24:53.361035: | ... ikev2_proposal: 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:53.361038: "north-eastnets/0x2": local IKE proposals (IKE SA initiator selecting KE): Oct 31 15:24:53.361042: "north-eastnets/0x2": 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:53.361047: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:53.361050: | addref fd@0x561a1d277b38(3->4) (in clone_logger() at log.c:810) Oct 31 15:24:53.361052: | newref clone logger@0x561a1d269e98(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:53.361055: | job 1 for #1: ikev2_outI1 KE (build KE and nonce): adding job to queue Oct 31 15:24:53.361058: | state #1 has no .st_event to delete Oct 31 15:24:53.361060: | #1 STATE_PARENT_I0: retransmits: cleared Oct 31 15:24:53.361064: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d277c48 Oct 31 15:24:53.361066: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:24:53.361137: | libevent_malloc: newref ptr-libevent@0x561a1d27ac38 size 128 Oct 31 15:24:53.361158: | #1 spent 0.188 (0.246) milliseconds in ikev2_parent_outI1() Oct 31 15:24:53.361163: | job 1 for #1: ikev2_outI1 KE (build KE and nonce): helper 1 starting job Oct 31 15:24:53.361164: | RESET processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:640) Oct 31 15:24:53.361176: | connection 'north-eastnets/0x1' +POLICY_UP Oct 31 15:24:53.361179: | FOR_EACH_STATE_... 
in find_phase1_state Oct 31 15:24:53.361184: | addref fd@0x561a1d277b38(4->5) (in add_pending() at pending.c:86) Oct 31 15:24:53.361189: "north-eastnets/0x1": queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #1 "north-eastnets/0x2" Oct 31 15:24:53.361197: | delref fd@0x561a1d277b38(5->4) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.361214: | spent 0.306 (0.379) milliseconds in whack Oct 31 15:24:53.362777: | "north-eastnets/0x2" #1: spent 1.4 (1.61) milliseconds in helper 1 processing job 1 for state #1: ikev2_outI1 KE (pcr) Oct 31 15:24:53.362791: | job 1 for #1: ikev2_outI1 KE (build KE and nonce): helper thread 1 sending result back to state Oct 31 15:24:53.362796: | scheduling resume sending helper answer back to state for #1 Oct 31 15:24:53.362799: | libevent_malloc: newref ptr-libevent@0x7f705c006108 size 128 Oct 31 15:24:53.362809: | helper thread 1 has nothing to do Oct 31 15:24:53.362824: | processing resume sending helper answer back to state for #1 Oct 31 15:24:53.362836: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:53.362842: | unsuspending #1 MD (nil) Oct 31 15:24:53.362845: | job 1 for #1: ikev2_outI1 KE (build KE and nonce): processing response from helper 1 Oct 31 15:24:53.362848: | job 1 for #1: ikev2_outI1 KE (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:53.362851: | ikev2_parent_outI1_continue() for #1 STATE_PARENT_I0 Oct 31 15:24:53.362855: | DH secret MODP2048@0x7f705c006ba8: transferring ownership from helper KE to state #1 Oct 31 15:24:53.362888: | opening output PBS reply packet Oct 31 15:24:53.362891: | **emit ISAKMP Message: Oct 31 15:24:53.362896: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.362901: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:24:53.362903: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:53.362906: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) 
(0x20) Oct 31 15:24:53.362909: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:53.362912: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.362915: | Message ID: 0 (00 00 00 00) Oct 31 15:24:53.362918: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:53.362926: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:53.362931: | Emitting ikev2_proposals ... Oct 31 15:24:53.362934: | ***emit IKEv2 Security Association Payload: Oct 31 15:24:53.362936: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.362939: | flags: none (0x0) Oct 31 15:24:53.362941: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:53.362944: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.362948: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.362950: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.362953: | prop #: 1 (01) Oct 31 15:24:53.362955: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:53.362958: | spi size: 0 (00) Oct 31 15:24:53.362960: | # transforms: 4 (04) Oct 31 15:24:53.362963: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:53.362966: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.362968: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.362970: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.362972: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.362975: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.362977: | ******emit IKEv2 
Attribute Substructure Payload: Oct 31 15:24:53.362980: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.362983: | length/value: 256 (01 00) Oct 31 15:24:53.362986: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:53.362988: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.363170: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.363174: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:53.363177: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:53.363256: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.363563: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.363568: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.363571: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.363572: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.363574: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.363575: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:53.363577: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.363579: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.363580: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.363582: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.363583: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:53.363585: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:53.363586: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 
(0xe) Oct 31 15:24:53.363588: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.363589: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.363591: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.363595: | emitting length of IKEv2 Proposal Substructure Payload: 44 Oct 31 15:24:53.363596: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:53.363598: | emitting length of IKEv2 Security Association Payload: 48 Oct 31 15:24:53.363599: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:53.363601: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:24:53.363603: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363605: | flags: none (0x0) Oct 31 15:24:53.363606: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:53.363608: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:53.363610: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363612: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:24:53.363614: | ikev2 g^x: 
Oct 31 15:24:53.363645: | emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:24:53.363647: | ***emit IKEv2 Nonce Payload: Oct 31 15:24:53.363648: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363650: | flags: none (0x0) Oct 31 15:24:53.363651: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:53.363653: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363655: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:53.363656: | IKEv2 nonce: Oct 31 15:24:53.363658: | bf fa e8 d7 db 9e 4e 0b c6 ac 94 00 a7 1b c2 f7 Oct 31 15:24:53.363659: | 65 b9 9a 2b 80 40 29 9e 8c 6b 43 63 68 c9 ec 59 Oct 31 15:24:53.363665: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:53.363667: | adding a v2N Payload Oct 31 15:24:53.363668: | ***emit IKEv2 Notify Payload: Oct 31 15:24:53.363670: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363671: | flags: none (0x0) Oct 31 15:24:53.363673: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.363678: | SPI 
size: 0 (00) Oct 31 15:24:53.363683: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:53.363686: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:53.363689: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363692: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:24:53.363697: | adding a v2N Payload Oct 31 15:24:53.363699: | ***emit IKEv2 Notify Payload: Oct 31 15:24:53.363702: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363704: | flags: none (0x0) Oct 31 15:24:53.363707: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.363710: | SPI size: 0 (00) Oct 31 15:24:53.363718: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:53.363721: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:53.363724: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363728: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256 into IKEv2 Notify Payload Oct 31 15:24:53.363730: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256: 00 02 Oct 31 15:24:53.363732: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384 into IKEv2 Notify Payload Oct 31 15:24:53.363734: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384: 00 03 Oct 31 15:24:53.363736: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512 into IKEv2 Notify Payload Oct 31 15:24:53.363737: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512: 00 04 Oct 31 15:24:53.363739: | emitting length of IKEv2 Notify Payload: 14 Oct 31 15:24:53.363741: | NAT-Traversal support [enabled] add v2N payloads. 
Oct 31 15:24:53.363743: | nat: IKE.SPIr is zero Oct 31 15:24:53.363761: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:53.363765: | natd_hash: icookie= Oct 31 15:24:53.363768: | 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.363770: | natd_hash: rcookie= Oct 31 15:24:53.363772: | 00 00 00 00 00 00 00 00 Oct 31 15:24:53.363774: | natd_hash: ip= Oct 31 15:24:53.363776: | c0 01 03 21 Oct 31 15:24:53.363779: | natd_hash: port= Oct 31 15:24:53.363781: | 01 f4 Oct 31 15:24:53.363783: | natd_hash: hash= Oct 31 15:24:53.363785: | 40 ff 65 9a 6c f6 e0 67 23 f5 72 72 aa ec 71 0f Oct 31 15:24:53.363788: | 2b 85 c9 2b Oct 31 15:24:53.363790: | adding a v2N Payload Oct 31 15:24:53.363793: | ***emit IKEv2 Notify Payload: Oct 31 15:24:53.363796: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363799: | flags: none (0x0) Oct 31 15:24:53.363801: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.363805: | SPI size: 0 (00) Oct 31 15:24:53.363807: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:53.363809: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:53.363811: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363813: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:53.363814: | Notify data: Oct 31 15:24:53.363816: | 40 ff 65 9a 6c f6 e0 67 23 f5 72 72 aa ec 71 0f Oct 31 15:24:53.363817: | 2b 85 c9 2b Oct 31 15:24:53.363819: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:53.363820: | nat: IKE.SPIr is zero Oct 31 15:24:53.363827: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:53.363829: | natd_hash: icookie= Oct 31 15:24:53.363830: | 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.363832: | natd_hash: rcookie= Oct 31 15:24:53.363833: | 00 00 00 00 00 00 00 00 Oct 31 15:24:53.363834: | natd_hash: ip= Oct 31 15:24:53.363836: | c0 01 02 17 Oct 
31 15:24:53.363837: | natd_hash: port= Oct 31 15:24:53.363838: | 01 f4 Oct 31 15:24:53.363840: | natd_hash: hash= Oct 31 15:24:53.363841: | 3c 90 4e 38 4d 19 d0 e3 03 f4 37 b3 ad f7 3b 61 Oct 31 15:24:53.363842: | fd b1 2e ff Oct 31 15:24:53.363844: | adding a v2N Payload Oct 31 15:24:53.363845: | ***emit IKEv2 Notify Payload: Oct 31 15:24:53.363847: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.363848: | flags: none (0x0) Oct 31 15:24:53.363850: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.363853: | SPI size: 0 (00) Oct 31 15:24:53.363855: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:53.363856: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:53.363858: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.363860: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:53.363861: | Notify data: Oct 31 15:24:53.363862: | 3c 90 4e 38 4d 19 d0 e3 03 f4 37 b3 ad f7 3b 61 Oct 31 15:24:53.363864: | fd b1 2e ff Oct 31 15:24:53.363865: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:53.363867: | emitting length of ISAKMP Message: 454 Oct 31 15:24:53.363872: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.363875: | #1 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Oct 31 15:24:53.363877: | transitioning from state STATE_PARENT_I0 to state STATE_PARENT_I1 Oct 31 15:24:53.363878: | Message ID: updating counters for #1 Oct 31 15:24:53.363885: | Message ID: IKE #1 skipping update_recv as MD is fake Oct 31 15:24:53.363890: | Message ID: IKE #1 scheduling EVENT_RETRANSMIT: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 
ike.responder.last_contact=744567.793756 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:24:53.363893: | event_schedule: newref EVENT_RETRANSMIT-pe@0x561a1d279238 Oct 31 15:24:53.363895: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Oct 31 15:24:53.363897: | libevent_malloc: newref ptr-libevent@0x561a1d277d98 size 128 Oct 31 15:24:53.363900: | #1 STATE_PARENT_I0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744567.796688 Oct 31 15:24:53.363904: | Message ID: IKE #1 updating initiator sent message request 0: ike.initiator.sent=-1->0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1->0 ike.wip.responder=-1 Oct 31 15:24:53.363907: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:24:53.363910: | parent state #1: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Oct 31 15:24:53.363912: | announcing the state transition Oct 31 15:24:53.363914: "north-eastnets/0x2" #1: sent IKE_SA_INIT request Oct 31 15:24:53.363929: | sending 454 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1)
Oct 31 15:24:53.364017: | sent 1 messages Oct 31 15:24:53.364028: | checking that a retransmit timeout_event was already Oct 31 15:24:53.364032: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:53.364036: | libevent_free: delref ptr-libevent@0x561a1d27ac38 Oct 31 15:24:53.364039: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d277c48 Oct 31 15:24:53.364044: | delref
logger@0x561a1d269e98(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:53.364047: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.364050: | delref fd@0x561a1d277b38(4->3) (in free_logger() at log.c:854) Oct 31 15:24:53.364053: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:24:53.364057: | delref mdp@NULL (in resume_handler() at server.c:743) Oct 31 15:24:53.364064: | #1 spent 0.671 (1.22) milliseconds in resume sending helper answer back to state Oct 31 15:24:53.364071: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:53.364074: | libevent_free: delref ptr-libevent@0x7f705c006108 Oct 31 15:24:53.367452: | spent 0.00232 (0.00228) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:53.367489: | newref struct msg_digest@0x561a1d27f068(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.367494: | newref alloc logger@0x561a1d269e98(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.367501: | *received 454 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:53.367562: | **parse ISAKMP Message: Oct 31 15:24:53.367564: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.367567: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.367568: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:53.367570: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.367572: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:53.367573: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:53.367576: | Message ID: 0 (00 00 00 00) Oct 31 15:24:53.367578: | length: 454 (00 00 01 c6) Oct 31 15:24:53.367580: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31
15:24:53.367582: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_SA_INIT response Oct 31 15:24:53.367585: | State DB: found IKEv2 state #1 in PARENT_I1 (find_v2_ike_sa_by_initiator_spi) Oct 31 15:24:53.367587: | #1 is idle Oct 31 15:24:53.367588: | #1 idle Oct 31 15:24:53.367590: | unpacking clear payloads Oct 31 15:24:53.367592: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:53.367594: | ***parse IKEv2 Security Association Payload: Oct 31 15:24:53.367596: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:53.367597: | flags: none (0x0) Oct 31 15:24:53.367599: | length: 48 (00 30) Oct 31 15:24:53.367601: | processing payload: ISAKMP_NEXT_v2SA (len=44) Oct 31 15:24:53.367602: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:53.367605: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:24:53.367606: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:53.367607: | flags: none (0x0) Oct 31 15:24:53.367609: | length: 264 (01 08) Oct 31 15:24:53.367611: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:53.367612: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:24:53.367614: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:53.367615: | ***parse IKEv2 Nonce Payload: Oct 31 15:24:53.367617: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.367618: | flags: none (0x0) Oct 31 15:24:53.367625: | length: 36 (00 24) Oct 31 15:24:53.367627: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:53.367628: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.367630: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.367631: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.367632: | flags: none (0x0) Oct 31 15:24:53.367634: | length: 8 (00 08) Oct 31 15:24:53.367636: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.367637: | SPI size: 0 (00) Oct 31 15:24:53.367639: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 
15:24:53.367641: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:24:53.367642: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.367644: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.367645: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.367647: | flags: none (0x0) Oct 31 15:24:53.367649: | length: 14 (00 0e) Oct 31 15:24:53.367650: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.367653: | SPI size: 0 (00) Oct 31 15:24:53.367655: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:53.367656: | processing payload: ISAKMP_NEXT_v2N (len=6) Oct 31 15:24:53.367658: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.367659: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.367660: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:53.367662: | flags: none (0x0) Oct 31 15:24:53.367664: | length: 28 (00 1c) Oct 31 15:24:53.367665: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.367667: | SPI size: 0 (00) Oct 31 15:24:53.367668: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:53.367669: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:53.367671: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:53.367672: | ***parse IKEv2 Notify Payload: Oct 31 15:24:53.367674: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.367675: | flags: none (0x0) Oct 31 15:24:53.367677: | length: 28 (00 1c) Oct 31 15:24:53.367678: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:53.367680: | SPI size: 0 (00) Oct 31 15:24:53.367681: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:53.367683: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:53.367684: | looking for message matching transition from STATE_PARENT_I1 Oct 31 15:24:53.367686: | trying received anti-DDOS COOKIE notify response; resending IKE_SA_INIT request with cookie payload added Oct 31 15:24:53.367688: | message has errors Oct 
31 15:24:53.367689: | trying received IKE_SA_INIT INVALID_KE_PAYLOAD notify response; resending IKE_SA_INIT with new KE payload Oct 31 15:24:53.367690: | message has errors Oct 31 15:24:53.367692: | trying received REDIRECT notify response; resending IKE_SA_INIT request to new destination Oct 31 15:24:53.367693: | message has errors Oct 31 15:24:53.367695: | trying Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE Oct 31 15:24:53.367696: | matched unencrypted message Oct 31 15:24:53.367701: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1848) Oct 31 15:24:53.367703: | calling processor Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE Oct 31 15:24:53.367706: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:53.367707: | hash algorithm identifier (network ordered) Oct 31 15:24:53.367709: | 00 02 Oct 31 15:24:53.367710: | received HASH_ALGORITHM_SHA2_256 which is allowed by local policy Oct 31 15:24:53.367711: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:53.367713: | hash algorithm identifier (network ordered) Oct 31 15:24:53.367714: | 00 03 Oct 31 15:24:53.367715: | received HASH_ALGORITHM_SHA2_384 which is allowed by local policy Oct 31 15:24:53.367717: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:53.367718: | hash algorithm identifier (network ordered) Oct 31 15:24:53.367719: | 00 04 Oct 31 15:24:53.367721: | received HASH_ALGORITHM_SHA2_512 which is allowed by local policy Oct 31 15:24:53.367722: | ikev2 parent inR1: calculating g^{xy} in order to send I2 Oct 31 15:24:53.367728: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator accepting remote proposal): 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 
15:24:53.367730: | comparing remote proposals against IKE initiator (accepting) 1 local proposals Oct 31 15:24:53.367733: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:53.367734: | local proposal 1 type PRF has 1 transforms Oct 31 15:24:53.367736: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:53.367737: | local proposal 1 type DH has 1 transforms Oct 31 15:24:53.367739: | local proposal 1 type ESN has 0 transforms Oct 31 15:24:53.367742: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:24:53.367744: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.367745: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.367747: | length: 44 (00 2c) Oct 31 15:24:53.367749: | prop #: 1 (01) Oct 31 15:24:53.367751: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:53.367752: | spi size: 0 (00) Oct 31 15:24:53.367754: | # transforms: 4 (04) Oct 31 15:24:53.367756: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Oct 31 15:24:53.367758: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.367760: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.367761: | length: 12 (00 0c) Oct 31 15:24:53.367763: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.367764: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.367766: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:53.367768: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.367770: | length/value: 256 (01 00) Oct 31 15:24:53.367773: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:53.367774: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.367776: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.367778: | length: 8 (00 08) Oct 31 15:24:53.367779: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:53.367781: | IKEv2 transform ID: 
PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:53.367783: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Oct 31 15:24:53.367784: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.367786: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.367787: | length: 8 (00 08) Oct 31 15:24:53.367789: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.367790: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:53.367792: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Oct 31 15:24:53.367794: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.367795: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:53.367797: | length: 8 (00 08) Oct 31 15:24:53.367798: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:53.367800: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:53.367805: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:24:53.367808: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Oct 31 15:24:53.367811: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Oct 31 15:24:53.367812: | remote proposal 1 matches local proposal 1 Oct 31 15:24:53.367814: | remote accepted the proposal 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Oct 31 15:24:53.367816: | converting proposal to internal trans attrs Oct 31 15:24:53.367831: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:53.367833: | natd_hash: icookie= Oct 31 15:24:53.367835: | 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.367836: | natd_hash: rcookie= Oct 31 15:24:53.367838: | 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.367839: | natd_hash: ip= Oct 31 15:24:53.367840: | c0 01 03 21 
Oct 31 15:24:53.367842: | natd_hash: port= Oct 31 15:24:53.367843: | 01 f4 Oct 31 15:24:53.367844: | natd_hash: hash= Oct 31 15:24:53.367846: | 18 90 d8 8c 12 86 f4 05 e5 40 07 15 f7 f4 2c aa Oct 31 15:24:53.367847: | d2 36 79 b6 Oct 31 15:24:53.367855: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:53.367860: | natd_hash: icookie= Oct 31 15:24:53.367863: | 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.367865: | natd_hash: rcookie= Oct 31 15:24:53.367868: | 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.367874: | natd_hash: ip= Oct 31 15:24:53.367876: | c0 01 02 17 Oct 31 15:24:53.367879: | natd_hash: port= Oct 31 15:24:53.367881: | 01 f4 Oct 31 15:24:53.367883: | natd_hash: hash= Oct 31 15:24:53.367885: | 3f 2c 62 5f 15 8d 69 74 e9 af ce 81 47 c4 4e c7 Oct 31 15:24:53.367888: | aa 8e af 14 Oct 31 15:24:53.367891: | NAT_TRAVERSAL encaps using auto-detect Oct 31 15:24:53.367894: | NAT_TRAVERSAL this end is NOT behind NAT Oct 31 15:24:53.367896: | NAT_TRAVERSAL that end is NOT behind NAT Oct 31 15:24:53.367900: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Oct 31 15:24:53.367905: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey=AES_CBC Oct 31 15:24:53.367908: | DH secret MODP2048@0x7f705c006ba8: transferring ownership from state #1 to helper IKEv2 DH Oct 31 15:24:53.367912: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:53.367914: | addref fd@0x561a1d277b38(3->4) (in clone_logger() at log.c:810) Oct 31 15:24:53.367916: | newref clone logger@0x561a1d277c48(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:53.367918: | job 2 for #1: ikev2_inR1outI2 KE (compute dh (V2)): adding job to queue Oct 31 15:24:53.367920: | state #1 has no .st_event to delete Oct 31 15:24:53.367922: | #1 requesting EVENT_RETRANSMIT-pe@0x561a1d279238 be deleted Oct 31 15:24:53.367924: | libevent_free: delref ptr-libevent@0x561a1d277d98 Oct 31 15:24:53.367926: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x561a1d279238 Oct 31 15:24:53.367928: | 
#1 STATE_PARENT_I1: retransmits: cleared Oct 31 15:24:53.367930: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d2793d8 Oct 31 15:24:53.367931: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:24:53.367933: | libevent_malloc: newref ptr-libevent@0x561a1d27ac38 size 128 Oct 31 15:24:53.367942: | #1 spent 0.229 (0.235) milliseconds in processing: Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE in v2_dispatch() Oct 31 15:24:53.367945: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.367948: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND; .st_v2_transition=PARENT_I0->PARENT_I1 Oct 31 15:24:53.367950: | suspending state #1 and saving MD 0x561a1d27f068 Oct 31 15:24:53.367952: | addref md@0x561a1d27f068(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:53.367952: | job 2 for #1: ikev2_inR1outI2 KE (compute dh (V2)): helper 2 starting job Oct 31 15:24:53.367953: | #1 is busy; has suspended MD 0x561a1d27f068 Oct 31 15:24:53.367965: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1850) Oct 31 15:24:53.367969: | #1 spent 0.511 (0.524) milliseconds in ikev2_process_packet() Oct 31 15:24:53.367971: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:53.367972: | delref mdp@0x561a1d27f068(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.367975: | spent 0.518 (0.531) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:53.368491: | calculating skeyseed using prf=HMAC_SHA2_256 integ=HMAC_SHA2_256_128 cipherkey-size=32 salt-size=0 Oct 31 15:24:53.368590: | "north-eastnets/0x2" #1: spent 0.629 (0.638) milliseconds in helper 2 processing job 2 for state #1: ikev2_inR1outI2 KE (pcr) Oct 31 15:24:53.368594: | job 2 for #1: 
ikev2_inR1outI2 KE (compute dh (V2)): helper thread 2 sending result back to state Oct 31 15:24:53.368596: | scheduling resume sending helper answer back to state for #1 Oct 31 15:24:53.368598: | libevent_malloc: newref ptr-libevent@0x7f705400f3d8 size 128 Oct 31 15:24:53.368604: | helper thread 2 has nothing to do Oct 31 15:24:53.368612: | processing resume sending helper answer back to state for #1 Oct 31 15:24:53.368619: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:53.368624: | unsuspending #1 MD 0x561a1d27f068 Oct 31 15:24:53.368626: | job 2 for #1: ikev2_inR1outI2 KE (compute dh (V2)): processing response from helper 2 Oct 31 15:24:53.368628: | job 2 for #1: ikev2_inR1outI2 KE (compute dh (V2)): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:53.368630: | ikev2_parent_inR1outI2_continue() for #1 STATE_PARENT_I1: g^{xy} calculated, sending I2 Oct 31 15:24:53.368632: | DH secret MODP2048@0x7f705c006ba8: transferring ownership from helper IKEv2 DH to state #1 Oct 31 15:24:53.368634: | State DB: re-hashing IKEv2 state #1 IKE SPIi and SPI[ir] Oct 31 15:24:53.368655: | emit hash algo NEGOTIATE_AUTH_HASH_SHA2_512 Oct 31 15:24:53.368668: | get_connection_private_key() using CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d to find private key for @north->@east of kind RSA Oct 31 15:24:53.368671: | trying secret PKK_RSA:AQPl33O2P Oct 31 15:24:53.368673: | matched Oct 31 15:24:53.368674: | secrets entry for ckaid already exists Oct 31 15:24:53.368676: | connection north-eastnets/0x2's RSA private key found in NSS DB using CKAID Oct 31 15:24:53.368681: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:53.368682: | addref fd@0x561a1d277b38(4->5) (in clone_logger() at log.c:810) Oct 31 15:24:53.368684: | newref clone logger@0x561a1d279238(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:53.368686: | job 3 for #1: computing responder signature (signature): adding 
job to queue Oct 31 15:24:53.368688: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:53.368690: | libevent_free: delref ptr-libevent@0x561a1d27ac38 Oct 31 15:24:53.368692: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d2793d8 Oct 31 15:24:53.368694: | #1 STATE_PARENT_I1: retransmits: cleared Oct 31 15:24:53.368695: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:53.368697: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:24:53.368699: | libevent_malloc: newref ptr-libevent@0x561a1d277d98 size 128 Oct 31 15:24:53.368705: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.368708: | #1 complete_v2_state_transition() PARENT_I1->PARENT_I2 with status STF_SUSPEND; .st_v2_transition=PARENT_I0->PARENT_I1 Oct 31 15:24:53.368709: | suspending state #1 and saving MD 0x561a1d27f068 Oct 31 15:24:53.368711: | addref md@0x561a1d27f068(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:53.368713: | #1 is busy; has suspended MD 0x561a1d27f068 Oct 31 15:24:53.368715: | delref logger@0x561a1d277c48(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:53.368716: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.368718: | delref fd@0x561a1d277b38(5->4) (in free_logger() at log.c:854) Oct 31 15:24:53.368717: | job 3 for #1: computing responder signature (signature): helper 3 starting job Oct 31 15:24:53.368721: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:24:53.368729: | hash to sign Oct 31 15:24:53.368734: | 9c 47 71 8c 4f ba 24 92 ae 62 26 25 b4 b3 4f 28 Oct 31 15:24:53.368738: | 5b c0 30 a3 fc 51 e0 71 0e 45 ae f8 cd e5 4b b0 Oct 31 15:24:53.368741: | cd 82 e9 6e 6a 67 77 9e ee d8 8e 80 b5 71 56 1c Oct 31 15:24:53.368745: | da 67 25 63 df a0 5d 0f d8 7e 4b 5e 04 6a a6 b3 Oct 31 
15:24:53.368731: | delref mdp@0x561a1d27f068(2->1) (in resume_handler() at server.c:743) Oct 31 15:24:53.368749: | RSA_sign_hash: Started using NSS Oct 31 15:24:53.368754: | #1 spent 0.12 (0.129) milliseconds in resume sending helper answer back to state Oct 31 15:24:53.368763: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:53.368765: | libevent_free: delref ptr-libevent@0x7f705400f3d8 Oct 31 15:24:53.374374: | RSA_sign_hash: Ended using NSS Oct 31 15:24:53.374402: | "north-eastnets/0x2" #1: spent 5.6 (5.65) milliseconds in v2_auth_signature() calling sign_hash() Oct 31 15:24:53.374412: | "north-eastnets/0x2" #1: spent 5.63 (5.68) milliseconds in v2_auth_signature() Oct 31 15:24:53.374418: | "north-eastnets/0x2" #1: spent 5.65 (5.7) milliseconds in helper 3 processing job 3 for state #1: computing responder signature (signature) Oct 31 15:24:53.374422: | job 3 for #1: computing responder signature (signature): helper thread 3 sending result back to state Oct 31 15:24:53.374427: | scheduling resume sending helper answer back to state for #1 Oct 31 15:24:53.374432: | libevent_malloc: newref ptr-libevent@0x7f7058000d38 size 128 Oct 31 15:24:53.374442: | helper thread 3 has nothing to do Oct 31 15:24:53.374455: | processing resume sending helper answer back to state for #1 Oct 31 15:24:53.374470: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:53.374477: | unsuspending #1 MD 0x561a1d27f068 Oct 31 15:24:53.374481: | job 3 for #1: computing responder signature (signature): processing response from helper 3 Oct 31 15:24:53.374484: | job 3 for #1: computing responder signature (signature): calling continuation function 0x561a1ce4f77f Oct 31 15:24:53.374494: | newref alloc logger@0x561a1d277c48(0->1) (in new_state() at state.c:576) Oct 31 15:24:53.374498: | addref fd@0x561a1d277b38(4->5) (in new_state() at 
state.c:577) Oct 31 15:24:53.374501: | creating state object #2 at 0x561a1d282fb8 Oct 31 15:24:53.374505: | State DB: adding IKEv2 state #2 in UNDEFINED Oct 31 15:24:53.374512: | pstats #2 ikev2.child started Oct 31 15:24:53.374516: | duplicating state object #1 "north-eastnets/0x2" as #2 for IPSEC SA Oct 31 15:24:53.374522: | #2 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:53.374535: | Message ID: CHILD #1.#2 initializing (CHILD SA): ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:53.374540: | child state #2: UNDEFINED(ignore) => V2_IKE_AUTH_CHILD_I0(ignore) Oct 31 15:24:53.374544: | #2.st_v2_transition NULL -> NULL (in new_v2_child_state() at state.c:1666) Oct 31 15:24:53.374550: | Message ID: IKE #1 switching from IKE SA initiator message response 0: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=0->-1 ike.wip.responder=-1 Oct 31 15:24:53.374556: | Message ID: CHILD #1.#2 switching to CHILD SA initiator message response 0: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1->0 child.wip.responder=-1 Oct 31 15:24:53.374560: | switching IKEv2 MD.ST from IKE #1 PARENT_I1 to CHILD #2 V2_IKE_AUTH_CHILD_I0 (in ikev2_parent_inR1outI2_auth_signature_continue() at ikev2_parent.c:2155) Oct 31 15:24:53.374563: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:53.374567: | libevent_free: delref ptr-libevent@0x561a1d277d98 Oct 31 15:24:53.374570: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:53.374573: | 
#1 STATE_PARENT_I1: retransmits: cleared Oct 31 15:24:53.374577: | event_schedule: newref EVENT_SA_REPLACE-pe@0x561a1d277d98 Oct 31 15:24:53.374579: | inserting event EVENT_SA_REPLACE, timeout in 120 seconds for #1 Oct 31 15:24:53.374581: | libevent_malloc: newref ptr-libevent@0x7f705400f3d8 size 128 Oct 31 15:24:53.374585: | parent state #1: PARENT_I1(half-open IKE SA) => PARENT_I2(open IKE SA) Oct 31 15:24:53.374592: | opening output PBS reply packet Oct 31 15:24:53.374596: | **emit ISAKMP Message: Oct 31 15:24:53.374600: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.374604: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.374606: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:53.374609: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.374613: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:53.374616: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.374620: | Message ID: 1 (00 00 00 01) Oct 31 15:24:53.374623: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:53.374627: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:53.374630: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374632: | flags: none (0x0) Oct 31 15:24:53.374635: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:53.374637: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374639: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:53.374649: | IKEv2 CERT: send a certificate? 
Oct 31 15:24:53.374650: | IKEv2 CERT: no certificate to send Oct 31 15:24:53.374652: | IDr payload will be sent Oct 31 15:24:53.374654: | ****emit IKEv2 Identification - Initiator - Payload: Oct 31 15:24:53.374655: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374657: | flags: none (0x0) Oct 31 15:24:53.374659: | ID type: ID_FQDN (0x2) Oct 31 15:24:53.374660: | reserved: 00 00 00 Oct 31 15:24:53.374662: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Initiator - Payload (35:ISAKMP_NEXT_v2IDi) Oct 31 15:24:53.374664: | next payload chain: saving location 'IKEv2 Identification - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374666: | emitting 5 raw bytes of my identity into IKEv2 Identification - Initiator - Payload Oct 31 15:24:53.374668: | my identity: 6e 6f 72 74 68 Oct 31 15:24:53.374670: | emitting length of IKEv2 Identification - Initiator - Payload: 13 Oct 31 15:24:53.374672: | ****emit IKEv2 Identification - Responder - Payload: Oct 31 15:24:53.374673: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374675: | flags: none (0x0) Oct 31 15:24:53.374676: | ID type: ID_FQDN (0x2) Oct 31 15:24:53.374678: | reserved: 00 00 00 Oct 31 15:24:53.374680: | next payload chain: setting previous 'IKEv2 Identification - Initiator - Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Oct 31 15:24:53.374681: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374683: | emitting 4 raw bytes of their IDr into IKEv2 Identification - Responder - Payload Oct 31 15:24:53.374685: | their IDr: 65 61 73 74 Oct 31 15:24:53.374686: | emitting length of IKEv2 Identification - Responder - Payload: 12 Oct 31 15:24:53.374688: | not sending INITIAL_CONTACT Oct 31 15:24:53.374689: | ****emit IKEv2 Authentication Payload: Oct 31 
15:24:53.374691: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374692: | flags: none (0x0) Oct 31 15:24:53.374694: | auth method: IKEv2_AUTH_DIGSIG (0xe) Oct 31 15:24:53.374696: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Oct 31 15:24:53.374698: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374700: | emit hash algo NEGOTIATE_AUTH_HASH_SHA2_512 Oct 31 15:24:53.374703: | emitting 68 raw bytes of OID of ASN.1 Algorithm Identifier into IKEv2 Authentication Payload Oct 31 15:24:53.374705: | OID of ASN.1 Algorithm Identifier: Oct 31 15:24:53.374708: | 43 30 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 Oct 31 15:24:53.374710: | a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 Oct 31 15:24:53.374712: | 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 Oct 31 15:24:53.374714: | 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 a2 Oct 31 15:24:53.374716: | 03 02 01 40 Oct 31 15:24:53.374720: | emitting 274 raw bytes of signature into IKEv2 Authentication Payload Oct 31 15:24:53.374722: | signature:
Oct 31 15:24:53.374761: | emitting length of IKEv2 Authentication Payload: 350 Oct 31 15:24:53.374764: | getting first pending from state #1 Oct 31 15:24:53.374768: | delref fd@0x561a1d277b38(5->4) (in first_pending() at pending.c:318) Oct 31 15:24:53.374771: | addref fd@0x561a1d277b38(4->5) (in first_pending() at pending.c:319) Oct 31 15:24:53.374774: | Switching Child connection for #2 to "north-eastnets/0x1" from "north-eastnets/0x2" Oct 31 15:24:53.374777: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:53.374801: | netlink_get_spi: allocated 0x1eaca114 for esp.0@192.1.3.33 Oct 31 15:24:53.374805: | constructing ESP/AH proposals with all DH removed for north-eastnets/0x1 (IKE SA initiator emitting ESP/AH proposals) Oct 31 15:24:53.374812: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Oct 31 15:24:53.374820: | ... ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-NONE-DISABLED Oct 31 15:24:53.374824: "north-eastnets/0x1": local ESP/AH proposals (IKE SA initiator emitting ESP/AH proposals): Oct 31 15:24:53.374829: "north-eastnets/0x1": 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-NONE-DISABLED Oct 31 15:24:53.374832: | Emitting ikev2_proposals ...
Oct 31 15:24:53.374834: | ****emit IKEv2 Security Association Payload: Oct 31 15:24:53.374837: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374839: | flags: none (0x0) Oct 31 15:24:53.374841: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:53.374844: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374848: | discard DH=NONE when counting transforms (multiple 0; allow single 0) Oct 31 15:24:53.374851: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.374853: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.374856: | prop #: 1 (01) Oct 31 15:24:53.374859: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:53.374861: | spi size: 4 (04) Oct 31 15:24:53.374864: | # transforms: 3 (03) Oct 31 15:24:53.374867: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:53.374870: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:24:53.374872: | our spi: 1e ac a1 14 Oct 31 15:24:53.374874: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.374875: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.374879: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.374880: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.374882: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.374884: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:53.374886: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.374887: | length/value: 128 (00 80) Oct 31 15:24:53.374889: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:53.374891: | ******emit IKEv2 Transform 
Substructure Payload: Oct 31 15:24:53.374892: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.374894: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.374895: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:53.374897: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.374899: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.374900: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.374902: | discard DH=NONE when emitting proposal (multiple 0; allow single 0) Oct 31 15:24:53.374904: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.374905: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:53.374906: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:53.374908: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:53.374910: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.374911: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.374912: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.374914: | emitting length of IKEv2 Proposal Substructure Payload: 40 Oct 31 15:24:53.374915: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:53.374917: | emitting length of IKEv2 Security Association Payload: 44 Oct 31 15:24:53.374918: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 
31 15:24:53.374922: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:53.374923: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374925: | flags: none (0x0) Oct 31 15:24:53.374926: | number of TS: 1 (01) Oct 31 15:24:53.374928: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:24:53.374930: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374931: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:53.374933: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.374935: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.374937: | start port: 0 (00 00) Oct 31 15:24:53.374938: | end port: 65535 (ff ff) Oct 31 15:24:53.374940: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:53.374942: | IP start: c0 00 03 00 Oct 31 15:24:53.374944: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:53.374946: | IP end: c0 00 03 ff Oct 31 15:24:53.374948: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:53.374950: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:24:53.374953: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:53.374955: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.374959: | flags: none (0x0) Oct 31 15:24:53.374961: | number of TS: 1 (01) Oct 31 15:24:53.374964: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:24:53.374967: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.374969: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:53.374972: | TS type: 
IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.374974: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.374976: | start port: 0 (00 00) Oct 31 15:24:53.374978: | end port: 65535 (ff ff) Oct 31 15:24:53.374980: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:53.374982: | IP start: c0 00 02 00 Oct 31 15:24:53.374983: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:53.374985: | IP end: c0 00 02 ff Oct 31 15:24:53.374987: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:53.374988: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:24:53.374990: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Oct 31 15:24:53.374991: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:24:53.374993: | adding 13 bytes of padding (including 1 byte padding-length) Oct 31 15:24:53.374995: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.374997: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.374998: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375000: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375001: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375003: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375004: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375006: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375007: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375009: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 
15:24:53.375011: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375013: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375015: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.375018: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:53.375020: | emitting length of IKEv2 Encryption Payload: 516 Oct 31 15:24:53.375022: | emitting length of ISAKMP Message: 544 Oct 31 15:24:53.375028: | **parse ISAKMP Message: Oct 31 15:24:53.375032: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.375034: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.375036: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:53.375038: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.375039: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:53.375041: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.375043: | Message ID: 1 (00 00 00 01) Oct 31 15:24:53.375045: | length: 544 (00 00 02 20) Oct 31 15:24:53.375047: | **parse IKEv2 Encryption Payload: Oct 31 15:24:53.375048: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Oct 31 15:24:53.375050: | flags: none (0x0) Oct 31 15:24:53.375052: | length: 516 (02 04) Oct 31 15:24:53.375053: | opening output PBS reply frag packet Oct 31 15:24:53.375055: | **emit ISAKMP Message: Oct 31 15:24:53.375059: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.375061: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.375062: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:53.375064: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.375065: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:53.375067: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.375069: | Message ID: 1 (00 00 00 01) Oct 31 15:24:53.375070: | next payload chain: saving 
message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:53.375072: | ***emit IKEv2 Encrypted Fragment: Oct 31 15:24:53.375074: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Oct 31 15:24:53.375075: | flags: none (0x0) Oct 31 15:24:53.375077: | fragment number: 1 (00 01) Oct 31 15:24:53.375079: | total fragments: 1 (00 01) Oct 31 15:24:53.375080: | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 35:ISAKMP_NEXT_v2IDi Oct 31 15:24:53.375082: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) Oct 31 15:24:53.375084: | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' Oct 31 15:24:53.375086: | emitting 16 zero bytes of IV into IKEv2 Encrypted Fragment Oct 31 15:24:53.375089: | emitting 467 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment Oct 31 15:24:53.375091: | cleartext fragment:
Oct 31 15:24:53.375162: | adding 13 bytes of padding (including 1 byte padding-length) Oct 31 15:24:53.375164: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375168: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375169: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375171: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375172: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375174: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375175: | emitting 1 0x06 repeated bytes of padding and
length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375177: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375178: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375180: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375181: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375183: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375184: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encrypted Fragment Oct 31 15:24:53.375186: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment Oct 31 15:24:53.375187: | emitting length of IKEv2 Encrypted Fragment: 520 Oct 31 15:24:53.375189: | emitting length of ISAKMP Message: 548 Oct 31 15:24:53.375238: | recording fragment 1 Oct 31 15:24:53.375252: | delref logger@0x561a1d279238(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:53.375256: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.375259: | delref fd@0x561a1d277b38(5->4) (in free_logger() at log.c:854) Oct 31 15:24:53.375263: | XXX: resume sending helper answer back to state for #1 switched MD.ST to #2 Oct 31 15:24:53.375271: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.375277: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.375282: | #2 complete_v2_state_transition() in state V2_IKE_AUTH_CHILD_I0 PARENT_I1->PARENT_I2 with status STF_OK; .st_v2_transition=NULL Oct 31 15:24:53.375286: | transitioning from state STATE_PARENT_I1 to state STATE_PARENT_I2 Oct 31 15:24:53.375288: | Message ID: updating counters for #2 Oct 31 
15:24:53.375296: | Message ID: CHILD #1.#2 XXX: no EVENT_RETRANSMIT to clear; suspect IKE->CHILD switch: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744567.793756 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.375304: | Message ID: CHILD #1.#2 updating initiator received message response 0: ike.initiator.sent=0 ike.initiator.recv=-1->0 ike.initiator.last_contact=744567.793756->744567.808088 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=0->-1 child.wip.responder=-1 Oct 31 15:24:53.375310: | Message ID: CHILD #1.#2 scheduling EVENT_RETRANSMIT: ike.initiator.sent=1 ike.initiator.recv=0 ike.initiator.last_contact=744567.808088 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=1 child.wip.responder=-1 Oct 31 15:24:53.375315: | event_schedule: newref EVENT_RETRANSMIT-pe@0x561a1d279238 Oct 31 15:24:53.375318: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #2 Oct 31 15:24:53.375322: | libevent_malloc: newref ptr-libevent@0x561a1d281d48 size 128 Oct 31 15:24:53.375327: | #2 STATE_V2_IKE_AUTH_CHILD_I0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744567.80811 Oct 31 15:24:53.375332: | Message ID: CHILD #1.#2 updating initiator sent message request 1: ike.initiator.sent=0->1 ike.initiator.recv=0 ike.initiator.last_contact=744567.808088 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1->1 child.wip.responder=-1 Oct 31 15:24:53.375339: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=1 ike.initiator.recv=0 ike.initiator.last_contact=744567.808088 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 
15:24:53.375341: | child state #2: V2_IKE_AUTH_CHILD_I0(ignore) => PARENT_I2(open IKE SA) Oct 31 15:24:53.375343: | announcing the state transition Oct 31 15:24:53.375347: "north-eastnets/0x2" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Oct 31 15:24:53.375360: | sending 548 bytes for STATE_PARENT_I1 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1)
Oct 31 15:24:53.375502: | sent 1 messages Oct 31 15:24:53.375507: | checking that a retransmit timeout_event was already Oct 31 15:24:53.375510: | state #2 has no .st_event to delete Oct 31 15:24:53.375514: | delref mdp@0x561a1d27f068(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:53.375517: | delref logger@0x561a1d269e98(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:53.375520: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.375524: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.375532: | #1 spent 1.01 (1.05) milliseconds in resume sending helper answer back to state Oct 31 15:24:53.375538: | stop processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:53.375542: | libevent_free: delref ptr-libevent@0x7f7058000d38 Oct 31 15:24:53.449913: | spent 0.00236 (0.00235) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:53.449931: | newref
struct msg_digest@0x561a1d27f068(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.449935: | newref alloc logger@0x561a1d27ac38(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.449941: | *received 528 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:53.450008: | **parse ISAKMP Message: Oct 31 15:24:53.450012: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.450015: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.450018: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:53.450020: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.450022: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:53.450025: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:53.450028: | Message ID: 1 (00 00 00 01) Oct 31 15:24:53.450031: | length: 528 (00 00 02 10) Oct 31 15:24:53.450033: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Oct 31 15:24:53.450039: | I am the IKE SA Original Initiator receiving an IKEv2 IKE_AUTH response Oct 31 15:24:53.450044: | State DB: found IKEv2 state #1 in PARENT_I2 (find_v2_ike_sa) Oct 31 15:24:53.450050: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:53.450053: | State DB: found IKEv2 state #2 in PARENT_I2 (find_v2_sa_by_initiator_wip) Oct 31 15:24:53.450056: | #2 is idle Oct 31 15:24:53.450058: | #2 idle Oct 31 15:24:53.450062: | suspend processing: state #1 connection "north-eastnets/0x2"
from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:53.450066: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:53.450068: | unpacking clear payload Oct 31 15:24:53.450070: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:53.450074: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:53.450076: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Oct 31 15:24:53.450078: | flags: none (0x0) Oct 31 15:24:53.450080: | length: 500 (01 f4) Oct 31 15:24:53.450083: | processing payload: ISAKMP_NEXT_v2SK (len=496) Oct 31 15:24:53.450085: | #2 in state PARENT_I2: sent IKE_AUTH request Oct 31 15:24:53.450119: | authenticator matched Oct 31 15:24:53.450133: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Oct 31 15:24:53.450136: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Oct 31 15:24:53.450139: | **parse IKEv2 Identification - Responder - Payload: Oct 31 15:24:53.450141: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Oct 31 15:24:53.450143: | flags: none (0x0) Oct 31 15:24:53.450145: | length: 12 (00 0c) Oct 31 15:24:53.450147: | ID type: ID_FQDN (0x2) Oct 31 15:24:53.450150: | reserved: 00 00 00 Oct 31 15:24:53.450152: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Oct 31 15:24:53.450153: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Oct 31 15:24:53.450156: | **parse IKEv2 Authentication Payload: Oct 31 15:24:53.450158: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:53.450160: | flags: none (0x0) Oct 31 15:24:53.450162: | length: 350 (01 5e) Oct 31 15:24:53.450164: | auth method: IKEv2_AUTH_DIGSIG (0xe) Oct 31 15:24:53.450166: | processing payload: ISAKMP_NEXT_v2AUTH (len=342) Oct 31 15:24:53.450168: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:53.450171: | **parse IKEv2 Security Association Payload: Oct 31 15:24:53.450173: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:24:53.450175: | flags: none (0x0) 
Oct 31 15:24:53.450178: | length: 44 (00 2c) Oct 31 15:24:53.450180: | processing payload: ISAKMP_NEXT_v2SA (len=40) Oct 31 15:24:53.450182: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:24:53.450184: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:53.450187: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:24:53.450188: | flags: none (0x0) Oct 31 15:24:53.450191: | length: 24 (00 18) Oct 31 15:24:53.450193: | number of TS: 1 (01) Oct 31 15:24:53.450195: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:24:53.450196: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:24:53.450203: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:53.450208: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.450210: | flags: none (0x0) Oct 31 15:24:53.450212: | length: 24 (00 18) Oct 31 15:24:53.450214: | number of TS: 1 (01) Oct 31 15:24:53.450216: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:24:53.450219: | selected state microcode Initiator: process IKE_AUTH response Oct 31 15:24:53.450221: | calling processor Initiator: process IKE_AUTH response Oct 31 15:24:53.450225: | no certs to decode Oct 31 15:24:53.450230: | offered CA: '%none' Oct 31 15:24:53.450235: "north-eastnets/0x1" #2: IKEv2 mode peer ID is ID_FQDN: '@east' Oct 31 15:24:53.450262: | verifying AUTH payload Oct 31 15:24:53.450269: | looking for ASN.1 blob for method rsasig for hash_algo SHA2_512 Oct 31 15:24:53.450272: | parsing 68 raw bytes of IKEv2 Authentication Payload into ASN.1 blob for hash algo Oct 31 15:24:53.450274: | ASN.1 blob for hash algo Oct 31 15:24:53.450281: | 43 30 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 Oct 31 15:24:53.450284: | a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 Oct 31 15:24:53.450286: | 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 Oct 31 15:24:53.450288: | 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 a2 Oct 31 15:24:53.450290: | 03 02 01 40 Oct 31 15:24:53.450305: | 
required RSA CA is '%any' Oct 31 15:24:53.450307: | trying all remote certificates public keys for RSA key that matches ID: @east Oct 31 15:24:53.450309: | trying all preloaded keys public keys for RSA key that matches ID: @east Oct 31 15:24:53.450311: | trying '@east' issued by CA '%any' Oct 31 15:24:53.450314: | NSS RSA: verifying that decrypted signature matches hash: Oct 31 15:24:53.450315: | 78 8e 2e 74 b4 ef bf 37 ab e4 a6 df ff 1e fa b3 Oct 31 15:24:53.450317: | 86 c0 5f 61 28 3e ba 28 56 9f 17 5b bc f7 b5 d3 Oct 31 15:24:53.450318: | 03 5f 90 9a d4 94 ba f7 1b 3f 48 e6 20 ef 21 b6 Oct 31 15:24:53.450319: | 3c 33 b6 20 76 32 7c 94 53 60 dc 35 73 b8 ea 83 Oct 31 15:24:53.450376: | delref pkp@NULL (in try_RSA_signature_v2() at ikev2_rsa.c:170) Oct 31 15:24:53.450380: | addref pk@0x561a1d278ed8(1->2) (in try_RSA_signature_v2() at ikev2_rsa.c:171) Oct 31 15:24:53.450383: | an RSA Sig check passed with *AQO9bJbr3 [preloaded keys] Oct 31 15:24:53.450389: | #1 spent 0.0727 (0.0729) milliseconds in try_all_keys() trying a pubkey Oct 31 15:24:53.450392: "north-eastnets/0x2" #1: authenticated using RSA with SHA2_512 Oct 31 15:24:53.450403: | #1 spent 0.108 (0.108) milliseconds in ikev2_verify_rsa_hash() Oct 31 15:24:53.450407: | parent state #1: PARENT_I2(open IKE SA) => ESTABLISHED_IKE_SA(established IKE SA) Oct 31 15:24:53.450411: | #1 will start re-keying in 2607 seconds with margin of 993 seconds (attempting re-key) Oct 31 15:24:53.450413: | state #1 deleting .st_event EVENT_SA_REPLACE Oct 31 15:24:53.450418: | libevent_free: delref ptr-libevent@0x7f705400f3d8 Oct 31 15:24:53.450420: | free_event_entry: delref EVENT_SA_REPLACE-pe@0x561a1d277d98 Oct 31 15:24:53.450424: | event_schedule: newref EVENT_SA_REKEY-pe@0x561a1d282238 Oct 31 15:24:53.450426: | inserting event EVENT_SA_REKEY, timeout in 2607 seconds for #1 Oct 31 15:24:53.450429: | libevent_malloc: newref ptr-libevent@0x7f7058000d38 size 128 Oct 31 15:24:53.450878: | pstats #1 ikev2.ike established Oct 31 
15:24:53.450888: | TSi: parsing 1 traffic selectors Oct 31 15:24:53.450892: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:53.450895: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.450898: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.450901: | length: 16 (00 10) Oct 31 15:24:53.450904: | start port: 0 (00 00) Oct 31 15:24:53.450907: | end port: 65535 (ff ff) Oct 31 15:24:53.450910: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:53.450912: | TS low Oct 31 15:24:53.450914: | c0 00 03 00 Oct 31 15:24:53.450917: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:53.450919: | TS high Oct 31 15:24:53.450921: | c0 00 03 ff Oct 31 15:24:53.450923: | TSi: parsed 1 traffic selectors Oct 31 15:24:53.450926: | TSr: parsing 1 traffic selectors Oct 31 15:24:53.450929: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:53.450931: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.450933: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.450936: | length: 16 (00 10) Oct 31 15:24:53.450939: | start port: 0 (00 00) Oct 31 15:24:53.450942: | end port: 65535 (ff ff) Oct 31 15:24:53.450944: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:53.450946: | TS low Oct 31 15:24:53.450949: | c0 00 02 00 Oct 31 15:24:53.450951: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:53.450956: | TS high Oct 31 15:24:53.450958: | c0 00 02 ff Oct 31 15:24:53.450961: | TSr: parsed 1 traffic selectors Oct 31 15:24:53.450968: | evaluating our conn="north-eastnets/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:24:53.450972: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:53.450977: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:24:53.450980: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:53.450981: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:53.450983: | narrow 
protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:53.450985: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:53.450988: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:53.450992: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:24:53.450993: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:53.450995: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:53.450996: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:53.450998: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:53.451000: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:53.451001: | found an acceptable TSi/TSr Traffic Selector Oct 31 15:24:53.451003: | printing contents struct traffic_selector Oct 31 15:24:53.451004: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:53.451006: | ipprotoid: 0 Oct 31 15:24:53.451007: | port range: 0-65535 Oct 31 15:24:53.451009: | ip range: 192.0.3.0-192.0.3.255 Oct 31 15:24:53.451011: | printing contents struct traffic_selector Oct 31 15:24:53.451012: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:53.451014: | ipprotoid: 0 Oct 31 15:24:53.451015: | port range: 0-65535 Oct 31 15:24:53.451017: | ip range: 192.0.2.0-192.0.2.255 Oct 31 15:24:53.451023: | using existing local ESP/AH proposals for north-eastnets/0x1 (IKE_AUTH initiator accepting remote ESP/AH proposal): 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-NONE-DISABLED Oct 31 15:24:53.451025: | comparing remote proposals against IKE_AUTH initiator accepting remote ESP/AH proposal 1 local proposals Oct 31 15:24:53.451029: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:53.451030: | local proposal 1 type PRF has 0 transforms Oct 31 15:24:53.451032: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:53.451033: | local proposal 1 type DH has 1 transforms Oct 31 15:24:53.451035: | local proposal 1 type ESN has 1 transforms Oct 31 15:24:53.451037: | local 
proposal 1 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:24:53.451039: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.451041: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.451043: | length: 40 (00 28) Oct 31 15:24:53.451045: | prop #: 1 (01) Oct 31 15:24:53.451047: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:53.451049: | spi size: 4 (04) Oct 31 15:24:53.451050: | # transforms: 3 (03) Oct 31 15:24:53.451052: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:53.451054: | remote SPI Oct 31 15:24:53.451055: | 1c 19 67 03 Oct 31 15:24:53.451057: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..1] of 1 local proposals Oct 31 15:24:53.451059: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.451061: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.451063: | length: 12 (00 0c) Oct 31 15:24:53.451064: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.451066: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.451067: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:53.451069: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.451071: | length/value: 128 (00 80) Oct 31 15:24:53.451074: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:53.451077: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.451078: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.451080: | length: 8 (00 08) Oct 31 15:24:53.451082: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.451083: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:53.451085: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Oct 31 15:24:53.451087: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.451089: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 
15:24:53.451092: | length: 8 (00 08) Oct 31 15:24:53.451094: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:53.451096: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:53.451099: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:24:53.451103: | remote proposal 1 proposed transforms: ENCR+INTEG+ESN; matched: ENCR+INTEG+ESN; unmatched: none Oct 31 15:24:53.451108: | comparing remote proposal 1 containing ENCR+INTEG+ESN transforms to local proposal 1; required: ENCR+INTEG+ESN; optional: DH; matched: ENCR+INTEG+ESN Oct 31 15:24:53.451111: | remote proposal 1 matches local proposal 1 Oct 31 15:24:53.451114: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;ESN=DISABLED[first-match] Oct 31 15:24:53.451119: | IKE_AUTH initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-DISABLED SPI=1c196703 Oct 31 15:24:53.451122: | converting proposal to internal trans attrs Oct 31 15:24:53.451130: | integ=HMAC_SHA2_512_256: .key_size=64 encrypt=AES_CBC: .key_size=16 .salt_size=0 keymat_len=80 Oct 31 15:24:53.451233: | install_ipsec_sa() for #2: inbound and outbound Oct 31 15:24:53.451241: | could_route called for north-eastnets/0x1; kind=CK_PERMANENT that.has_client=yes oppo=no this.host_port=500 Oct 31 15:24:53.451243: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:53.451245: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.451247: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:53.451248: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.451250: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:53.451252: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Oct 31 15:24:53.451254: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:53.451257: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:53.451259: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:53.451262: | setting IPsec SA replay-window to 32 Oct 31 15:24:53.451264: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Oct 31 15:24:53.451266: | netlink: enabling tunnel mode Oct 31 15:24:53.451268: | XFRM: adding IPsec SA with reqid 16389 Oct 31 15:24:53.451269: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:53.451271: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:53.451700: | netlink response for Add SA esp.1c196703@192.1.2.23 included non-error error Oct 31 15:24:53.451708: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=0 owner=#0 mode=1 Oct 31 15:24:53.451712: | set up outgoing SA, ref=0/0 Oct 31 15:24:53.451715: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:53.451719: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:53.451721: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:53.451726: | setting IPsec SA replay-window to 32 Oct 31 15:24:53.451728: | NIC esp-hw-offload not for connection 'north-eastnets/0x1' not available on interface eth1 Oct 31 15:24:53.451730: | netlink: enabling tunnel mode Oct 31 15:24:53.451734: | XFRM: adding IPsec SA with reqid 16389 Oct 31 15:24:53.451740: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:53.451743: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:53.451794: | netlink response for Add SA esp.1eaca114@192.1.3.33 included non-error error Oct 31 15:24:53.451802: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#0 mode=1 Oct 31 15:24:53.451806: | setup_half_ipsec_sa() is installing inbound eroute Oct 31 15:24:53.451808: | setup_half_ipsec_sa() before proto 50 Oct 31 15:24:53.451810: | setup_half_ipsec_sa() after proto 50 Oct 31 15:24:53.451813: | setup_half_ipsec_sa() calling raw_eroute backwards (i.e., inbound) Oct 31 15:24:53.451816: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:53.451824: | add inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 using reqid 16389 (raw_eroute) proto=50 Oct 31 15:24:53.451828: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:53.451857: | raw_eroute result=success Oct 31 15:24:53.451861: | set up incoming SA, ref=0/0 Oct 31 15:24:53.451863: | sr for #2: unrouted Oct 31 15:24:53.451864: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:24:53.451866: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:53.451868: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.451870: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:53.451871: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.451873: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:53.451875: | route owner of "north-eastnets/0x1" unrouted: NULL; eroute owner: NULL Oct 31 15:24:53.451877: | route_and_eroute with c: north-eastnets/0x1 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Oct 31 15:24:53.451879: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:53.451885: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.0@192.1.2.23 using reqid 16389 (raw_eroute) proto=50 Oct 31 15:24:53.451887: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:53.451896: | raw_eroute result=success Oct 31 15:24:53.451898: | running updown command "ipsec _updown" for verb up Oct 31 15:24:53.451900: | command executing up-client Oct 31 15:24:53.451903: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:53.451910: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:53.451931: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' 
PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED=... Oct 31 15:24:53.451933: | popen cmd is 1140 chars long Oct 31 15:24:53.451935: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1': Oct 31 15:24:53.451936: | cmd( 80): PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_N: Oct 31 15:24:53.451938: | cmd( 160):EXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT=: Oct 31 15:24:53.451939: | cmd( 240):'192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255: Oct 31 15:24:53.451940: | cmd( 320):.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE: Oct 31 15:24:53.451944: | cmd( 400):='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.: Oct 31 15:24:53.451945: | cmd( 480):0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' P: Oct 31 15:24:53.451947: | cmd( 560):LUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' P: Oct 31 15:24:53.451948: | cmd( 640):LUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+: Oct 31 15:24:53.451949: | cmd( 720):IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PL: Oct 31 15:24:53.451951: | cmd( 800):UTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS: Oct 31 15:24:53.451953: | cmd( 880):_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLU: Oct 31 15:24:53.451958: | cmd( 960):TO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' V: Oct 31 15:24:53.451961: | cmd(1040):TI_IFACE='' VTI_ROUTING='no' 
VTI_SHARED='no' SPI_IN=0x1c196703 SPI_OUT=0x1eaca11: Oct 31 15:24:53.451963: | cmd(1120):4 ipsec _updown 2>&1: Oct 31 15:24:53.462279: | route_and_eroute: firewall_notified: true Oct 31 15:24:53.462298: | running updown command "ipsec _updown" for verb prepare Oct 31 15:24:53.462303: | command executing prepare-client Oct 31 15:24:53.462310: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:53.462328: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:53.462355: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_C... 
Oct 31 15:24:53.462358: | popen cmd is 1145 chars long Oct 31 15:24:53.462360: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Oct 31 15:24:53.462361: | cmd( 80):/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PL: Oct 31 15:24:53.462363: | cmd( 160):UTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CL: Oct 31 15:24:53.462364: | cmd( 240):IENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.25: Oct 31 15:24:53.462365: | cmd( 320):5.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA: Oct 31 15:24:53.462367: | cmd( 400):_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192: Oct 31 15:24:53.462368: | cmd( 480):.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255: Oct 31 15:24:53.462369: | cmd( 560):.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xf: Oct 31 15:24:53.462371: | cmd( 640):rm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PF: Oct 31 15:24:53.462372: | cmd( 720):S+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANEN: Oct 31 15:24:53.462374: | cmd( 800):T' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEE: Oct 31 15:24:53.462379: | cmd( 880):R_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0: Oct 31 15:24:53.462382: | cmd( 960):' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES=: Oct 31 15:24:53.462388: | cmd(1040):'0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1c196703 SPI_OUT=0x1e: Oct 31 15:24:53.462390: | cmd(1120):aca114 ipsec _updown 2>&1: Oct 31 15:24:53.475022: | running updown command "ipsec _updown" for verb route Oct 31 15:24:53.475047: | command executing route-client Oct 31 15:24:53.475057: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:53.475076: | 
get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:53.475123: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFI... 
Oct 31 15:24:53.475128: | popen cmd is 1143 chars long Oct 31 15:24:53.475131: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Oct 31 15:24:53.475134: | cmd( 80):x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUT: Oct 31 15:24:53.475137: | cmd( 160):O_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIE: Oct 31 15:24:53.475140: | cmd( 240):NT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.: Oct 31 15:24:53.475143: | cmd( 320):255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_T: Oct 31 15:24:53.475146: | cmd( 400):YPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0: Oct 31 15:24:53.475149: | cmd( 480):.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0: Oct 31 15:24:53.475151: | cmd( 560):' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm: Oct 31 15:24:53.475154: | cmd( 640):' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+: Oct 31 15:24:53.475157: | cmd( 720):UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT': Oct 31 15:24:53.475159: | cmd( 800): PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_: Oct 31 15:24:53.475162: | cmd( 880):DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' : Oct 31 15:24:53.475164: | cmd( 960):PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0: Oct 31 15:24:53.475167: | cmd(1040):' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1c196703 SPI_OUT=0x1eac: Oct 31 15:24:53.475170: | cmd(1120):a114 ipsec _updown 2>&1: Oct 31 15:24:53.520035: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520058: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:53.520063: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520071: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520086: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520101: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520116: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520127: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520136: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520148: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520159: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520174: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520190: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520712: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520733: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520752: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520758: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520764: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520771: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.520998: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:53.521011: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.521016: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.521020: "north-eastnets/0x1" #2: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.524498: | route_and_eroute: instance "north-eastnets/0x1", setting eroute_owner {spd=0x561a1d278108,sr=0x561a1d278108} to #2 (was #0) (newest_ipsec_sa=#0) Oct 31 15:24:53.524710: | inR2: instance north-eastnets/0x1[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Oct 31 15:24:53.524722: | #2 spent 2.07 (74.5) milliseconds in processing: Initiator: process IKE_AUTH response in v2_dispatch() Oct 31 15:24:53.524729: | [RE]START processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.524732: | #2 complete_v2_state_transition() PARENT_I2->ESTABLISHED_CHILD_SA with status STF_OK; .st_v2_transition=NULL Oct 31 15:24:53.524734: | transitioning from state STATE_PARENT_I2 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:53.524736: | Message ID: updating counters for #2 Oct 31 15:24:53.524745: | Message ID: CHILD #1.#2 clearing EVENT_RETRANSMIT as response received: ike.initiator.sent=1 ike.initiator.recv=0 ike.initiator.last_contact=744567.808088 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.524751: | #2 requesting EVENT_RETRANSMIT-pe@0x561a1d279238 be deleted Oct 31 15:24:53.524757: | libevent_free: delref ptr-libevent@0x561a1d281d48 Oct 31 15:24:53.524760: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x561a1d279238 Oct 31 15:24:53.524763: | #2 STATE_PARENT_I2: retransmits: cleared Oct 31 15:24:53.524771: | Message ID: CHILD #1.#2 updating initiator received message response 1: ike.initiator.sent=1 
ike.initiator.recv=0->1 ike.initiator.last_contact=744567.808088->744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=1->-1 child.wip.responder=-1 Oct 31 15:24:53.524779: | Message ID: CHILD #1.#2 skipping update_send as nothing to send: ike.initiator.sent=1 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.524786: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=1 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:53.524792: | child state #2: PARENT_I2(open IKE SA) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:24:53.524795: | pstats #2 ikev2.child established Oct 31 15:24:53.524797: | announcing the state transition Oct 31 15:24:53.524808: "north-eastnets/0x1" #2: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] Oct 31 15:24:53.524823: | NAT-T: encaps is 'auto' Oct 31 15:24:53.524830: "north-eastnets/0x1" #2: IPsec SA established tunnel mode {ESP=>0x1c196703 <0x1eaca114 xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive} Oct 31 15:24:53.524835: | releasing #2's fd-fd@0x561a1d277b38 because IKEv2 transitions finished Oct 31 15:24:53.524839: | delref fd@0x561a1d277b38(4->3) (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:53.524842: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:53.524845: | unpending #2's IKE SA #1 Oct 31 15:24:53.524848: | unpending state #1 connection "north-eastnets/0x1" Oct 31 15:24:53.524852: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x1" Oct 31 15:24:53.524854: | delref fd@0x561a1d277b38(3->2) (in 
delete_pending() at pending.c:218) Oct 31 15:24:53.524856: | removing pending policy for no connection {0x561a1d277cb8} Oct 31 15:24:53.524858: | FOR_EACH_STATE_... in find_pending_phase2 Oct 31 15:24:53.524862: | newref alloc logger@0x561a1d277d98(0->1) (in new_state() at state.c:576) Oct 31 15:24:53.524864: | addref fd@0x561a1d277b38(2->3) (in new_state() at state.c:577) Oct 31 15:24:53.524866: | creating state object #3 at 0x561a1d285198 Oct 31 15:24:53.524868: | State DB: adding IKEv2 state #3 in UNDEFINED Oct 31 15:24:53.524871: | pstats #3 ikev2.child started Oct 31 15:24:53.524873: | duplicating state object #1 "north-eastnets/0x2" as #3 for IPSEC SA Oct 31 15:24:53.524877: | #3 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:53.524882: | Message ID: CHILD #1.#3 initializing (CHILD SA): ike.initiator.sent=1 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:53.524885: | child state #3: UNDEFINED(ignore) => V2_NEW_CHILD_I0(established IKE SA) Oct 31 15:24:53.524887: | #3.st_v2_transition NULL -> V2_NEW_CHILD_I0->V2_NEW_CHILD_I1 (in new_v2_child_state() at state.c:1666) Oct 31 15:24:53.524891: | suspend processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:53.524893: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:53.524896: | create child proposal's DH changed from no-PFS to MODP2048, flushing Oct 31 15:24:53.524898: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x2 (ESP/AH initiator emitting proposals) Oct 31 15:24:53.524905: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... 
Oct 31 15:24:53.524915: | ... ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:53.524920: "north-eastnets/0x2": local ESP/AH proposals (ESP/AH initiator emitting proposals): Oct 31 15:24:53.524926: "north-eastnets/0x2": 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:53.524932: | #3 schedule initiate IPsec SA RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 using IKE# 1 pfs=MODP3072 Oct 31 15:24:53.524937: | event_schedule: newref EVENT_v2_INITIATE_CHILD-pe@0x561a1d269e98 Oct 31 15:24:53.524939: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #3 Oct 31 15:24:53.524942: | libevent_malloc: newref ptr-libevent@0x561a1d2828b8 size 128 Oct 31 15:24:53.524948: | RESET processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:6035) Oct 31 15:24:53.524954: | delete from pending Child SA with 192.1.2.23 "north-eastnets/0x2" Oct 31 15:24:53.524957: | delref fd@0x561a1d277b38(3->2) (in delete_pending() at pending.c:218) Oct 31 15:24:53.524958: | removing pending policy for no connection {0x561a1d277b78} Oct 31 15:24:53.524960: | releasing #1's fd-fd@0x561a1d277b38 because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:24:53.524962: | delref fd@0x561a1d277b38(2->1) (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:53.524964: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:53.524966: | #2 will start re-keying in 28048 seconds with margin of 752 seconds (attempting re-key) Oct 31 15:24:53.524968: | state #2 has no .st_event to delete Oct 31 15:24:53.524970: | event_schedule: newref EVENT_SA_REKEY-pe@0x561a1d279218 Oct 31 15:24:53.524972: | inserting event EVENT_SA_REKEY, timeout in 28048 seconds for #2 Oct 31 15:24:53.524973: | libevent_malloc: newref ptr-libevent@0x561a1d282788 size 128 Oct 31 15:24:53.524976: | processing: STOP state #0 (in 
ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:53.524980: | #1 spent 2.16 (74.6) milliseconds Oct 31 15:24:53.524982: | #1 spent 2.65 (75.1) milliseconds in ikev2_process_packet() Oct 31 15:24:53.524984: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:53.524986: | delref mdp@0x561a1d27f068(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.524988: | delref logger@0x561a1d27ac38(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.524990: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.524992: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.524996: | spent 2.67 (75.1) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:53.525007: | timer_event_cb: processing event@0x561a1d269e98 Oct 31 15:24:53.525009: | handling event EVENT_v2_INITIATE_CHILD for child state #3 Oct 31 15:24:53.525011: | libevent_free: delref ptr-libevent@0x561a1d2828b8 Oct 31 15:24:53.525013: | free_event_entry: delref EVENT_v2_INITIATE_CHILD-pe@0x561a1d269e98 Oct 31 15:24:53.525016: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:53.525021: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:53.525023: | addref fd@0x561a1d277b38(1->2) (in clone_logger() at log.c:810) Oct 31 15:24:53.525024: | newref clone logger@0x561a1d2822a8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:53.525027: | job 4 for #3: Child Initiator KE and nonce ni (build KE and nonce): adding job to queue Oct 31 15:24:53.525028: | state #3 has no .st_event to delete Oct 31 15:24:53.525030: | #3 STATE_V2_NEW_CHILD_I0: retransmits: cleared Oct 31 15:24:53.525032: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:53.525033: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Oct 31 15:24:53.525035: | libevent_malloc: newref ptr-libevent@0x561a1d2828b8 size 128 Oct 31 15:24:53.525043: | 
#3 spent 0.0338 (0.0339) milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Oct 31 15:24:53.525048: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:447) Oct 31 15:24:53.525051: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.525052: | job 4 for #3: Child Initiator KE and nonce ni (build KE and nonce): helper 4 starting job Oct 31 15:24:53.525056: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.525060: | spent 0.00498 (0.00471) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.525063: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.525066: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.525070: | spent 0.00361 (0.00358) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.525073: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.525076: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.525082: | spent 0.00519 (0.00521) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.528559: | "north-eastnets/0x2" #3: spent 3.38 (3.5) milliseconds in helper 4 processing job 4 for state #3: Child Initiator KE and nonce ni (pcr) Oct 31 15:24:53.528575: | job 4 for #3: Child Initiator KE and nonce ni (build KE and nonce): helper thread 4 sending result back to state Oct 31 15:24:53.528578: | scheduling resume sending helper answer back to state for #3 Oct 31 15:24:53.528582: | libevent_malloc: newref ptr-libevent@0x7f704c006578 size 128 Oct 31 15:24:53.528590: | libevent_realloc: delref ptr-libevent@0x561a1d238be8 Oct 31 15:24:53.528592: | libevent_realloc: newref ptr-libevent@0x561a1d279638 size 128 Oct 31 15:24:53.528600: | helper thread 4 has nothing to do Oct 31 15:24:53.528612: | processing resume sending helper answer back to state for #3 Oct 31 15:24:53.528621: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:53.528625: | unsuspending #3 
MD (nil) Oct 31 15:24:53.528628: | job 4 for #3: Child Initiator KE and nonce ni (build KE and nonce): processing response from helper 4 Oct 31 15:24:53.528631: | job 4 for #3: Child Initiator KE and nonce ni (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:53.528635: | ikev2_child_outI_continue() for #3 STATE_V2_NEW_CHILD_I0 Oct 31 15:24:53.528640: | DH secret MODP3072@0x7f704c007128: transferring ownership from helper KE to state #3 Oct 31 15:24:53.528643: | adding CHILD SA #3 to IKE SA #1 message initiator queue Oct 31 15:24:53.528653: | Message ID: CHILD #1.#3 wakeing IKE SA for next initiator (unack 0): ike.initiator.sent=1 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.528657: | scheduling callback v2_msgid_schedule_next_initiator (#1) Oct 31 15:24:53.528660: | libevent_malloc: newref ptr-libevent@0x561a1d279538 size 128 Oct 31 15:24:53.528667: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.528672: | #3 complete_v2_state_transition() V2_NEW_CHILD_I0->V2_NEW_CHILD_I1 with status STF_SUSPEND Oct 31 15:24:53.528675: | no MD to suspend Oct 31 15:24:53.528679: | delref logger@0x561a1d2822a8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:53.528682: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.528686: | delref fd@0x561a1d277b38(2->1) (in free_logger() at log.c:854) Oct 31 15:24:53.528689: | resume sending helper answer back to state for #3 suppresed complete_v2_state_transition() Oct 31 15:24:53.528693: | delref mdp@NULL (in resume_handler() at server.c:743) Oct 31 15:24:53.528700: | #3 spent 0.0725 (0.0728) milliseconds in resume sending helper answer back to state Oct 31 15:24:53.528706: | stop processing: state #3 connection 
"north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:53.528710: | libevent_free: delref ptr-libevent@0x7f704c006578 Oct 31 15:24:53.528716: | libevent_free: delref ptr-libevent@0x561a1d279538 Oct 31 15:24:53.528719: | processing callback v2_msgid_schedule_next_initiator for #1 Oct 31 15:24:53.528725: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:828) Oct 31 15:24:53.528733: | Message ID: CHILD #1.#3 resuming SA using IKE SA (unack 0): ike.initiator.sent=1 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.528739: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:675) Oct 31 15:24:53.528744: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:675) Oct 31 15:24:53.528751: | unsuspending #3 MD (nil) Oct 31 15:24:53.528758: | opening output PBS reply packet Oct 31 15:24:53.528762: | **emit ISAKMP Message: Oct 31 15:24:53.528768: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.528773: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.528775: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:53.528778: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.528780: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:24:53.528783: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:53.528786: | Message ID: 2 (00 00 00 02) Oct 31 15:24:53.528789: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:53.528792: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:53.528795: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.528797: | flags: none (0x0) Oct 31 15:24:53.528800: | 
next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:53.528802: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.528805: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:53.528828: | netlink_get_spi: allocated 0x45971e75 for esp.0@192.1.3.33 Oct 31 15:24:53.528832: | Emitting ikev2_proposals ... Oct 31 15:24:53.528836: | ****emit IKEv2 Security Association Payload: Oct 31 15:24:53.528839: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.528841: | flags: none (0x0) Oct 31 15:24:53.528845: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:53.528847: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.528853: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.528856: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.528860: | prop #: 1 (01) Oct 31 15:24:53.528863: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:53.528866: | spi size: 4 (04) Oct 31 15:24:53.528869: | # transforms: 4 (04) Oct 31 15:24:53.528873: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:53.528877: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:24:53.528880: | our spi: 45 97 1e 75 Oct 31 15:24:53.528883: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.528886: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528889: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.528892: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.528895: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 
Transform Substructure Payload'.'last transform' Oct 31 15:24:53.528898: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:53.528901: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.528905: | length/value: 128 (00 80) Oct 31 15:24:53.528908: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:53.528912: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.528914: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528917: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.528920: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:53.528924: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528927: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.528929: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.528934: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.528937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528940: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:53.528943: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:53.528946: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528949: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.528953: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.528956: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:53.528958: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:53.528961: | IKEv2 
transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:53.528964: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:53.528967: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.528969: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:53.528973: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:53.528976: | emitting length of IKEv2 Proposal Substructure Payload: 48 Oct 31 15:24:53.528979: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:53.528982: | emitting length of IKEv2 Security Association Payload: 52 Oct 31 15:24:53.528984: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:53.528988: | ****emit IKEv2 Nonce Payload: Oct 31 15:24:53.528990: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.528993: | flags: none (0x0) Oct 31 15:24:53.528997: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:53.528999: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.529002: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:53.529005: | IKEv2 nonce: Oct 31 15:24:53.529007: | 82 17 16 08 4f 7d a8 c8 8d a8 e5 4e ba b2 31 4f Oct 31 15:24:53.529010: | fa c9 3e d1 7e 61 77 2a 99 ff 5c 69 0e 03 61 7d Oct 31 15:24:53.529013: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:53.529017: | ****emit IKEv2 Key Exchange Payload: Oct 31 15:24:53.529020: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.529022: | 
flags: none (0x0) Oct 31 15:24:53.529025: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:53.529029: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:53.529031: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.529035: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:24:53.529038: | ikev2 g^x:
Oct 31 15:24:53.529104: | emitting length of IKEv2 Key Exchange Payload: 392 Oct 31 15:24:53.529109: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:53.529112: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.529115: | flags: none (0x0) Oct 31 15:24:53.529119: | number of TS: 1 (01) Oct 31 15:24:53.529122: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:24:53.529125: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.529129: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:53.529132: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.529135: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.529138: | start port: 0 (00 00) Oct 31 15:24:53.529142: | end port: 65535 (ff ff) Oct 31 15:24:53.529146: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:53.529150: | IP start: c0 00 03 00 Oct 31 15:24:53.529154: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:53.529157: | IP end: c0 00 03 ff Oct 31 15:24:53.529160: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:53.529163: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:24:53.529166: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:53.529169: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.529172: | flags: none (0x0) Oct 31 15:24:53.529175: | number of TS: 1 (01) Oct 31 15:24:53.529178: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator -
Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:24:53.529181: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:53.529184: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:53.529187: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.529189: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.529193: | start port: 0 (00 00) Oct 31 15:24:53.529197: | end port: 65535 (ff ff) Oct 31 15:24:53.529209: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:53.529213: | IP start: c0 00 16 00 Oct 31 15:24:53.529216: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:53.529220: | IP end: c0 00 16 ff Oct 31 15:24:53.529223: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:53.529225: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:24:53.529229: | Initiator child policy is tunnel mode, NOT sending v2N_USE_TRANSPORT_MODE Oct 31 15:24:53.529237: | adding 16 bytes of padding (including 1 byte padding-length) Oct 31 15:24:53.529241: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529244: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529247: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529250: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529253: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529256: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529259: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529262: | emitting 1 0x07 repeated bytes of padding and length into 
IKEv2 Encryption Payload Oct 31 15:24:53.529265: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529268: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529271: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529275: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529278: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529281: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529284: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529287: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:53.529289: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:53.529292: | emitting length of IKEv2 Encryption Payload: 580 Oct 31 15:24:53.529294: | emitting length of ISAKMP Message: 608 Oct 31 15:24:53.529335: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.529341: | #3 complete_v2_state_transition() V2_NEW_CHILD_I0->V2_NEW_CHILD_I1 with status STF_OK Oct 31 15:24:53.529345: | transitioning from state STATE_V2_NEW_CHILD_I0 to state STATE_V2_NEW_CHILD_I1 Oct 31 15:24:53.529348: | Message ID: updating counters for #3 Oct 31 15:24:53.529351: | Message ID: IKE #1 skipping update_recv as MD is fake Oct 31 15:24:53.529357: | Message ID: CHILD #1.#3 scheduling EVENT_RETRANSMIT: ike.initiator.sent=2 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=2 child.wip.responder=-1 Oct 31 15:24:53.529360: | 
event_schedule: newref EVENT_RETRANSMIT-pe@0x561a1d27f488 Oct 31 15:24:53.529363: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #3 Oct 31 15:24:53.529366: | libevent_malloc: newref ptr-libevent@0x561a1d282a68 size 128 Oct 31 15:24:53.529371: | #3 STATE_V2_NEW_CHILD_I0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744567.962156 Oct 31 15:24:53.529375: | Message ID: CHILD #1.#3 updating initiator sent message request 2: ike.initiator.sent=1->2 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1->2 child.wip.responder=-1 Oct 31 15:24:53.529378: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=2 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:53.529381: | child state #3: V2_NEW_CHILD_I0(established IKE SA) => V2_NEW_CHILD_I1(established IKE SA) Oct 31 15:24:53.529384: | announcing the state transition Oct 31 15:24:53.529387: "north-eastnets/0x2" #3: sent CREATE_CHILD_SA request for new IPsec SA Oct 31 15:24:53.529401: | sending 608 bytes for STATE_V2_NEW_CHILD_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1)
Oct 31 15:24:53.529500: | sent 1 messages Oct 31 15:24:53.529503: | checking that a retransmit timeout_event was already Oct 31 15:24:53.529505: | state #3 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:53.529508: | libevent_free: delref ptr-libevent@0x561a1d2828b8 Oct 31 15:24:53.529510: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:53.529512: | delref mdp@NULL (in initiate_next() at ikev2_msgid.c:705) Oct 31 15:24:53.529515: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:707) Oct 31 15:24:53.529518: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:707) Oct 31 15:24:53.529520: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:832) Oct 31 15:24:53.529526: | spent 0.774 (0.802) milliseconds in callback v2_msgid_schedule_next_initiator Oct 31 15:24:53.545079: | spent 0.00208 (0.00203) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:53.545098: | newref struct msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.545102: | newref alloc logger@0x561a1d2822a8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:53.545107: | *received 608 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:53.545162: | **parse ISAKMP Message: Oct 31 15:24:53.545165: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:53.545168: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:53.545170: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:53.545171: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:53.545173: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:24:53.545175: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:53.545179: | Message ID: 2 (00 00 00 02) Oct 31 15:24:53.545181: | length: 608 (00 00 02 60) Oct 31 15:24:53.545183: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Oct 31 15:24:53.545185: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA response Oct 31 15:24:53.545189: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:53.545194: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:53.545197: | State DB: found IKEv2 state #3 in V2_NEW_CHILD_I1 (find_v2_sa_by_initiator_wip) Oct 31 15:24:53.545203: | #3 is idle Oct 31 15:24:53.545206: | #3 idle Oct 31 15:24:53.545209: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:53.545212: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31
15:24:53.545213: | unpacking clear payload Oct 31 15:24:53.545215: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:53.545218: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:53.545219: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:53.545221: | flags: none (0x0) Oct 31 15:24:53.545223: | length: 580 (02 44) Oct 31 15:24:53.545224: | processing payload: ISAKMP_NEXT_v2SK (len=576) Oct 31 15:24:53.545226: | #3 in state V2_NEW_CHILD_I1: sent CREATE_CHILD_SA request for new IPsec SA Oct 31 15:24:53.545250: | authenticator matched Oct 31 15:24:53.545258: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Oct 31 15:24:53.545260: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:53.545261: | **parse IKEv2 Security Association Payload: Oct 31 15:24:53.545263: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:53.545264: | flags: none (0x0) Oct 31 15:24:53.545266: | length: 52 (00 34) Oct 31 15:24:53.545268: | processing payload: ISAKMP_NEXT_v2SA (len=48) Oct 31 15:24:53.545269: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:53.545271: | **parse IKEv2 Nonce Payload: Oct 31 15:24:53.545272: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:53.545274: | flags: none (0x0) Oct 31 15:24:53.545275: | length: 36 (00 24) Oct 31 15:24:53.545277: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:53.545278: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:53.545280: | **parse IKEv2 Key Exchange Payload: Oct 31 15:24:53.545281: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:24:53.545283: | flags: none (0x0) Oct 31 15:24:53.545284: | length: 392 (01 88) Oct 31 15:24:53.545286: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:53.545287: | processing payload: ISAKMP_NEXT_v2KE (len=384) Oct 31 15:24:53.545289: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:24:53.545290: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:53.545292: | next 
payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:24:53.545293: | flags: none (0x0) Oct 31 15:24:53.545295: | length: 24 (00 18) Oct 31 15:24:53.545297: | number of TS: 1 (01) Oct 31 15:24:53.545298: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:24:53.545300: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:24:53.545301: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:53.545303: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:53.545304: | flags: none (0x0) Oct 31 15:24:53.545306: | length: 24 (00 18) Oct 31 15:24:53.545307: | number of TS: 1 (01) Oct 31 15:24:53.545309: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:24:53.545310: | selected state microcode Process CREATE_CHILD_SA IPsec SA Response Oct 31 15:24:53.545314: | #1 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:24:53.545316: | forcing ST #3 to CHILD #1.#3 in FSM processor Oct 31 15:24:53.545319: | calling processor Process CREATE_CHILD_SA IPsec SA Response Oct 31 15:24:53.545325: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA initiator accepting remote ESP/AH proposal): 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:53.545328: | comparing remote proposals against CREATE_CHILD_SA initiator accepting remote ESP/AH proposal 1 local proposals Oct 31 15:24:53.545330: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:53.545332: | local proposal 1 type PRF has 0 transforms Oct 31 15:24:53.545333: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:53.545335: | local proposal 1 type DH has 1 transforms Oct 31 15:24:53.545336: | local proposal 1 type ESN has 1 transforms Oct 31 15:24:53.545338: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Oct 31 15:24:53.545341: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:53.545342: | last proposal: 
v2_PROPOSAL_LAST (0x0) Oct 31 15:24:53.545344: | length: 48 (00 30) Oct 31 15:24:53.545346: | prop #: 1 (01) Oct 31 15:24:53.545347: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:53.545349: | spi size: 4 (04) Oct 31 15:24:53.545351: | # transforms: 4 (04) Oct 31 15:24:53.545353: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:53.545354: | remote SPI Oct 31 15:24:53.545356: | ad 7c bd fe Oct 31 15:24:53.545357: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Oct 31 15:24:53.545359: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.545361: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.545363: | length: 12 (00 0c) Oct 31 15:24:53.545364: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:53.545366: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:53.545368: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:53.545369: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:53.545371: | length/value: 128 (00 80) Oct 31 15:24:53.545374: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:53.545376: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.545377: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.545379: | length: 8 (00 08) Oct 31 15:24:53.545380: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:53.545382: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:53.545384: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Oct 31 15:24:53.545386: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.545387: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:53.545389: | length: 8 (00 08) Oct 31 15:24:53.545390: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:53.545392: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) 
Oct 31 15:24:53.545394: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:24:53.545395: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:53.545397: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:53.545398: | length: 8 (00 08) Oct 31 15:24:53.545400: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:53.545401: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:53.545403: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:24:53.545406: | remote proposal 1 proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Oct 31 15:24:53.545409: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Oct 31 15:24:53.545410: | remote proposal 1 matches local proposal 1 Oct 31 15:24:53.545412: | remote accepted the proposal 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Oct 31 15:24:53.545416: | CREATE_CHILD_SA initiator accepting remote ESP/AH proposal ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED SPI=ad7cbdfe Oct 31 15:24:53.545418: | converting proposal to internal trans attrs Oct 31 15:24:53.545422: | updating #3's .st_oakley with preserved PRF, but why update? 
Oct 31 15:24:53.545425: | DH secret MODP3072@0x7f704c007128: transferring ownership from state #3 to helper DH Oct 31 15:24:53.545431: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:53.545433: | addref fd@0x561a1d277b38(1->2) (in clone_logger() at log.c:810) Oct 31 15:24:53.545435: | newref clone logger@0x561a1d2793d8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:53.545436: | job 5 for #3: ikev2 Child SA initiator pfs=yes (dh): adding job to queue Oct 31 15:24:53.545438: | state #3 has no .st_event to delete Oct 31 15:24:53.545440: | #3 requesting EVENT_RETRANSMIT-pe@0x561a1d27f488 be deleted Oct 31 15:24:53.545443: | libevent_free: delref ptr-libevent@0x561a1d282a68 Oct 31 15:24:53.545444: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x561a1d27f488 Oct 31 15:24:53.545446: | #3 STATE_V2_NEW_CHILD_I1: retransmits: cleared Oct 31 15:24:53.545448: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d269e98 Oct 31 15:24:53.545450: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Oct 31 15:24:53.545452: | libevent_malloc: newref ptr-libevent@0x561a1d2828b8 size 128 Oct 31 15:24:53.545461: | #3 spent 0.138 (0.138) milliseconds in processing: Process CREATE_CHILD_SA IPsec SA Response in v2_dispatch() Oct 31 15:24:53.545467: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.545470: | job 5 for #3: ikev2 Child SA initiator pfs=yes (dh): helper 5 starting job Oct 31 15:24:53.545471: | #3 complete_v2_state_transition() V2_NEW_CHILD_I1->ESTABLISHED_CHILD_SA with status STF_SUSPEND; .st_v2_transition=V2_NEW_CHILD_I0->V2_NEW_CHILD_I1 Oct 31 15:24:53.545483: | suspending state #3 and saving MD 0x561a1d2864c8 Oct 31 15:24:53.545487: | addref md@0x561a1d2864c8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:53.545489: | #3 is busy; has suspended MD 0x561a1d2864c8 Oct 31 15:24:53.545494: | stop processing: state 
#3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:53.545499: | #1 spent 0.422 (0.427) milliseconds in ikev2_process_packet() Oct 31 15:24:53.545502: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:53.545504: | delref mdp@0x561a1d2864c8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:53.545508: | spent 0.431 (0.436) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:53.546814: | "north-eastnets/0x2" #3: spent 1.33 (1.34) milliseconds in helper 5 processing job 5 for state #3: ikev2 Child SA initiator pfs=yes (dh) Oct 31 15:24:53.546822: | job 5 for #3: ikev2 Child SA initiator pfs=yes (dh): helper thread 5 sending result back to state Oct 31 15:24:53.546824: | scheduling resume sending helper answer back to state for #3 Oct 31 15:24:53.546826: | libevent_malloc: newref ptr-libevent@0x7f70500011c8 size 128 Oct 31 15:24:53.546832: | helper thread 5 has nothing to do Oct 31 15:24:53.546840: | processing resume sending helper answer back to state for #3 Oct 31 15:24:53.546847: | start processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:53.546850: | unsuspending #3 MD 0x561a1d2864c8 Oct 31 15:24:53.546852: | job 5 for #3: ikev2 Child SA initiator pfs=yes (dh): processing response from helper 5 Oct 31 15:24:53.546854: | job 5 for #3: ikev2 Child SA initiator pfs=yes (dh): calling continuation function 0x561a1cf227cb Oct 31 15:24:53.546856: | DH secret MODP3072@0x7f704c007128: transferring ownership from helper IKEv2 DH to state #3 Oct 31 15:24:53.546858: | ikev2_child_inR_continue() for #3 STATE_V2_NEW_CHILD_I1 Oct 31 15:24:53.546862: | TSi: parsing 1 traffic selectors Oct 31 15:24:53.546865: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:53.546867: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.546869: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.546871: | length: 16 
(00 10) Oct 31 15:24:53.546873: | start port: 0 (00 00) Oct 31 15:24:53.546875: | end port: 65535 (ff ff) Oct 31 15:24:53.546877: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:53.546878: | TS low Oct 31 15:24:53.546880: | c0 00 03 00 Oct 31 15:24:53.546881: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:53.546883: | TS high Oct 31 15:24:53.546884: | c0 00 03 ff Oct 31 15:24:53.546885: | TSi: parsed 1 traffic selectors Oct 31 15:24:53.546887: | TSr: parsing 1 traffic selectors Oct 31 15:24:53.546888: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:53.546890: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:53.546891: | IP Protocol ID: ALL (0x0) Oct 31 15:24:53.546893: | length: 16 (00 10) Oct 31 15:24:53.546895: | start port: 0 (00 00) Oct 31 15:24:53.546897: | end port: 65535 (ff ff) Oct 31 15:24:53.546898: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:53.546899: | TS low Oct 31 15:24:53.546901: | c0 00 16 00 Oct 31 15:24:53.546902: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:53.546903: | TS high Oct 31 15:24:53.546905: | c0 00 16 ff Oct 31 15:24:53.546906: | TSr: parsed 1 traffic selectors Oct 31 15:24:53.546911: | evaluating our conn="north-eastnets/0x2" I=192.0.3.0/24:0:0/0 R=192.0.22.0/24:0:0/0 to their: Oct 31 15:24:53.546914: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:53.546919: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:24:53.546921: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:53.546923: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:53.546925: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:53.546926: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:53.546929: | TSr[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:53.546933: | match address 
end->client=192.0.22.0/24 == TSr[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Oct 31 15:24:53.546934: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:53.546936: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:53.546937: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:53.546939: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:53.546941: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:53.546942: | found an acceptable TSi/TSr Traffic Selector Oct 31 15:24:53.546943: | printing contents struct traffic_selector Oct 31 15:24:53.546945: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:53.546946: | ipprotoid: 0 Oct 31 15:24:53.546948: | port range: 0-65535 Oct 31 15:24:53.546950: | ip range: 192.0.3.0-192.0.3.255 Oct 31 15:24:53.546951: | printing contents struct traffic_selector Oct 31 15:24:53.546953: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:53.546954: | ipprotoid: 0 Oct 31 15:24:53.546955: | port range: 0-65535 Oct 31 15:24:53.546958: | ip range: 192.0.22.0-192.0.22.255 Oct 31 15:24:53.546961: | integ=HMAC_SHA2_512_256: .key_size=64 encrypt=AES_CBC: .key_size=16 .salt_size=0 keymat_len=80 Oct 31 15:24:53.547019: | install_ipsec_sa() for #3: inbound and outbound Oct 31 15:24:53.547022: | could_route called for north-eastnets/0x2; kind=CK_PERMANENT that.has_client=yes oppo=no this.host_port=500 Oct 31 15:24:53.547023: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:53.547025: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.547027: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:53.547029: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.547031: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:53.547034: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Oct 31 15:24:53.547036: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:53.547038: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:53.547040: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:53.547042: | setting IPsec SA replay-window to 32 Oct 31 15:24:53.547044: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Oct 31 15:24:53.547046: | netlink: enabling tunnel mode Oct 31 15:24:53.547048: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:24:53.547049: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:53.547051: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:53.547105: | netlink response for Add SA esp.ad7cbdfe@192.1.2.23 included non-error error Oct 31 15:24:53.547108: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=0 owner=#0 mode=1 Oct 31 15:24:53.547110: | set up outgoing SA, ref=0/0 Oct 31 15:24:53.547111: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:53.547113: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:53.547115: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:53.547117: | setting IPsec SA replay-window to 32 Oct 31 15:24:53.547118: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Oct 31 15:24:53.547120: | netlink: enabling tunnel mode Oct 31 15:24:53.547121: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:24:53.547123: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:53.547124: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:53.547147: | netlink response for Add SA esp.45971e75@192.1.3.33 included non-error error Oct 31 15:24:53.547150: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#0 mode=1 Oct 31 15:24:53.547153: | setup_half_ipsec_sa() is installing inbound eroute Oct 31 15:24:53.547155: | setup_half_ipsec_sa() before proto 50 Oct 31 15:24:53.547156: | setup_half_ipsec_sa() after proto 50 Oct 31 15:24:53.547157: | setup_half_ipsec_sa() calling raw_eroute backwards (i.e., inbound) Oct 31 15:24:53.547160: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:53.547164: | add inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => tun.10000@192.1.3.33 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:24:53.547166: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:53.547187: | raw_eroute result=success Oct 31 15:24:53.547191: | set up incoming SA, ref=0/0 Oct 31 15:24:53.547192: | sr for #3: unrouted Oct 31 15:24:53.547194: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:24:53.547196: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:53.547204: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.547207: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:53.547209: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:53.547210: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:53.547212: | route owner of "north-eastnets/0x2" unrouted: NULL; eroute owner: NULL Oct 31 15:24:53.547215: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #3 Oct 31 15:24:53.547216: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:53.547221: | eroute_connection add eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:24:53.547223: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:53.547235: | raw_eroute result=success Oct 31 15:24:53.547238: | running updown command "ipsec _updown" for verb up Oct 31 15:24:53.547241: | command executing up-client Oct 31 15:24:53.547244: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:53.547251: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:53.547273: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' 
PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE... Oct 31 15:24:53.547277: | popen cmd is 1142 chars long Oct 31 15:24:53.547279: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2': Oct 31 15:24:53.547281: | cmd( 80): PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_N: Oct 31 15:24:53.547284: | cmd( 160):EXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT=: Oct 31 15:24:53.547286: | cmd( 240):'192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255: Oct 31 15:24:53.547288: | cmd( 320):.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE: Oct 31 15:24:53.547291: | cmd( 400):='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22: Oct 31 15:24:53.547293: | cmd( 480):.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0': Oct 31 15:24:53.547295: | cmd( 560): PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm': Oct 31 15:24:53.547297: | cmd( 640): PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+U: Oct 31 15:24:53.547299: | cmd( 720):P+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' : Oct 31 15:24:53.547301: | cmd( 800):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Oct 31 15:24:53.547303: | cmd( 880):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Oct 31 15:24:53.547305: | cmd( 960):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0': Oct 31 15:24:53.547307: | cmd(1040): VTI_IFACE='' VTI_ROUTING='no' 
VTI_SHARED='no' SPI_IN=0xad7cbdfe SPI_OUT=0x45971: Oct 31 15:24:53.547310: | cmd(1120):e75 ipsec _updown 2>&1: Oct 31 15:24:53.555484: | route_and_eroute: firewall_notified: true Oct 31 15:24:53.555498: | running updown command "ipsec _updown" for verb prepare Oct 31 15:24:53.555501: | command executing prepare-client Oct 31 15:24:53.555506: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:53.555520: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:53.555545: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM... 
Oct 31 15:24:53.555551: | popen cmd is 1147 chars long Oct 31 15:24:53.555553: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Oct 31 15:24:53.555555: | cmd( 80):/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PL: Oct 31 15:24:53.555557: | cmd( 160):UTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CL: Oct 31 15:24:53.555558: | cmd( 240):IENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.25: Oct 31 15:24:53.555560: | cmd( 320):5.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA: Oct 31 15:24:53.555561: | cmd( 400):_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192: Oct 31 15:24:53.555563: | cmd( 480):.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.2: Oct 31 15:24:53.555564: | cmd( 560):55.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=': Oct 31 15:24:53.555566: | cmd( 640):xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+: Oct 31 15:24:53.555567: | cmd( 720):PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMAN: Oct 31 15:24:53.555569: | cmd( 800):ENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_P: Oct 31 15:24:53.555570: | cmd( 880):EER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER=: Oct 31 15:24:53.555572: | cmd( 960):'0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTE: Oct 31 15:24:53.555573: | cmd(1040):S='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xad7cbdfe SPI_OUT=0x: Oct 31 15:24:53.555575: | cmd(1120):45971e75 ipsec _updown 2>&1: Oct 31 15:24:53.563438: | running updown command "ipsec _updown" for verb route Oct 31 15:24:53.563450: | command executing route-client Oct 31 15:24:53.563456: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:53.563469: | 
get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:53.563496: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CON... 
Oct 31 15:24:53.563498: | popen cmd is 1145 chars long Oct 31 15:24:53.563500: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0: Oct 31 15:24:53.563502: | cmd( 80):x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUT: Oct 31 15:24:53.563504: | cmd( 160):O_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIE: Oct 31 15:24:53.563506: | cmd( 240):NT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.: Oct 31 15:24:53.563507: | cmd( 320):255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_T: Oct 31 15:24:53.563509: | cmd( 400):YPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0: Oct 31 15:24:53.563515: | cmd( 480):.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255: Oct 31 15:24:53.563516: | cmd( 560):.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xf: Oct 31 15:24:53.563518: | cmd( 640):rm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PF: Oct 31 15:24:53.563520: | cmd( 720):S+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANEN: Oct 31 15:24:53.563521: | cmd( 800):T' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEE: Oct 31 15:24:53.563523: | cmd( 880):R_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0: Oct 31 15:24:53.563524: | cmd( 960):' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES=: Oct 31 15:24:53.563526: | cmd(1040):'0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0xad7cbdfe SPI_OUT=0x45: Oct 31 15:24:53.563528: | cmd(1120):971e75 ipsec _updown 2>&1: Oct 31 15:24:53.577170: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577221: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:53.577236: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577244: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577250: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577256: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577331: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577342: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577348: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577353: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577359: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577366: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577374: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577737: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577750: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577764: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577782: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577797: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577813: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577828: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:53.577844: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577862: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.577878: "north-eastnets/0x2" #3: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:53.581534: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x561a1d279d88,sr=0x561a1d279d88} to #3 (was #0) (newest_ipsec_sa=#0) Oct 31 15:24:53.581600: | inR2: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #0) (spd.eroute=#3) cloned from #1 Oct 31 15:24:53.581608: | delref logger@0x561a1d2793d8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:53.581610: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.581612: | delref fd@0x561a1d277b38(2->1) (in free_logger() at log.c:854) Oct 31 15:24:53.581622: | [RE]START processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:53.581625: | #3 complete_v2_state_transition() V2_NEW_CHILD_I1->ESTABLISHED_CHILD_SA with status STF_OK; .st_v2_transition=V2_NEW_CHILD_I0->V2_NEW_CHILD_I1 Oct 31 15:24:53.581627: | transitioning from state STATE_V2_NEW_CHILD_I1 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:53.581629: | Message ID: updating counters for #3 Oct 31 15:24:53.581637: | Message ID: CHILD #1.#3 XXX: no EVENT_RETRANSMIT to clear; suspect IKE->CHILD switch: ike.initiator.sent=2 ike.initiator.recv=1 ike.initiator.last_contact=744567.957535 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.581647: | Message ID: CHILD #1.#3 updating initiator received message response 2: ike.initiator.sent=2 ike.initiator.recv=1->2 ike.initiator.last_contact=744567.957535->744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 
ike.responder.last_contact=744567.793756 child.wip.initiator=2->-1 child.wip.responder=-1 Oct 31 15:24:53.581653: | Message ID: CHILD #1.#3 skipping update_send as nothing to send: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:53.581659: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:53.581663: | child state #3: V2_NEW_CHILD_I1(established IKE SA) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:24:53.581666: | pstats #3 ikev2.child established Oct 31 15:24:53.581669: | announcing the state transition Oct 31 15:24:53.581679: "north-eastnets/0x2" #3: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Oct 31 15:24:53.581691: | NAT-T: encaps is 'auto' Oct 31 15:24:53.581697: "north-eastnets/0x2" #3: IPsec SA established tunnel mode {ESP=>0xad7cbdfe <0x45971e75 xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Oct 31 15:24:53.581703: | releasing #3's fd-fd@0x561a1d277b38 because IKEv2 transitions finished Oct 31 15:24:53.581707: | delref fd@0x561a1d277b38(1->0) (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:53.581715: | freeref fd-fd@0x561a1d277b38 (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:53.581720: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:53.581723: | unpending #3's IKE SA #1 Oct 31 15:24:53.581726: | unpending state #1 connection "north-eastnets/0x2" Oct 31 15:24:53.581728: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:24:53.581731: | delref fd@NULL 
(in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:53.581733: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:53.581737: | #3 will start re-keying in 27838 seconds with margin of 962 seconds (attempting re-key) Oct 31 15:24:53.581740: | state #3 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:53.581745: | libevent_free: delref ptr-libevent@0x561a1d2828b8 Oct 31 15:24:53.581748: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d269e98 Oct 31 15:24:53.581752: | event_schedule: newref EVENT_SA_REKEY-pe@0x561a1d269e98 Oct 31 15:24:53.581754: | inserting event EVENT_SA_REKEY, timeout in 27838 seconds for #3 Oct 31 15:24:53.581758: | libevent_malloc: newref ptr-libevent@0x561a1d280228 size 128 Oct 31 15:24:53.581763: | delref mdp@0x561a1d2864c8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:53.581766: | delref logger@0x561a1d2822a8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:53.581768: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:53.581772: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:53.581782: | #3 spent 1.45 (34.9) milliseconds in resume sending helper answer back to state Oct 31 15:24:53.581788: | stop processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:53.581791: | libevent_free: delref ptr-libevent@0x7f70500011c8 Oct 31 15:24:53.581803: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.581808: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.581813: | spent 0.00462 (0.00444) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.581816: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.581819: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.581823: | spent 0.00311 (0.00306) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.581825: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.581828: | waitpid returned ECHILD (no child 
processes left) Oct 31 15:24:53.581832: | spent 0.00337 (0.00327) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.642652: | newref struct fd@0x561a1d277b38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.642666: | fd_accept: new fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.642680: | whack: status Oct 31 15:24:53.642922: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:24:53.642927: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:24:53.643033: | FOR_EACH_STATE_... in show_states (sort_states) Oct 31 15:24:53.643037: | FOR_EACH_STATE_... in sort_states Oct 31 15:24:53.643044: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:53.643058: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:53.643076: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:53.643082: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:53.643096: | delref fd@0x561a1d277b38(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.643101: | freeref fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.643107: | spent 0.463 (0.463) milliseconds in whack Oct 31 15:24:54.303425: | spent 0.00207 (0.00205) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:54.303442: | newref struct msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:54.303445: | newref alloc logger@0x561a1d27ac38(0->1) (in read_message() at demux.c:103) Oct 31 15:24:54.303451: | *received 454 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:54.303501: | **parse ISAKMP Message: Oct 31 15:24:54.303504: | initiator SPI: 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.303507: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:24:54.303509: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:54.303511: | ISAKMP version: 
IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:54.303513: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:54.303515: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:54.303517: | Message ID: 0 (00 00 00 00) Oct 31 15:24:54.303520: | length: 454 (00 00 01 c6) Oct 31 15:24:54.303522: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31 15:24:54.303525: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Oct 31 15:24:54.303528: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Oct 31 15:24:54.303530: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:54.303532: | ***parse IKEv2 Security Association Payload: Oct 31 15:24:54.303534: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:54.303536: | flags: none (0x0) Oct 31 15:24:54.303538: | length: 48 (00 30) Oct 31 15:24:54.303540: | processing payload: ISAKMP_NEXT_v2SA (len=44) Oct 31 15:24:54.303541: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:54.303543: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:24:54.303545: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:54.303546: | flags: none (0x0) Oct 31 15:24:54.303548: | length: 264 (01 08) Oct 31 15:24:54.303550: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:54.303552: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:24:54.303553: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:54.303555: | ***parse IKEv2 Nonce Payload: Oct 31 15:24:54.303556: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:54.303558: | flags: none (0x0) Oct 31 15:24:54.303560: | length: 36 (00 24) Oct 31 15:24:54.303561: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:54.303563: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:54.303565: | ***parse IKEv2 Notify Payload: Oct 31 15:24:54.303566: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:54.303568: | flags: none (0x0) Oct 31 
15:24:54.303570: | length: 8 (00 08) Oct 31 15:24:54.303571: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.303573: | SPI size: 0 (00) Oct 31 15:24:54.303575: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:54.303576: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:24:54.303578: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:54.303580: | ***parse IKEv2 Notify Payload: Oct 31 15:24:54.303582: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:54.303583: | flags: none (0x0) Oct 31 15:24:54.303585: | length: 14 (00 0e) Oct 31 15:24:54.303587: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.303588: | SPI size: 0 (00) Oct 31 15:24:54.303590: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:54.303591: | processing payload: ISAKMP_NEXT_v2N (len=6) Oct 31 15:24:54.303593: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:54.303596: | ***parse IKEv2 Notify Payload: Oct 31 15:24:54.303598: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:54.303599: | flags: none (0x0) Oct 31 15:24:54.303601: | length: 28 (00 1c) Oct 31 15:24:54.303603: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.303605: | SPI size: 0 (00) Oct 31 15:24:54.303606: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:54.303608: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:54.303609: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:54.303611: | ***parse IKEv2 Notify Payload: Oct 31 15:24:54.303612: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.303614: | flags: none (0x0) Oct 31 15:24:54.303616: | length: 28 (00 1c) Oct 31 15:24:54.303617: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.303619: | SPI size: 0 (00) Oct 31 15:24:54.303621: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:54.303622: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:54.303624: | 
DDOS disabled and no cookie sent, continuing Oct 31 15:24:54.303626: | looking for message matching transition from STATE_PARENT_R0 Oct 31 15:24:54.303628: | trying Respond to IKE_SA_INIT Oct 31 15:24:54.303630: | matched unencrypted message Oct 31 15:24:54.303634: | find_host_connection local=192.1.3.33:500 remote=192.1.2.23:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:24:54.303638: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Oct 31 15:24:54.303640: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:24:54.303643: | found policy = RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 (north-eastnets/0x2) Oct 31 15:24:54.303645: | find_next_host_connection returns "north-eastnets/0x2" Oct 31 15:24:54.303647: | found connection: "north-eastnets/0x2" with policy ECDSA+IKEV2_ALLOW Oct 31 15:24:54.303668: | newref alloc logger@0x561a1d27f488(0->1) (in new_state() at state.c:576) Oct 31 15:24:54.303670: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:54.303672: | creating state object #4 at 0x561a1d28c898 Oct 31 15:24:54.303674: | State DB: adding IKEv2 state #4 in UNDEFINED Oct 31 15:24:54.303681: | pstats #4 ikev2.ike started Oct 31 15:24:54.303684: | parent state #4: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Oct 31 15:24:54.303687: | #4.st_v2_transition NULL -> PARENT_R0->PARENT_R1 (in new_v2_ike_state() at state.c:620) Oct 31 15:24:54.303693: | Message ID: IKE #4 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744568.736485 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744568.736485 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:24:54.303695: | orienting north-eastnets/0x2 Oct 31 15:24:54.303698: | north-eastnets/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:24:54.303701: | north-eastnets/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:24:54.303703: | 
north-eastnets/0x2 doesn't match 192.0.3.254:4500 at all Oct 31 15:24:54.303705: | north-eastnets/0x2 doesn't match 192.0.3.254:500 at all Oct 31 15:24:54.303707: | north-eastnets/0x2 doesn't match 192.1.3.33:4500 at all Oct 31 15:24:54.303709: | oriented north-eastnets/0x2's this Oct 31 15:24:54.303714: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1758) Oct 31 15:24:54.303718: | Message ID: IKE #4 responder starting message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744568.736485 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744568.736485 ike.wip.initiator=-1 ike.wip.responder=-1->0 Oct 31 15:24:54.303719: | calling processor Respond to IKE_SA_INIT Oct 31 15:24:54.303724: | #4 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:24:54.303729: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA responder matching remote proposals): 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:54.303732: | comparing remote proposals against IKE responder 1 local proposals Oct 31 15:24:54.303735: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:54.303737: | local proposal 1 type PRF has 1 transforms Oct 31 15:24:54.303738: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:54.303739: | local proposal 1 type DH has 1 transforms Oct 31 15:24:54.303741: | local proposal 1 type ESN has 0 transforms Oct 31 15:24:54.303743: | local proposal 1 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:24:54.303746: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:54.303747: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:54.303749: | length: 44 (00 2c) Oct 31 15:24:54.303751: | prop #: 1 (01) Oct 31 15:24:54.303753: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:54.303754: | 
spi size: 0 (00) Oct 31 15:24:54.303756: | # transforms: 4 (04) Oct 31 15:24:54.303758: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Oct 31 15:24:54.303760: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.303762: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.303764: | length: 12 (00 0c) Oct 31 15:24:54.303765: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:54.303767: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:54.303769: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:54.303770: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:54.303772: | length/value: 256 (01 00) Oct 31 15:24:54.303775: | remote proposal 1 transform 0 (ENCR=AES_CBC_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:54.303776: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.303778: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.303780: | length: 8 (00 08) Oct 31 15:24:54.303781: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:54.303782: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:54.303785: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_256) matches local proposal 1 type 2 (PRF) transform 0 Oct 31 15:24:54.303786: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.303788: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.303789: | length: 8 (00 08) Oct 31 15:24:54.303791: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:54.303792: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:54.303794: | remote proposal 1 transform 2 (INTEG=HMAC_SHA2_256_128) matches local proposal 1 type 3 (INTEG) transform 0 Oct 31 15:24:54.303796: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.303797: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:54.303799: | length: 8 (00 08) Oct 31 15:24:54.303800: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Oct 31 15:24:54.303802: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:54.303804: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:24:54.303806: | remote proposal 1 proposed transforms: ENCR+PRF+INTEG+DH; matched: ENCR+PRF+INTEG+DH; unmatched: none Oct 31 15:24:54.303809: | comparing remote proposal 1 containing ENCR+PRF+INTEG+DH transforms to local proposal 1; required: ENCR+PRF+INTEG+DH; optional: none; matched: ENCR+PRF+INTEG+DH Oct 31 15:24:54.303811: | remote proposal 1 matches local proposal 1 Oct 31 15:24:54.303815: "north-eastnets/0x2" #4: proposal 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048[first-match] Oct 31 15:24:54.303818: | accepted IKE proposal ikev2_proposal: 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:54.303819: | converting proposal to internal trans attrs Oct 31 15:24:54.303825: | nat: IKE.SPIr is zero Oct 31 15:24:54.303833: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:54.303834: | natd_hash: icookie= Oct 31 15:24:54.303836: | 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.303837: | natd_hash: rcookie= Oct 31 15:24:54.303838: | 00 00 00 00 00 00 00 00 Oct 31 15:24:54.303840: | natd_hash: ip= Oct 31 15:24:54.303841: | c0 01 03 21 Oct 31 15:24:54.303842: | natd_hash: port= Oct 31 15:24:54.303844: | 01 f4 Oct 31 15:24:54.303845: | natd_hash: hash= Oct 31 15:24:54.303847: | 55 bb ff 2f 57 4f f1 1e cd 3f dd 32 38 c0 d1 cb Oct 31 15:24:54.303848: | dc e2 35 2f Oct 31 15:24:54.303849: | nat: IKE.SPIr is zero Oct 31 15:24:54.303853: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:54.303854: | natd_hash: icookie= Oct 31 15:24:54.303855: | 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.303857: | natd_hash: rcookie= Oct 31 15:24:54.303858: | 00 00 00 00 00 00 00 00 Oct 31 15:24:54.303859: | natd_hash: ip= Oct 31 
15:24:54.303861: | c0 01 02 17 Oct 31 15:24:54.303862: | natd_hash: port= Oct 31 15:24:54.303863: | 01 f4 Oct 31 15:24:54.303865: | natd_hash: hash= Oct 31 15:24:54.303866: | f9 e3 79 3b 97 04 ea 9f 37 17 a1 07 8d de e4 0c Oct 31 15:24:54.303867: | 5b ac 1e 40 Oct 31 15:24:54.303870: | NAT_TRAVERSAL encaps using auto-detect Oct 31 15:24:54.303871: | NAT_TRAVERSAL this end is NOT behind NAT Oct 31 15:24:54.303872: | NAT_TRAVERSAL that end is NOT behind NAT Oct 31 15:24:54.303874: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23 Oct 31 15:24:54.303876: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:54.303878: | hash algorithm identifier (network ordered) Oct 31 15:24:54.303879: | 00 02 Oct 31 15:24:54.303880: | received HASH_ALGORITHM_SHA2_256 which is allowed by local policy Oct 31 15:24:54.303882: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:54.303883: | hash algorithm identifier (network ordered) Oct 31 15:24:54.303885: | 00 03 Oct 31 15:24:54.303886: | received HASH_ALGORITHM_SHA2_384 which is allowed by local policy Oct 31 15:24:54.303887: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:24:54.303889: | hash algorithm identifier (network ordered) Oct 31 15:24:54.303890: | 00 04 Oct 31 15:24:54.303891: | received HASH_ALGORITHM_SHA2_512 which is allowed by local policy Oct 31 15:24:54.303895: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:54.303896: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:54.303898: | newref clone logger@0x561a1d26a1a8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:54.303900: | job 6 for #4: ikev2_inI1outR1 KE (build KE and nonce): adding job to queue Oct 31 15:24:54.303902: | state #4 has no .st_event to delete Oct 31 15:24:54.303904: | #4 STATE_PARENT_R0: retransmits: cleared Oct 31 15:24:54.303905: | event_schedule: newref 
EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27f9e8 Oct 31 15:24:54.303907: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #4 Oct 31 15:24:54.303909: | libevent_malloc: newref ptr-libevent@0x7f70500011c8 size 128 Oct 31 15:24:54.303918: | #4 spent 0.195 (0.195) milliseconds in processing: Respond to IKE_SA_INIT in v2_dispatch() Oct 31 15:24:54.303922: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.303925: | #4 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Oct 31 15:24:54.303927: | suspending state #4 and saving MD 0x561a1d2864c8 Oct 31 15:24:54.303929: | addref md@0x561a1d2864c8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:54.303930: | #4 is busy; has suspended MD 0x561a1d2864c8 Oct 31 15:24:54.303933: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1760) Oct 31 15:24:54.303932: | job 6 for #4: ikev2_inI1outR1 KE (build KE and nonce): helper 6 starting job Oct 31 15:24:54.303936: | #4 spent 0.519 (0.518) milliseconds in ikev2_process_packet() Oct 31 15:24:54.303983: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:54.303985: | delref mdp@0x561a1d2864c8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:54.303988: | spent 0.565 (0.57) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:54.305583: | "north-eastnets/0x2" #4: spent 1.58 (1.65) milliseconds in helper 6 processing job 6 for state #4: ikev2_inI1outR1 KE (pcr) Oct 31 15:24:54.305595: | job 6 for #4: ikev2_inI1outR1 KE (build KE and nonce): helper thread 6 sending result back to state Oct 31 15:24:54.305598: | scheduling resume sending helper answer back to state for #4 Oct 31 15:24:54.305600: | libevent_malloc: newref ptr-libevent@0x7f7044006108 size 128 Oct 31 15:24:54.305608: | helper thread 6 has nothing to do 
Oct 31 15:24:54.305617: | processing resume sending helper answer back to state for #4 Oct 31 15:24:54.305627: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:54.305632: | unsuspending #4 MD 0x561a1d2864c8 Oct 31 15:24:54.305637: | job 6 for #4: ikev2_inI1outR1 KE (build KE and nonce): processing response from helper 6 Oct 31 15:24:54.305642: | job 6 for #4: ikev2_inI1outR1 KE (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:54.305645: | ikev2_parent_inI1outR1_continue() for #4 STATE_PARENT_R0: calculated ke+nonce, sending R1 Oct 31 15:24:54.305652: | opening output PBS reply packet Oct 31 15:24:54.305656: | **emit ISAKMP Message: Oct 31 15:24:54.305661: | initiator SPI: 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.305666: | responder SPI: ea 07 65 54 73 03 b0 a3 Oct 31 15:24:54.305669: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:54.305672: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:54.305675: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:54.305678: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:54.305682: | Message ID: 0 (00 00 00 00) Oct 31 15:24:54.305684: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:54.305686: | emitting ikev2_proposal ... 
Oct 31 15:24:54.305688: | ***emit IKEv2 Security Association Payload: Oct 31 15:24:54.305690: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305691: | flags: none (0x0) Oct 31 15:24:54.305693: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:54.305695: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305698: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:54.305700: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:54.305702: | prop #: 1 (01) Oct 31 15:24:54.305703: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:54.305705: | spi size: 0 (00) Oct 31 15:24:54.305707: | # transforms: 4 (04) Oct 31 15:24:54.305708: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:54.305710: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.305712: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305713: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:54.305715: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:54.305716: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.305718: | ******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:54.305720: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:54.305722: | length/value: 256 (01 00) Oct 31 15:24:54.305724: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:54.305725: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.305729: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305731: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:54.305732: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:54.305734: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305736: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.305737: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.305739: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.305740: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305742: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:54.305743: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:54.305745: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305746: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.305748: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.305749: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.305751: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:54.305752: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:54.305753: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:54.305755: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.305756: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.305758: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.305760: | emitting length of IKEv2 Proposal Substructure Payload: 44 
Oct 31 15:24:54.305761: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:54.305762: | emitting length of IKEv2 Security Association Payload: 48 Oct 31 15:24:54.305764: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:54.305767: | DH secret MODP2048@0x7f7044006ba8: transferring ownership from helper KE to state #4 Oct 31 15:24:54.305769: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:24:54.305770: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305772: | flags: none (0x0) Oct 31 15:24:54.305773: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:54.305775: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:54.305776: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305779: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:24:54.305780: | ikev2 g^x:
Oct 31 15:24:54.305805: | emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:24:54.305807: | ***emit IKEv2 Nonce Payload: Oct 31 15:24:54.305808: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305810: | flags: none (0x0) Oct 31 15:24:54.305811: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:54.305813: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305815: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:54.305816: | IKEv2 nonce: Oct 31 15:24:54.305818: | 3a f3 f7 b2 21 83 28 26 0f 84 59 03 25 bc 2b b9 Oct 31 15:24:54.305819: | 24 2c 57 a5 4c e5 02 ef 8f 15 e3 af 09 9a f0 58 Oct 31 15:24:54.305820: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:54.305823: | adding a v2N Payload Oct 31 15:24:54.305825: | ***emit IKEv2 Notify Payload: Oct 31 15:24:54.305826: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305827: | flags: none (0x0) Oct 31 15:24:54.305829: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.305831: | SPI size: 0 (00) Oct 31 15:24:54.305832: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:54.305834: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:54.305835: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305837: | emitting length of IKEv2 Notify 
Payload: 8 Oct 31 15:24:54.305839: | adding a v2N Payload Oct 31 15:24:54.305840: | ***emit IKEv2 Notify Payload: Oct 31 15:24:54.305841: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305843: | flags: none (0x0) Oct 31 15:24:54.305844: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.305846: | SPI size: 0 (00) Oct 31 15:24:54.305847: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:54.305849: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:54.305850: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305852: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256 into IKEv2 Notify Payload Oct 31 15:24:54.305854: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256: 00 02 Oct 31 15:24:54.305856: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384 into IKEv2 Notify Payload Oct 31 15:24:54.305857: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384: 00 03 Oct 31 15:24:54.305859: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512 into IKEv2 Notify Payload Oct 31 15:24:54.305860: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512: 00 04 Oct 31 15:24:54.305862: | emitting length of IKEv2 Notify Payload: 14 Oct 31 15:24:54.305864: | NAT-Traversal support [enabled] add v2N payloads. 
Oct 31 15:24:54.305873: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:54.305875: | natd_hash: icookie= Oct 31 15:24:54.305876: | 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.305878: | natd_hash: rcookie= Oct 31 15:24:54.305879: | ea 07 65 54 73 03 b0 a3 Oct 31 15:24:54.305882: | natd_hash: ip= Oct 31 15:24:54.305883: | c0 01 03 21 Oct 31 15:24:54.305884: | natd_hash: port= Oct 31 15:24:54.305886: | 01 f4 Oct 31 15:24:54.305887: | natd_hash: hash= Oct 31 15:24:54.305889: | 24 a0 f8 26 fa ef 40 6c ee 5a fd 2b 51 48 ba 6e Oct 31 15:24:54.305890: | 7b 73 cd 1f Oct 31 15:24:54.305891: | adding a v2N Payload Oct 31 15:24:54.305893: | ***emit IKEv2 Notify Payload: Oct 31 15:24:54.305894: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305896: | flags: none (0x0) Oct 31 15:24:54.305897: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.305899: | SPI size: 0 (00) Oct 31 15:24:54.305900: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:54.305902: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:54.305903: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305905: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:54.305907: | Notify data: Oct 31 15:24:54.305908: | 24 a0 f8 26 fa ef 40 6c ee 5a fd 2b 51 48 ba 6e Oct 31 15:24:54.305909: | 7b 73 cd 1f Oct 31 15:24:54.305911: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:54.305915: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:54.305916: | natd_hash: icookie= Oct 31 15:24:54.305918: | 12 ba 70 b3 26 aa 96 82 Oct 31 15:24:54.305919: | natd_hash: rcookie= Oct 31 15:24:54.305920: | ea 07 65 54 73 03 b0 a3 Oct 31 15:24:54.305922: | natd_hash: ip= Oct 31 15:24:54.305923: | c0 01 02 17 Oct 31 15:24:54.305924: | natd_hash: port= Oct 31 15:24:54.305926: | 01 f4 Oct 31 15:24:54.305927: 
| natd_hash: hash= Oct 31 15:24:54.305928: | 78 f0 cc 08 e9 8c df 5a 5b c0 fd 3f d4 13 9f a5 Oct 31 15:24:54.305930: | 62 f0 4e 48 Oct 31 15:24:54.305931: | adding a v2N Payload Oct 31 15:24:54.305932: | ***emit IKEv2 Notify Payload: Oct 31 15:24:54.305934: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.305935: | flags: none (0x0) Oct 31 15:24:54.305936: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:54.305938: | SPI size: 0 (00) Oct 31 15:24:54.305940: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:54.305945: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:54.305949: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.305952: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:54.305954: | Notify data: Oct 31 15:24:54.305957: | 78 f0 cc 08 e9 8c df 5a 5b c0 fd 3f d4 13 9f a5 Oct 31 15:24:54.305959: | 62 f0 4e 48 Oct 31 15:24:54.305962: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:54.305964: | emitting length of ISAKMP Message: 454 Oct 31 15:24:54.305973: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.305977: | #4 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Oct 31 15:24:54.305980: | transitioning from state STATE_PARENT_R0 to state STATE_PARENT_R1 Oct 31 15:24:54.305982: | Message ID: updating counters for #4 Oct 31 15:24:54.305991: | Message ID: IKE #4 updating responder received message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744568.736485 ike.responder.sent=-1 ike.responder.recv=-1->0 ike.responder.last_contact=744568.736485->744568.738781 ike.wip.initiator=-1 ike.wip.responder=0->-1 Oct 31 15:24:54.305998: | Message ID: IKE #4 updating 
responder sent message response 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744568.736485 ike.responder.sent=-1->0 ike.responder.recv=0 ike.responder.last_contact=744568.738781 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:54.306005: | Message ID: IKE #4 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744568.736485 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744568.738781 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:54.306011: | parent state #4: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Oct 31 15:24:54.306014: | announcing the state transition Oct 31 15:24:54.306020: "north-eastnets/0x2" #4: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=MODP2048} Oct 31 15:24:54.306028: | sending 454 bytes for STATE_PARENT_R0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #4)
Oct 31 15:24:54.306124: | sent 1 messages Oct 31 15:24:54.306127: | state #4 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:54.306130: | libevent_free: delref ptr-libevent@0x7f70500011c8 Oct 31 15:24:54.306133: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27f9e8 Oct 31 15:24:54.306135: | event_schedule: newref EVENT_SO_DISCARD-pe@0x561a1d28db48 Oct 31 15:24:54.306137: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #4 Oct 31 15:24:54.306139: | libevent_malloc: newref ptr-libevent@0x561a1d2828b8 size 128 Oct 31 15:24:54.306142: | delref logger@0x561a1d26a1a8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:54.306144: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:54.306145: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:54.306147: | resume sending helper answer back to state for #4
suppresed complete_v2_state_transition() Oct 31 15:24:54.306149: | delref mdp@0x561a1d2864c8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:54.306151: | delref logger@0x561a1d27ac38(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:54.306152: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:54.306155: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:54.306161: | #4 spent 0.504 (0.528) milliseconds in resume sending helper answer back to state Oct 31 15:24:54.306164: | stop processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:54.306166: | libevent_free: delref ptr-libevent@0x7f7044006108 Oct 31 15:24:54.310535: | spent 0.00235 (0.00233) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:54.310556: | newref struct msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:54.310561: | newref alloc logger@0x561a1d27f9e8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:54.310567: | *received 608 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP
Oct 31 15:24:54.310653: | **parse ISAKMP
Message: Oct 31 15:24:54.310658: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:54.310662: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:54.310665: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:54.310671: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:54.310673: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:24:54.310675: | flags: none (0x0) Oct 31 15:24:54.310679: | Message ID: 0 (00 00 00 00) Oct 31 15:24:54.310683: | length: 608 (00 00 02 60) Oct 31 15:24:54.310686: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Oct 31 15:24:54.310690: | I am the IKE SA Original Initiator receiving an IKEv2 CREATE_CHILD_SA request Oct 31 15:24:54.310695: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:54.310703: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:54.310706: | #1 st.st_msgid_lastrecv -1 md.hdr.isa_msgid 00000000 Oct 31 15:24:54.310709: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:54.310712: | #1 is idle Oct 31 15:24:54.310718: | Message ID: IKE #1 not a duplicate - message request 0 is new: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:54.310723: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:54.310726: | unpacking clear payload Oct 31 15:24:54.310729: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:54.310733: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:54.310735: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:54.310738: | flags: none (0x0) Oct 31 15:24:54.310741: | length: 580 (02 44) Oct 31 15:24:54.310743: | 
processing payload: ISAKMP_NEXT_v2SK (len=576) Oct 31 15:24:54.310746: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:24:54.310780: | authenticator matched Oct 31 15:24:54.310792: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Oct 31 15:24:54.310796: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:54.310799: | **parse IKEv2 Security Association Payload: Oct 31 15:24:54.310802: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:54.310805: | flags: none (0x0) Oct 31 15:24:54.310815: | length: 52 (00 34) Oct 31 15:24:54.310817: | processing payload: ISAKMP_NEXT_v2SA (len=48) Oct 31 15:24:54.310820: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:54.310823: | **parse IKEv2 Nonce Payload: Oct 31 15:24:54.310825: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:54.310828: | flags: none (0x0) Oct 31 15:24:54.310831: | length: 36 (00 24) Oct 31 15:24:54.310834: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:54.310836: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:54.310839: | **parse IKEv2 Key Exchange Payload: Oct 31 15:24:54.310842: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:24:54.310844: | flags: none (0x0) Oct 31 15:24:54.310847: | length: 392 (01 88) Oct 31 15:24:54.310850: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:54.310853: | processing payload: ISAKMP_NEXT_v2KE (len=384) Oct 31 15:24:54.310855: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:24:54.310858: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:54.310860: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:24:54.310863: | flags: none (0x0) Oct 31 15:24:54.310866: | length: 24 (00 18) Oct 31 15:24:54.310869: | number of TS: 1 (01) Oct 31 15:24:54.310872: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:24:54.310874: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:24:54.310877: | **parse IKEv2 Traffic Selector - 
Responder - Payload: Oct 31 15:24:54.310879: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.310882: | flags: none (0x0) Oct 31 15:24:54.310885: | length: 24 (00 18) Oct 31 15:24:54.310890: | number of TS: 1 (01) Oct 31 15:24:54.310892: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:24:54.310896: | state #1 forced to match CREATE_CHILD_SA from STATE_V2_NEW_CHILD_R0->STATE_V2_ESTABLISHED_CHILD_SA by ignoring from state Oct 31 15:24:54.310898: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Oct 31 15:24:54.310904: | #1 updating local interface from 192.1.3.33:500 to 192.1.3.33:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:24:54.310913: | newref alloc logger@0x561a1d2793d8(0->1) (in new_state() at state.c:576) Oct 31 15:24:54.310916: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:54.310919: | creating state object #5 at 0x561a1d28dbb8 Oct 31 15:24:54.310921: | State DB: adding IKEv2 state #5 in UNDEFINED Oct 31 15:24:54.310929: | pstats #5 ikev2.child started Oct 31 15:24:54.310932: | duplicating state object #1 "north-eastnets/0x2" as #5 for IPSEC SA Oct 31 15:24:54.310937: | #5 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:54.310945: | Message ID: CHILD #1.#5 initializing (CHILD SA): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:54.310949: | child state #5: UNDEFINED(ignore) => V2_NEW_CHILD_R0(established IKE SA) Oct 31 15:24:54.310953: | #5.st_v2_transition NULL -> V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA (in new_v2_child_state() at state.c:1666) Oct 31 15:24:54.310956: | "north-eastnets/0x2" #1 received Respond to CREATE_CHILD_SA IPsec SA Request CREATE_CHILD_SA Child "north-eastnets/0x2" #5 in STATE_V2_NEW_CHILD_R0 will 
process it further Oct 31 15:24:54.310959: | forcing ST #1 to CHILD #1.#5 in FSM processor Oct 31 15:24:54.310965: | Message ID: CHILD #1.#5 responder starting message request 0: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744567.793756 child.wip.initiator=-1 child.wip.responder=-1->0 Oct 31 15:24:54.310968: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Oct 31 15:24:54.310978: | using existing local ESP/AH proposals for north-eastnets/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals): 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:54.310981: | comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 1 local proposals Oct 31 15:24:54.310985: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:54.310987: | local proposal 1 type PRF has 0 transforms Oct 31 15:24:54.310988: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:54.310990: | local proposal 1 type DH has 1 transforms Oct 31 15:24:54.310991: | local proposal 1 type ESN has 1 transforms Oct 31 15:24:54.310994: | local proposal 1 transforms: required: ENCR+INTEG+DH+ESN; optional: none Oct 31 15:24:54.310996: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:54.310998: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:54.311000: | length: 48 (00 30) Oct 31 15:24:54.311002: | prop #: 1 (01) Oct 31 15:24:54.311003: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:54.311005: | spi size: 4 (04) Oct 31 15:24:54.311007: | # transforms: 4 (04) Oct 31 15:24:54.311009: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:54.311010: | remote SPI Oct 31 15:24:54.311012: | 52 2b cc 92 Oct 31 15:24:54.311014: | Comparing remote proposal 1 containing 4 transforms against local proposal [1..1] of 1 local proposals Oct 31 15:24:54.311016: | ****parse IKEv2 
Transform Substructure Payload: Oct 31 15:24:54.311017: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.311019: | length: 12 (00 0c) Oct 31 15:24:54.311021: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:54.311022: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:54.311028: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:54.311029: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:54.311031: | length/value: 128 (00 80) Oct 31 15:24:54.311034: | remote proposal 1 transform 0 (ENCR=AES_CBC_128) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:54.311036: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.311037: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.311039: | length: 8 (00 08) Oct 31 15:24:54.311040: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:54.311042: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:54.311044: | remote proposal 1 transform 1 (INTEG=HMAC_SHA2_512_256) matches local proposal 1 type 3 (INTEG) transform 0 Oct 31 15:24:54.311045: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.311047: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.311049: | length: 8 (00 08) Oct 31 15:24:54.311050: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:54.311051: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:54.311053: | remote proposal 1 transform 2 (DH=MODP3072) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:24:54.311055: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:54.311056: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:54.311058: | length: 8 (00 08) Oct 31 15:24:54.311060: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:54.311061: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:54.311063: | remote proposal 1 transform 3 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:24:54.311065: | remote proposal 1 
proposed transforms: ENCR+INTEG+DH+ESN; matched: ENCR+INTEG+DH+ESN; unmatched: none Oct 31 15:24:54.311069: | comparing remote proposal 1 containing ENCR+INTEG+DH+ESN transforms to local proposal 1; required: ENCR+INTEG+DH+ESN; optional: none; matched: ENCR+INTEG+DH+ESN Oct 31 15:24:54.311070: | remote proposal 1 matches local proposal 1 Oct 31 15:24:54.311074: "north-eastnets/0x2" #5: proposal 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED SPI=522bcc92 chosen from remote proposals 1:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;DH=MODP3072;ESN=DISABLED[first-match] Oct 31 15:24:54.311078: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED SPI=522bcc92 Oct 31 15:24:54.311080: | converting proposal to internal trans attrs Oct 31 15:24:54.311083: | updating #5's .st_oakley with preserved PRF, but why update? Oct 31 15:24:54.311086: | Child SA TS Request has child->sa == md->st; so using child connection Oct 31 15:24:54.311088: | TSi: parsing 1 traffic selectors Oct 31 15:24:54.311089: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:54.311091: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:54.311092: | IP Protocol ID: ALL (0x0) Oct 31 15:24:54.311094: | length: 16 (00 10) Oct 31 15:24:54.311096: | start port: 0 (00 00) Oct 31 15:24:54.311098: | end port: 65535 (ff ff) Oct 31 15:24:54.311100: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:54.311101: | TS low Oct 31 15:24:54.311102: | c0 00 16 00 Oct 31 15:24:54.311104: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:54.311105: | TS high Oct 31 15:24:54.311107: | c0 00 16 ff Oct 31 15:24:54.311108: | TSi: parsed 1 traffic selectors Oct 31 15:24:54.311110: | TSr: parsing 1 traffic selectors Oct 31 15:24:54.311111: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:54.311112: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:54.311114: | IP Protocol ID: ALL (0x0) Oct 31 
15:24:54.311116: | length: 16 (00 10) Oct 31 15:24:54.311117: | start port: 0 (00 00) Oct 31 15:24:54.311119: | end port: 65535 (ff ff) Oct 31 15:24:54.311120: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:54.311122: | TS low Oct 31 15:24:54.311123: | c0 00 03 00 Oct 31 15:24:54.311126: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:54.311127: | TS high Oct 31 15:24:54.311128: | c0 00 03 ff Oct 31 15:24:54.311130: | TSr: parsed 1 traffic selectors Oct 31 15:24:54.311131: | looking for best SPD in current connection Oct 31 15:24:54.311135: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Oct 31 15:24:54.311139: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:54.311144: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Oct 31 15:24:54.311146: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:54.311147: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:54.311149: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:54.311151: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:54.311154: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:54.311157: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:24:54.311159: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:54.311160: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:54.311162: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:54.311163: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:54.311165: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:54.311166: | found better spd route for TSi[0],TSr[0] Oct 31 15:24:54.311168: | looking for better host pair Oct 31 15:24:54.311171: | find_host_pair: comparing 192.1.3.33:500 to 192.1.2.23:500 but ignoring ports Oct 31 
15:24:54.311175: | checking hostpair 192.0.3.0/24:0 -> 192.0.22.0/24:0 is found Oct 31 15:24:54.311176: | investigating connection "north-eastnets/0x2" as a better match Oct 31 15:24:54.311179: | match_id a=@east Oct 31 15:24:54.311181: | b=@east Oct 31 15:24:54.311182: | results matched Oct 31 15:24:54.311185: | evaluating our conn="north-eastnets/0x2" I=192.0.22.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Oct 31 15:24:54.311188: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:54.311191: | match address end->client=192.0.22.0/24 == TSi[0]net=192.0.22.0-192.0.22.255: YES fitness 32 Oct 31 15:24:54.311193: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:54.311194: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:54.311196: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:54.311209: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:54.311215: | TSr[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:54.311219: | match address end->client=192.0.3.0/24 == TSr[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:24:54.311221: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:54.311222: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:54.311224: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:54.311225: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:54.311227: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:54.311228: | investigating connection "north-eastnets/0x1" as a better match Oct 31 15:24:54.311230: | match_id a=@east Oct 31 15:24:54.311232: | b=@east Oct 31 15:24:54.311233: | results matched Oct 31 15:24:54.311236: | evaluating our conn="north-eastnets/0x1" I=192.0.2.0/24:0:0/0 R=192.0.3.0/24:0:0/0 to their: Oct 31 15:24:54.311239: | TSi[0] .net=192.0.22.0-192.0.22.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:54.311242: | match address end->client=192.0.2.0/24 == 
TSi[0]net=192.0.22.0-192.0.22.255: NO Oct 31 15:24:54.311244: | did not find a better connection using host pair Oct 31 15:24:54.311246: | printing contents struct traffic_selector Oct 31 15:24:54.311248: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:54.311250: | ipprotoid: 0 Oct 31 15:24:54.311251: | port range: 0-65535 Oct 31 15:24:54.311254: | ip range: 192.0.3.0-192.0.3.255 Oct 31 15:24:54.311255: | printing contents struct traffic_selector Oct 31 15:24:54.311256: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:54.311258: | ipprotoid: 0 Oct 31 15:24:54.311259: | port range: 0-65535 Oct 31 15:24:54.311261: | ip range: 192.0.22.0-192.0.22.255 Oct 31 15:24:54.311267: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:54.311269: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:54.311271: | newref clone logger@0x561a1d2822a8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:54.311273: | job 7 for #5: Child Responder KE and nonce nr (build KE and nonce): adding job to queue Oct 31 15:24:54.311275: | state #5 has no .st_event to delete Oct 31 15:24:54.311276: | #5 STATE_V2_NEW_CHILD_R0: retransmits: cleared Oct 31 15:24:54.311278: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:54.311280: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 Oct 31 15:24:54.311283: | libevent_malloc: newref ptr-libevent@0x7f7044006108 size 128 Oct 31 15:24:54.311292: | #5 spent 0.309 (0.319) milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in v2_dispatch() Oct 31 15:24:54.311296: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.311299: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.311301: | #5 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_SUSPEND 
Oct 31 15:24:54.311300: | job 7 for #5: Child Responder KE and nonce nr (build KE and nonce): helper 7 starting job Oct 31 15:24:54.311303: | suspending state #5 and saving MD 0x561a1d2864c8 Oct 31 15:24:54.311314: | addref md@0x561a1d2864c8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:54.311316: | #5 is busy; has suspended MD 0x561a1d2864c8 Oct 31 15:24:54.311319: | stop processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:54.311322: | #1 spent 0.777 (0.795) milliseconds in ikev2_process_packet() Oct 31 15:24:54.311324: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:54.311326: | delref mdp@0x561a1d2864c8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:54.311328: | spent 0.783 (0.801) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:54.314114: | "north-eastnets/0x2" #5: spent 2.77 (2.81) milliseconds in helper 7 processing job 7 for state #5: Child Responder KE and nonce nr (pcr) Oct 31 15:24:54.314129: | job 7 for #5: Child Responder KE and nonce nr (build KE and nonce): helper thread 7 sending result back to state Oct 31 15:24:54.314132: | scheduling resume sending helper answer back to state for #5 Oct 31 15:24:54.314135: | libevent_malloc: newref ptr-libevent@0x7f7048002e98 size 128 Oct 31 15:24:54.314142: | helper thread 7 has nothing to do Oct 31 15:24:54.314158: | processing resume sending helper answer back to state for #5 Oct 31 15:24:54.314173: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:54.314179: | unsuspending #5 MD 0x561a1d2864c8 Oct 31 15:24:54.314183: | job 7 for #5: Child Responder KE and nonce nr (build KE and nonce): processing response from helper 7 Oct 31 15:24:54.314187: | job 7 for #5: Child Responder KE and nonce nr (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 
15:24:54.314191: | ikev2_child_inIoutR_continue() for #5 STATE_V2_NEW_CHILD_R0 Oct 31 15:24:54.314197: | DH secret MODP3072@0x7f7048003238: transferring ownership from helper KE to state #5 Oct 31 15:24:54.314235: | DH secret MODP3072@0x7f7048003238: transferring ownership from state #5 to helper DH Oct 31 15:24:54.314248: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:54.314251: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:54.314255: | newref clone logger@0x561a1d26a1a8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:54.314258: | job 8 for #5: DHv2 for child sa (dh): adding job to queue Oct 31 15:24:54.314261: | state #5 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:54.314264: | libevent_free: delref ptr-libevent@0x7f7044006108 Oct 31 15:24:54.314268: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27ac38 Oct 31 15:24:54.314271: | #5 STATE_V2_NEW_CHILD_R0: retransmits: cleared Oct 31 15:24:54.314274: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d287e88 Oct 31 15:24:54.314277: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #5 Oct 31 15:24:54.314280: | libevent_malloc: newref ptr-libevent@0x7f7044006108 size 128 Oct 31 15:24:54.314291: | [RE]START processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.314297: | #5 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_SUSPEND Oct 31 15:24:54.314299: | suspending state #5 and saving MD 0x561a1d2864c8 Oct 31 15:24:54.314303: | addref md@0x561a1d2864c8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:54.314306: | #5 is busy; has suspended MD 0x561a1d2864c8 Oct 31 15:24:54.314309: | delref logger@0x561a1d2822a8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:54.314311: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:54.314313: | delref fd@NULL (in free_logger() at 
log.c:854) Oct 31 15:24:54.314317: | resume sending helper answer back to state for #5 suppresed complete_v2_state_transition() Oct 31 15:24:54.314320: | delref mdp@0x561a1d2864c8(2->1) (in resume_handler() at server.c:743) Oct 31 15:24:54.314322: | job 8 for #5: DHv2 for child sa (dh): helper 1 starting job Oct 31 15:24:54.314328: | #5 spent 0.118 (0.146) milliseconds in resume sending helper answer back to state Oct 31 15:24:54.314333: | stop processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:54.314337: | libevent_free: delref ptr-libevent@0x7f7048002e98 Oct 31 15:24:54.315672: | "north-eastnets/0x2" #5: spent 1.33 (1.35) milliseconds in helper 1 processing job 8 for state #5: DHv2 for child sa (dh) Oct 31 15:24:54.315683: | job 8 for #5: DHv2 for child sa (dh): helper thread 1 sending result back to state Oct 31 15:24:54.315687: | scheduling resume sending helper answer back to state for #5 Oct 31 15:24:54.315690: | libevent_malloc: newref ptr-libevent@0x7f705c002b48 size 128 Oct 31 15:24:54.315695: | helper thread 1 has nothing to do Oct 31 15:24:54.315704: | processing resume sending helper answer back to state for #5 Oct 31 15:24:54.315715: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:54.315720: | unsuspending #5 MD 0x561a1d2864c8 Oct 31 15:24:54.315723: | job 8 for #5: DHv2 for child sa (dh): processing response from helper 1 Oct 31 15:24:54.315726: | job 8 for #5: DHv2 for child sa (dh): calling continuation function 0x561a1cf227cb Oct 31 15:24:54.315729: | DH secret MODP3072@0x7f7048003238: transferring ownership from helper IKEv2 DH to state #5 Oct 31 15:24:54.315733: | ikev2_child_inIoutR_continue_continue() for #5 STATE_V2_NEW_CHILD_R0 Oct 31 15:24:54.315739: | opening output PBS reply packet Oct 31 15:24:54.315742: | **emit ISAKMP Message: Oct 31 15:24:54.315746: | initiator SPI: 3e 8d 75 fe ee 
1c ba 7c Oct 31 15:24:54.315750: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:54.315753: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:54.315755: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:54.315758: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:24:54.315761: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Oct 31 15:24:54.315768: | Message ID: 0 (00 00 00 00) Oct 31 15:24:54.315771: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:54.315774: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:54.315777: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.315779: | flags: none (0x0) Oct 31 15:24:54.315782: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:54.315784: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.315786: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:54.315815: | netlink_get_spi: allocated 0x11a0f228 for esp.0@192.1.3.33 Oct 31 15:24:54.315820: | emitting ikev2_proposal ... 
Oct 31 15:24:54.315823: | ****emit IKEv2 Security Association Payload: Oct 31 15:24:54.315826: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.315829: | flags: none (0x0) Oct 31 15:24:54.315832: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:54.315835: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.315840: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:54.315843: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:54.315846: | prop #: 1 (01) Oct 31 15:24:54.315849: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:54.315852: | spi size: 4 (04) Oct 31 15:24:54.315854: | # transforms: 4 (04) Oct 31 15:24:54.315856: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:54.315858: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:24:54.315860: | our spi: 11 a0 f2 28 Oct 31 15:24:54.315862: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.315864: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.315865: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:54.315867: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:54.315868: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.315870: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:54.315872: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:54.315874: | length/value: 128 (00 80) Oct 31 15:24:54.315876: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:54.315877: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.315879: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 
15:24:54.315880: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:54.315882: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:54.315884: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.315885: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.315887: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.315888: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.315890: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.315891: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:54.315893: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:54.315894: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.315896: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:54.315899: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.315901: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:54.315902: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:54.315903: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:54.315905: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:54.315906: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:54.315908: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 
15:24:54.315909: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:54.315911: | emitting length of IKEv2 Proposal Substructure Payload: 48 Oct 31 15:24:54.315912: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:54.315914: | emitting length of IKEv2 Security Association Payload: 52 Oct 31 15:24:54.315915: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:54.315917: | ****emit IKEv2 Nonce Payload: Oct 31 15:24:54.315918: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.315920: | flags: none (0x0) Oct 31 15:24:54.315922: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:54.315923: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.315925: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:54.315926: | IKEv2 nonce: Oct 31 15:24:54.315928: | 7f c9 10 a4 b5 f7 ad 2d 04 cf 30 3c d0 02 54 ec Oct 31 15:24:54.315930: | 27 35 b4 50 13 b3 90 5e ba f8 2a 0d 84 74 b5 a6 Oct 31 15:24:54.315931: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:54.315933: | ****emit IKEv2 Key Exchange Payload: Oct 31 15:24:54.315934: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.315940: | flags: none (0x0) Oct 31 15:24:54.315942: | DH group: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:54.315943: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:54.315945: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.315947: | emitting 384 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 
15:24:54.315948: | ikev2 g^x: Oct 31 15:24:54.315983: | emitting length of IKEv2 Key Exchange Payload: 392 Oct 31 15:24:54.315985: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:54.315987: | next
payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.315988: | flags: none (0x0) Oct 31 15:24:54.315990: | number of TS: 1 (01) Oct 31 15:24:54.315992: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:24:54.315993: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.315995: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:54.315996: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:54.315998: | IP Protocol ID: ALL (0x0) Oct 31 15:24:54.316000: | start port: 0 (00 00) Oct 31 15:24:54.316002: | end port: 65535 (ff ff) Oct 31 15:24:54.316004: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:54.316006: | IP start: c0 00 16 00 Oct 31 15:24:54.316008: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:54.316010: | IP end: c0 00 16 ff Oct 31 15:24:54.316011: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:54.316012: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:24:54.316014: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:54.316015: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:54.316017: | flags: none (0x0) Oct 31 15:24:54.316019: | number of TS: 1 (01) Oct 31 15:24:54.316020: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:24:54.316022: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:54.316023: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:54.316025: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:54.316026: | IP Protocol ID: ALL (0x0) Oct 31 15:24:54.316028: | start port: 0 (00 00) 
Oct 31 15:24:54.316030: | end port: 65535 (ff ff) Oct 31 15:24:54.316031: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:54.316033: | IP start: c0 00 03 00 Oct 31 15:24:54.316035: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:54.316036: | IP end: c0 00 03 ff Oct 31 15:24:54.316038: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:54.316039: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:24:54.316041: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:24:54.316043: | integ=HMAC_SHA2_512_256: .key_size=64 encrypt=AES_CBC: .key_size=16 .salt_size=0 keymat_len=80 Oct 31 15:24:54.316108: | install_ipsec_sa() for #5: inbound and outbound Oct 31 15:24:54.316112: | could_route called for north-eastnets/0x2; kind=CK_PERMANENT that.has_client=yes oppo=no this.host_port=500 Oct 31 15:24:54.316114: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:24:54.316115: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:54.316117: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:54.316120: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:54.316122: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:54.316124: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Oct 31 15:24:54.316127: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:54.316129: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:54.316131: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:54.316133: | setting IPsec SA replay-window to 32 Oct 31 15:24:54.316135: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Oct 31 15:24:54.316137: | netlink: enabling tunnel mode Oct 31 15:24:54.316139: | XFRM: adding IPsec SA with reqid 16393 Oct 31 
15:24:54.316140: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:54.316143: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:54.316208: | netlink response for Add SA esp.522bcc92@192.1.2.23 included non-error error Oct 31 15:24:54.316218: | setup_half_ipsec_sa() is installing inbound eroute? inbound=0 owner=#3 mode=1 Oct 31 15:24:54.316222: | set up outgoing SA, ref=0/0 Oct 31 15:24:54.316224: | looking for alg with encrypt: AES_CBC keylen: 128 integ: HMAC_SHA2_512_256 Oct 31 15:24:54.316227: | encrypt AES_CBC keylen=128 transid=12, key_size=16, encryptalg=12 Oct 31 15:24:54.316229: | st->st_esp.keymat_len=80 is encrypt_keymat_size=16 + integ_keymat_size=64 Oct 31 15:24:54.316233: | setting IPsec SA replay-window to 32 Oct 31 15:24:54.316235: | NIC esp-hw-offload not for connection 'north-eastnets/0x2' not available on interface eth1 Oct 31 15:24:54.316237: | netlink: enabling tunnel mode Oct 31 15:24:54.316239: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:24:54.316242: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:54.316245: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:54.316287: | netlink response for Add SA esp.11a0f228@192.1.3.33 included non-error error Oct 31 15:24:54.316291: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#3 mode=1 Oct 31 15:24:54.316294: | set up incoming SA, ref=0/0 Oct 31 15:24:54.316296: | sr for #5: erouted Oct 31 15:24:54.316298: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:24:54.316301: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:54.316304: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:54.316306: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:54.316309: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:54.316312: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:54.316315: | route owner of "north-eastnets/0x2" erouted: self; eroute owner: self Oct 31 15:24:54.316319: | route_and_eroute with c: north-eastnets/0x2 (next: none) ero:north-eastnets/0x2 esr:{(nil)} ro:north-eastnets/0x2 rosr:{(nil)} and state: #5 Oct 31 15:24:54.316321: | we are replacing an eroute Oct 31 15:24:54.316325: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:54.316334: | eroute_connection replace eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => tun.0@192.1.2.23>tun.0@192.1.2.23 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:24:54.316338: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:54.316356: | raw_eroute result=success Oct 31 15:24:54.316359: | route_and_eroute: firewall_notified: true Oct 31 15:24:54.316363: | route_and_eroute: instance "north-eastnets/0x2", setting eroute_owner {spd=0x561a1d279d88,sr=0x561a1d279d88} to #5 (was #3) (newest_ipsec_sa=#3) Oct 31 15:24:54.316406: | ISAKMP_v2_CREATE_CHILD_SA: instance north-eastnets/0x2[0], setting IKEv2 newest_ipsec_sa to #5 (was #3) (spd.eroute=#5) cloned from #1 Oct 31 15:24:54.316411: | adding 16 bytes of padding (including 1 byte padding-length) Oct 31 15:24:54.316414: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316419: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316422: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316424: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316427: | emitting 
1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316430: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316433: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316436: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316438: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316441: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316444: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316446: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316449: | emitting 1 0x0c repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316452: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316455: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316457: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:54.316460: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:54.316463: | emitting length of IKEv2 Encryption Payload: 580 Oct 31 15:24:54.316466: | emitting length of ISAKMP Message: 608 Oct 31 15:24:54.316515: "north-eastnets/0x2" #5: negotiated new IPsec SA [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Oct 31 15:24:54.316522: | delref logger@0x561a1d26a1a8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:54.316525: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:54.316527: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:54.316535: | [RE]START processing: state #5 connection 
"north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:54.316540: | #5 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_OK Oct 31 15:24:54.316543: | transitioning from state STATE_V2_NEW_CHILD_R0 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:54.316545: | Message ID: updating counters for #5 Oct 31 15:24:54.316554: | Message ID: CHILD #1.#5 updating responder received message request 0: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1 ike.responder.recv=-1->0 ike.responder.last_contact=744567.793756->744568.749345 child.wip.initiator=-1 child.wip.responder=0->-1 Oct 31 15:24:54.316560: | Message ID: CHILD #1.#5 updating responder sent message response 0: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=-1->0 ike.responder.recv=0 ike.responder.last_contact=744568.749345 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:54.316566: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744568.749345 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:54.316571: | child state #5: V2_NEW_CHILD_R0(established IKE SA) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:24:54.316574: | pstats #5 ikev2.child established Oct 31 15:24:54.316577: | announcing the state transition Oct 31 15:24:54.316584: "north-eastnets/0x2" #5: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.22.0-192.0.22.255:0-65535 0] Oct 31 15:24:54.316587: | NAT-T: encaps is 'auto' Oct 31 15:24:54.316593: "north-eastnets/0x2" #5: IPsec SA established tunnel mode {ESP=>0x522bcc92 <0x11a0f228 xfrm=AES_CBC_128-HMAC_SHA2_512_256-MODP3072 NATOA=none NATD=none DPD=passive} Oct 31 15:24:54.316597: | sending 608 bytes for 
STATE_V2_NEW_CHILD_R0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:54.316726: | sent 1 messages Oct 31 15:24:54.316732: | releasing #5's fd-fd@(nil) because IKEv2 transitions finished Oct 31 15:24:54.316734: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:54.316736: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:54.316738: | unpending #5's IKE SA #1 Oct 31 15:24:54.316741: | unpending state #1 connection "north-eastnets/0x2" Oct 31 15:24:54.316744: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:24:54.316746: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:54.316748: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:54.316756: | #5 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:24:54.316759: | state #5 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:54.316764: | libevent_free: delref ptr-libevent@0x7f7044006108 Oct 31 15:24:54.316767: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d287e88 Oct
31 15:24:54.316771: | event_schedule: newref EVENT_SA_REKEY-pe@0x561a1d287e88 Oct 31 15:24:54.316774: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #5 Oct 31 15:24:54.316777: | libevent_malloc: newref ptr-libevent@0x561a1d28e968 size 128 Oct 31 15:24:54.316780: | delref mdp@0x561a1d2864c8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:54.316783: | delref logger@0x561a1d27f9e8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:54.316785: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:54.316787: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:54.316794: | #5 spent 1.01 (1.07) milliseconds in resume sending helper answer back to state Oct 31 15:24:54.316799: | stop processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:54.316801: | libevent_free: delref ptr-libevent@0x7f705c002b48 Oct 31 15:24:54.754594: | newref struct fd@0x561a1d277b38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:54.754605: | fd_accept: new fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:54.754631: | whack: traffic_status Oct 31 15:24:54.754634: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Oct 31 15:24:54.754636: | FOR_EACH_STATE_... 
in sort_states Oct 31 15:24:54.754644: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:54.754659: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:54.754672: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:54.754697: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:54.754727: | get_sa_info esp.11a0f228@192.1.3.33 Oct 31 15:24:54.754736: | get_sa_info esp.522bcc92@192.1.2.23 Oct 31 15:24:54.754750: | delref fd@0x561a1d277b38(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:54.754756: | freeref fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:54.754762: | spent 0.19 (0.19) milliseconds in whack Oct 31 15:24:55.641221: | newref struct fd@0x561a1d277b38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:55.641235: | fd_accept: new fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:55.641249: | whack: traffic_status Oct 31 15:24:55.641252: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Oct 31 15:24:55.641255: | FOR_EACH_STATE_... 
in sort_states Oct 31 15:24:55.641263: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:55.641277: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:55.641290: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:55.641297: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:55.641309: | get_sa_info esp.11a0f228@192.1.3.33 Oct 31 15:24:55.641317: | get_sa_info esp.522bcc92@192.1.2.23 Oct 31 15:24:55.641332: | delref fd@0x561a1d277b38(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:55.641339: | freeref fd-fd@0x561a1d277b38 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:55.641349: | spent 0.138 (0.151) milliseconds in whack Oct 31 15:24:55.867666: | spent 0.00212 (0.00207) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.867683: | newref struct msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.867686: | newref alloc logger@0x561a1d288308(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.867691: | *received 80 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP Oct 31 15:24:55.867693: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.867694: | 2e 20 25 00 00 00 00 01 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.867696: | 7e 64 c4 40 2b a8 53 9a 18 21 0d d1 fe fb 55 45 Oct 31 15:24:55.867697: | 90 92 7c f5 fe 5c 31 b2 63 59 86 18 ff 64 ec 10 Oct 31 15:24:55.867700: | 3f 80 e2 45 4e 89 40 d9 c7 9c 91 d9 1e e6 57 78 Oct 31 15:24:55.867704: | **parse ISAKMP Message: Oct 31 15:24:55.867707: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.867709: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.867711: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:55.867713: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.867714: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.867716: | flags: none (0x0) Oct 31 15:24:55.867718: | Message ID: 1 (00 00 00 01) Oct 31 15:24:55.867720: | length: 80 (00 00 
00 50) Oct 31 15:24:55.867722: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Oct 31 15:24:55.867725: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Oct 31 15:24:55.867729: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:55.867735: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:55.867737: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Oct 31 15:24:55.867739: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:55.867741: | #1 is idle Oct 31 15:24:55.867745: | Message ID: IKE #1 not a duplicate - message request 1 is new: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744568.749345 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.867749: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:55.867750: | unpacking clear payload Oct 31 15:24:55.867752: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:55.867755: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:55.867756: | next payload type: ISAKMP_NEXT_v2D (0x2a) Oct 31 15:24:55.867758: | flags: none (0x0) Oct 31 15:24:55.867760: | length: 52 (00 34) Oct 31 15:24:55.867761: | processing payload: ISAKMP_NEXT_v2SK (len=48) Oct 31 15:24:55.867763: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:24:55.867784: | authenticator matched Oct 31 15:24:55.867795: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Oct 31 15:24:55.867797: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Oct 31 15:24:55.867799: | **parse IKEv2 Delete Payload: Oct 31 15:24:55.867801: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.867802: | flags: none (0x0) Oct 31 15:24:55.867804: | 
length: 12 (00 0c) Oct 31 15:24:55.867806: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.867808: | SPI size: 4 (04) Oct 31 15:24:55.867809: | number of SPIs: 1 (00 01) Oct 31 15:24:55.867811: | processing payload: ISAKMP_NEXT_v2D (len=4) Oct 31 15:24:55.867813: | selected state microcode Informational Request Oct 31 15:24:55.867817: | Message ID: IKE #1 responder starting message request 1: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744568.749345 ike.wip.initiator=-1 ike.wip.responder=-1->1 Oct 31 15:24:55.867819: | calling processor Informational Request Oct 31 15:24:55.867821: | an informational request should send a response Oct 31 15:24:55.867825: | opening output PBS information exchange reply packet Oct 31 15:24:55.867827: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Oct 31 15:24:55.867828: | **emit ISAKMP Message: Oct 31 15:24:55.867831: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.867833: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.867835: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.867836: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.867838: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.867840: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Oct 31 15:24:55.867843: | Message ID: 1 (00 00 00 01) Oct 31 15:24:55.867845: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.867847: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:55.867849: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.867850: | flags: none (0x0) Oct 31 15:24:55.867852: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.867854: | next payload chain: saving location 
'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.867858: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.867869: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Oct 31 15:24:55.867874: | SPI Oct 31 15:24:55.867877: | 52 2b cc 92 Oct 31 15:24:55.867881: | delete IKEv2_SEC_PROTO_ESP SA(0x522bcc92) Oct 31 15:24:55.867886: | v2 CHILD SA #5 found using their inbound (our outbound) SPI, in STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:55.867889: | State DB: found IKEv2 state #5 in ESTABLISHED_CHILD_SA (find_v2_child_sa_by_outbound_spi) Oct 31 15:24:55.867893: | our side SPI that needs to be deleted: IKEv2_SEC_PROTO_ESP SA(0x522bcc92) Oct 31 15:24:55.867899: "north-eastnets/0x2" #1: received Delete SA payload: replace IPsec State #5 now Oct 31 15:24:55.867904: | #5 requesting EVENT_SA_REKEY-pe@0x561a1d287e88 be deleted Oct 31 15:24:55.867910: | libevent_free: delref ptr-libevent@0x561a1d28e968 Oct 31 15:24:55.867915: | free_event_entry: delref EVENT_SA_REKEY-pe@0x561a1d287e88 Oct 31 15:24:55.867919: | event_schedule: newref EVENT_SA_REPLACE-pe@0x561a1d27f9e8 Oct 31 15:24:55.867921: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #5 Oct 31 15:24:55.867924: | libevent_malloc: newref ptr-libevent@0x7f705c002b48 size 128 Oct 31 15:24:55.867927: | ****emit IKEv2 Delete Payload: Oct 31 15:24:55.867930: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.867932: | flags: none (0x0) Oct 31 15:24:55.867934: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.867937: | SPI size: 4 (04) Oct 31 15:24:55.867940: | number of SPIs: 1 (00 01) Oct 31 15:24:55.867942: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:24:55.867944: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.867946: | 
emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Oct 31 15:24:55.867948: | local SPIs: 11 a0 f2 28 Oct 31 15:24:55.867949: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:24:55.867951: | adding 4 bytes of padding (including 1 byte padding-length) Oct 31 15:24:55.867953: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.867954: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.867956: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.867957: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.867959: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:55.867961: | emitting length of IKEv2 Encryption Payload: 52 Oct 31 15:24:55.867962: | emitting length of ISAKMP Message: 80 Oct 31 15:24:55.867983: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.867985: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.867987: | 2e 20 25 28 00 00 00 01 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.867988: | 6e 93 28 40 08 c6 f0 4a 16 ff 0d 28 24 c9 6f a1 Oct 31 15:24:55.867990: | f4 d8 d1 a4 cd bf f4 16 68 67 17 0d a9 23 65 1c Oct 31 15:24:55.867991: | 31 ba 3b db 2f 4b 96 29 6e 14 a5 3e cb 31 a2 2d Oct 31 15:24:55.868021: | sent 1 messages Oct 31 15:24:55.868026: | Message ID: IKE #1 XXX: in process_encrypted_informational_ikev2() hacking around record 'n' send bypassing send queue hacking around delete_ike_family(): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744568.749345 ike.wip.initiator=-1 ike.wip.responder=1 Oct 31 15:24:55.868030: | Message ID: IKE #1 updating responder sent 
message response 1: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=0->1 ike.responder.recv=0 ike.responder.last_contact=744568.749345 ike.wip.initiator=-1 ike.wip.responder=1 Oct 31 15:24:55.868036: | #1 spent 0.198 (0.213) milliseconds in processing: Informational Request in v2_dispatch() Oct 31 15:24:55.868039: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.868043: | #1 complete_v2_state_transition() ESTABLISHED_IKE_SA->ESTABLISHED_IKE_SA with status STF_OK; .st_v2_transition=PARENT_I0->PARENT_I1 Oct 31 15:24:55.868045: | Message ID: updating counters for #1 Oct 31 15:24:55.868049: | Message ID: IKE #1 updating responder received message request 1: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=0->1 ike.responder.last_contact=744568.749345->744570.300843 ike.wip.initiator=-1 ike.wip.responder=1->-1 Oct 31 15:24:55.868052: | Message ID: IKE #1 updating responder sent message response 1: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.868056: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.868057: | announcing the state transition Oct 31 15:24:55.868059: "north-eastnets/0x2" #1: established IKE SA Oct 31 15:24:55.868064: | sending 80 bytes for STATE_V2_ESTABLISHED_IKE_SA through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.868065: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 
15:24:55.868067: | 2e 20 25 28 00 00 00 01 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.868068: | 6e 93 28 40 08 c6 f0 4a 16 ff 0d 28 24 c9 6f a1 Oct 31 15:24:55.868069: | f4 d8 d1 a4 cd bf f4 16 68 67 17 0d a9 23 65 1c Oct 31 15:24:55.868071: | 31 ba 3b db 2f 4b 96 29 6e 14 a5 3e cb 31 a2 2d Oct 31 15:24:55.868081: | sent 1 messages Oct 31 15:24:55.868083: | #1 is retaining EVENT_SA_REKEY with is previously set timeout Oct 31 15:24:55.868086: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:55.868090: | #1 spent 0.412 (0.43) milliseconds in ikev2_process_packet() Oct 31 15:24:55.868092: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.868094: | delref mdp@0x561a1d2864c8(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.868096: | delref logger@0x561a1d288308(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.868098: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.868100: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.868103: | spent 0.425 (0.444) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.868108: | timer_event_cb: processing event@0x561a1d27f9e8 Oct 31 15:24:55.868110: | handling event EVENT_SA_REPLACE for child state #5 Oct 31 15:24:55.868112: | libevent_free: delref ptr-libevent@0x7f705c002b48 Oct 31 15:24:55.868114: | free_event_entry: delref EVENT_SA_REPLACE-pe@0x561a1d27f9e8 Oct 31 15:24:55.868117: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.868122: | picked newest_ipsec_sa #5 for #5 Oct 31 15:24:55.868124: | replacing stale CHILD SA Oct 31 15:24:55.868126: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:55.868129: | FOR_EACH_STATE_... 
in find_pending_phase2 Oct 31 15:24:55.868133: | newref alloc logger@0x561a1d287e88(0->1) (in new_state() at state.c:576) Oct 31 15:24:55.868134: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:55.868136: | creating state object #6 at 0x561a1d28efe8 Oct 31 15:24:55.868138: | State DB: adding IKEv2 state #6 in UNDEFINED Oct 31 15:24:55.868141: | pstats #6 ikev2.child started Oct 31 15:24:55.868143: | duplicating state object #1 "north-eastnets/0x2" as #6 for IPSEC SA Oct 31 15:24:55.868146: | #6 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:55.868151: | Message ID: CHILD #1.#6 initializing (CHILD SA): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:55.868153: | child state #6: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Oct 31 15:24:55.868156: | #6.st_v2_transition NULL -> V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I1 (in new_v2_child_state() at state.c:1666) Oct 31 15:24:55.868159: | suspend processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:55.868162: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:55.868167: | using existing local ESP/AH proposals for north-eastnets/0x2 (ESP/AH initiator emitting proposals): 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:55.868171: | #6 schedule rekey initiate IPsec SA RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 to replace #5 using IKE# 1 pfs=MODP3072 Oct 31 15:24:55.868173: | event_schedule: newref EVENT_v2_INITIATE_CHILD-pe@0x561a1d26a1a8 Oct 31 15:24:55.868176: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 
seconds for #6 Oct 31 15:24:55.868178: | libevent_malloc: newref ptr-libevent@0x561a1d2800f8 size 128 Oct 31 15:24:55.868183: | RESET processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:6035) Oct 31 15:24:55.868186: | event_schedule: newref EVENT_SA_EXPIRE-pe@0x561a1d288308 Oct 31 15:24:55.868188: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #5 Oct 31 15:24:55.868190: | libevent_malloc: newref ptr-libevent@0x7f7048002e98 size 128 Oct 31 15:24:55.868196: | #5 spent 0.0857 (0.0859) milliseconds in timer_event_cb() EVENT_SA_REPLACE Oct 31 15:24:55.868219: | processing: STOP state #0 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.868229: | timer_event_cb: processing event@0x561a1d26a1a8 Oct 31 15:24:55.868232: | handling event EVENT_v2_INITIATE_CHILD for child state #6 Oct 31 15:24:55.868234: | libevent_free: delref ptr-libevent@0x561a1d2800f8 Oct 31 15:24:55.868237: | free_event_entry: delref EVENT_v2_INITIATE_CHILD-pe@0x561a1d26a1a8 Oct 31 15:24:55.868242: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.868247: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:55.868250: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:55.868254: | newref clone logger@0x561a1d27f9e8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:55.868257: | job 9 for #6: Child Rekey Initiator KE and nonce ni (build KE and nonce): adding job to queue Oct 31 15:24:55.868259: | state #6 has no .st_event to delete Oct 31 15:24:55.868262: | #6 STATE_V2_REKEY_CHILD_I0: retransmits: cleared Oct 31 15:24:55.868264: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d26a1a8 Oct 31 15:24:55.868269: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #6 Oct 31 15:24:55.868272: | libevent_malloc: newref ptr-libevent@0x561a1d2800f8 size 128 Oct 31 15:24:55.868281: | #6 spent 0.051 (0.051) 
milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Oct 31 15:24:55.868286: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.868290: | timer_event_cb: processing event@0x561a1d288308 Oct 31 15:24:55.868290: | job 9 for #6: Child Rekey Initiator KE and nonce ni (build KE and nonce): helper 2 starting job Oct 31 15:24:55.868292: | handling event EVENT_SA_EXPIRE for child state #5 Oct 31 15:24:55.868306: | libevent_free: delref ptr-libevent@0x7f7048002e98 Oct 31 15:24:55.868308: | free_event_entry: delref EVENT_SA_EXPIRE-pe@0x561a1d288308 Oct 31 15:24:55.868313: | start processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.868317: | picked newest_ipsec_sa #5 for #5 Oct 31 15:24:55.868319: | un-established partial CHILD SA timeout (SA expired) Oct 31 15:24:55.868322: | pstats #5 ikev2.child re-failed exchange-timeout Oct 31 15:24:55.868325: | should_send_delete: no, just because Oct 31 15:24:55.868328: | pstats #5 ikev2.child deleted completed Oct 31 15:24:55.868331: | #5 main thread spent 1.53 (1.62) milliseconds helper thread spent 4.1 (4.16) milliseconds in total Oct 31 15:24:55.868336: | [RE]START processing: state #5 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.868339: | should_send_delete: no, just because Oct 31 15:24:55.868342: "north-eastnets/0x2" #5: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 1.55743s and NOT sending notification Oct 31 15:24:55.868346: | child state #5: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:24:55.868350: | get_sa_info esp.522bcc92@192.1.2.23 Oct 31 15:24:55.868366: | get_sa_info esp.11a0f228@192.1.3.33 Oct 31 15:24:55.868375: "north-eastnets/0x2" #5: ESP traffic information: in=336B out=336B Oct 31 15:24:55.868379: | unsuspending #5 MD (nil) Oct 31 15:24:55.868381: | should_send_delete: no, 
just because Oct 31 15:24:55.868384: | child state #5: ESTABLISHED_CHILD_SA(established CHILD SA) => CHILDSA_DEL(informational) Oct 31 15:24:55.868387: | state #5 has no .st_event to delete Oct 31 15:24:55.868389: | #5 STATE_CHILDSA_DEL: retransmits: cleared Oct 31 15:24:55.868443: | running updown command "ipsec _updown" for verb down Oct 31 15:24:55.868448: | command executing down-client Oct 31 15:24:55.868453: | get_sa_info esp.522bcc92@192.1.2.23 Oct 31 15:24:55.868461: | get_sa_info esp.11a0f228@192.1.3.33 Oct 31 15:24:55.868494: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157894' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFI... 
Oct 31 15:24:55.868498: | popen cmd is 1148 chars long Oct 31 15:24:55.868501: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Oct 31 15:24:55.868503: | cmd( 80):2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO: Oct 31 15:24:55.868508: | cmd( 160):_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIEN: Oct 31 15:24:55.868510: | cmd( 240):T='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.2: Oct 31 15:24:55.868512: | cmd( 320):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TY: Oct 31 15:24:55.868514: | cmd( 400):PE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.: Oct 31 15:24:55.868516: | cmd( 480):22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.: Oct 31 15:24:55.868518: | cmd( 560):0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfr: Oct 31 15:24:55.868520: | cmd( 640):m' PLUTO_ADDTIME='1604157894' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS: Oct 31 15:24:55.868522: | cmd( 720):+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT: Oct 31 15:24:55.868524: | cmd( 800):' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER: Oct 31 15:24:55.868526: | cmd( 880):_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0': Oct 31 15:24:55.868528: | cmd( 960): PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='336' PLUTO_OUTBYTES: Oct 31 15:24:55.868530: | cmd(1040):='336' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x522bcc92 SPI_OUT=0: Oct 31 15:24:55.868532: | cmd(1120):x11a0f228 ipsec _updown 2>&1: Oct 31 15:24:55.871642: | "north-eastnets/0x2" #6: spent 3.3 (3.35) milliseconds in helper 2 processing job 9 for state #6: Child Rekey Initiator KE and nonce ni (pcr) Oct 31 15:24:55.871655: | job 9 for #6: Child Rekey Initiator 
KE and nonce ni (build KE and nonce): helper thread 2 sending result back to state Oct 31 15:24:55.871658: | scheduling resume sending helper answer back to state for #6 Oct 31 15:24:55.871661: | libevent_malloc: newref ptr-libevent@0x7f7054010538 size 128 Oct 31 15:24:55.871666: | helper thread 2 has nothing to do Oct 31 15:24:55.878446: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.3.0/24:0 --0->- 192.0.22.0/24:0 Oct 31 15:24:55.878462: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.22.0/24:0 Oct 31 15:24:55.878467: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:55.878472: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:55.878509: | delete esp.522bcc92@192.1.2.23 Oct 31 15:24:55.878514: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.878530: | netlink response for Del SA esp.522bcc92@192.1.2.23 included non-error error Oct 31 15:24:55.878535: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:55.878543: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk.10000@192.1.3.33 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:55.878567: | raw_eroute result=success Oct 31 15:24:55.878573: | delete esp.11a0f228@192.1.3.33 Oct 31 15:24:55.878576: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.878589: | netlink response for Del SA esp.11a0f228@192.1.3.33 included non-error error Oct 31 15:24:55.878600: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:55.878604: | State DB: deleting IKEv2 state #5 in CHILDSA_DEL Oct 31 15:24:55.878608: | child state #5: CHILDSA_DEL(informational) => UNDEFINED(ignore) Oct 31 15:24:55.878612: | releasing #5's fd-fd@(nil) because deleting state Oct 31 15:24:55.878614: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.878617: | delref fd@NULL (in delete_state() at 
state.c:1195) Oct 31 15:24:55.878626: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:55.878645: | stop processing: state #5 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.878655: | delref logger@0x561a1d2793d8(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.878658: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.878660: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.878668: | State DB: found IKEv2 state #6 in V2_REKEY_CHILD_I0 (v2_expire_unused_ike_sa) Oct 31 15:24:55.878671: | can't expire unused IKE SA #1; it has the child #6 Oct 31 15:24:55.878674: | in statetime_stop() and could not find #5 Oct 31 15:24:55.878677: | processing: STOP state #0 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.878694: | processing resume sending helper answer back to state for #6 Oct 31 15:24:55.878701: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:55.878706: | unsuspending #6 MD (nil) Oct 31 15:24:55.878710: | job 9 for #6: Child Rekey Initiator KE and nonce ni (build KE and nonce): processing response from helper 2 Oct 31 15:24:55.878712: | job 9 for #6: Child Rekey Initiator KE and nonce ni (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:55.878721: | ikev2_child_outI_continue() for #6 STATE_V2_REKEY_CHILD_I0 Oct 31 15:24:55.878726: | DH secret MODP3072@0x7f70540106e8: transferring ownership from helper KE to state #6 Oct 31 15:24:55.878729: | adding CHILD SA #6 to IKE SA #1 message initiator queue Oct 31 15:24:55.878738: | Message ID: CHILD #1.#6 wakeing IKE SA for next initiator (unack 0): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:55.878742: | scheduling callback 
v2_msgid_schedule_next_initiator (#1) Oct 31 15:24:55.878746: | libevent_malloc: newref ptr-libevent@0x7f7048002de8 size 128 Oct 31 15:24:55.878753: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.878757: | #6 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I1 with status STF_SUSPEND Oct 31 15:24:55.878760: | no MD to suspend Oct 31 15:24:55.878764: | delref logger@0x561a1d27f9e8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:55.878766: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.878769: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.878773: | resume sending helper answer back to state for #6 suppresed complete_v2_state_transition() Oct 31 15:24:55.878776: | delref mdp@NULL (in resume_handler() at server.c:743) Oct 31 15:24:55.878782: | #6 spent 0.0698 (0.0742) milliseconds in resume sending helper answer back to state Oct 31 15:24:55.878788: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:55.878791: | libevent_free: delref ptr-libevent@0x7f7054010538 Oct 31 15:24:55.878794: | processing signal PLUTO_SIGCHLD Oct 31 15:24:55.878799: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:55.878804: | spent 0.00523 (0.00522) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:55.878816: | spent 0.00206 (0.00203) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.878826: | newref struct msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.878829: | newref alloc logger@0x561a1d288308(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.878835: | *received 80 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP Oct 31 15:24:55.878838: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.878841: | 2e 20 25 
00 00 00 00 02 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.878843: | ac b9 6f d4 38 9c 6e 51 38 5b fe 8f 26 06 3b ed Oct 31 15:24:55.878846: | 48 13 ba f5 87 7a a4 1b e8 f1 bd 1a 57 6f ec 4b Oct 31 15:24:55.878848: | ea 5d 5a 4f e7 56 40 a4 62 2d 22 59 a1 5a 9f f3 Oct 31 15:24:55.878852: | **parse ISAKMP Message: Oct 31 15:24:55.878857: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.878861: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.878864: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:55.878869: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.878871: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.878874: | flags: none (0x0) Oct 31 15:24:55.878878: | Message ID: 2 (00 00 00 02) Oct 31 15:24:55.878881: | length: 80 (00 00 00 50) Oct 31 15:24:55.878884: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Oct 31 15:24:55.878887: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Oct 31 15:24:55.878892: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:55.878898: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:55.878902: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Oct 31 15:24:55.878906: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:55.878908: | #1 is idle Oct 31 15:24:55.878920: | Message ID: IKE #1 not a duplicate - message request 2 is new: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.878927: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:55.878929: | unpacking clear payload Oct 31 15:24:55.878933: | Now 
let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:55.878936: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:55.878939: | next payload type: ISAKMP_NEXT_v2D (0x2a) Oct 31 15:24:55.878942: | flags: none (0x0) Oct 31 15:24:55.878946: | length: 52 (00 34) Oct 31 15:24:55.878948: | processing payload: ISAKMP_NEXT_v2SK (len=48) Oct 31 15:24:55.878951: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:24:55.878979: | authenticator matched Oct 31 15:24:55.878991: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Oct 31 15:24:55.878995: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Oct 31 15:24:55.878999: | **parse IKEv2 Delete Payload: Oct 31 15:24:55.879001: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879004: | flags: none (0x0) Oct 31 15:24:55.879007: | length: 12 (00 0c) Oct 31 15:24:55.879010: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.879013: | SPI size: 4 (04) Oct 31 15:24:55.879016: | number of SPIs: 1 (00 01) Oct 31 15:24:55.879019: | processing payload: ISAKMP_NEXT_v2D (len=4) Oct 31 15:24:55.879022: | selected state microcode Informational Request Oct 31 15:24:55.879029: | Message ID: IKE #1 responder starting message request 2: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=-1->2 Oct 31 15:24:55.879032: | calling processor Informational Request Oct 31 15:24:55.879036: | an informational request should send a response Oct 31 15:24:55.879042: | opening output PBS information exchange reply packet Oct 31 15:24:55.879044: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Oct 31 15:24:55.879047: | **emit ISAKMP Message: Oct 31 15:24:55.879050: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.879052: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879054: | next payload type: ISAKMP_NEXT_NONE (0x0) 
Oct 31 15:24:55.879056: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.879057: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.879059: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Oct 31 15:24:55.879061: | Message ID: 2 (00 00 00 02) Oct 31 15:24:55.879068: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.879070: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:55.879071: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879075: | flags: none (0x0) Oct 31 15:24:55.879077: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.879078: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.879080: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.879087: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Oct 31 15:24:55.879088: | SPI Oct 31 15:24:55.879090: | ad 7c bd fe Oct 31 15:24:55.879092: | delete IKEv2_SEC_PROTO_ESP SA(0xad7cbdfe) Oct 31 15:24:55.879094: | v2 CHILD SA #3 found using their inbound (our outbound) SPI, in STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:55.879096: | State DB: found IKEv2 state #3 in ESTABLISHED_CHILD_SA (find_v2_child_sa_by_outbound_spi) Oct 31 15:24:55.879097: | our side SPI that needs to be deleted: IKEv2_SEC_PROTO_ESP SA(0xad7cbdfe) Oct 31 15:24:55.879100: "north-eastnets/0x2" #1: received Delete SA payload: delete IPsec State #3 now Oct 31 15:24:55.879102: | pstats #3 ikev2.child deleted completed Oct 31 15:24:55.879105: | #3 main thread spent 1.7 (35.2) milliseconds helper thread spent 4.72 (4.85) milliseconds in total Oct 31 15:24:55.879108: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.879111: | start 
processing: state #3 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.879113: | should_send_delete: no, just because Oct 31 15:24:55.879115: "north-eastnets/0x2" #3: deleting other state #3 (STATE_V2_ESTABLISHED_CHILD_SA) aged 2.354253s and NOT sending notification Oct 31 15:24:55.879117: | child state #3: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:24:55.879120: | get_sa_info esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:55.879129: | get_sa_info esp.45971e75@192.1.3.33 Oct 31 15:24:55.879134: "north-eastnets/0x2" #3: ESP traffic information: in=336B out=336B Oct 31 15:24:55.879137: | unsuspending #3 MD (nil) Oct 31 15:24:55.879138: | should_send_delete: no, just because Oct 31 15:24:55.879140: | child state #3: ESTABLISHED_CHILD_SA(established CHILD SA) => CHILDSA_DEL(informational) Oct 31 15:24:55.879142: | state #3 deleting .st_event EVENT_SA_REKEY Oct 31 15:24:55.879144: | libevent_free: delref ptr-libevent@0x561a1d280228 Oct 31 15:24:55.879146: | free_event_entry: delref EVENT_SA_REKEY-pe@0x561a1d269e98 Oct 31 15:24:55.879148: | #3 STATE_CHILDSA_DEL: retransmits: cleared Oct 31 15:24:55.879192: | delete esp.ad7cbdfe@192.1.2.23 Oct 31 15:24:55.879197: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.879228: | netlink response for Del SA esp.ad7cbdfe@192.1.2.23 included non-error error Oct 31 15:24:55.879232: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:55.879239: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk.10000@192.1.3.33 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:55.879251: | raw_eroute result=success Oct 31 15:24:55.879256: | delete esp.45971e75@192.1.3.33 Oct 31 15:24:55.879259: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.879275: | netlink response for Del SA esp.45971e75@192.1.3.33 included non-error error Oct 31 15:24:55.879280: | in connection_discard for connection north-eastnets/0x2 Oct 31 
15:24:55.879283: | State DB: deleting IKEv2 state #3 in CHILDSA_DEL Oct 31 15:24:55.879286: | child state #3: CHILDSA_DEL(informational) => UNDEFINED(ignore) Oct 31 15:24:55.879289: | releasing #3's fd-fd@(nil) because deleting state Oct 31 15:24:55.879292: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.879295: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.879297: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:55.879312: | stop processing: state #3 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.879317: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.879327: | delref logger@0x561a1d277d98(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.879330: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.879333: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.879342: | ****emit IKEv2 Delete Payload: Oct 31 15:24:55.879345: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879347: | flags: none (0x0) Oct 31 15:24:55.879350: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.879354: | SPI size: 4 (04) Oct 31 15:24:55.879357: | number of SPIs: 1 (00 01) Oct 31 15:24:55.879360: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:24:55.879362: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.879366: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Oct 31 15:24:55.879370: | local SPIs: 45 97 1e 75 Oct 31 15:24:55.879372: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:24:55.879375: | adding 4 bytes of padding (including 1 byte padding-length) Oct 31 15:24:55.879378: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload 
Oct 31 15:24:55.879381: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.879384: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.879387: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.879390: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:55.879392: | emitting length of IKEv2 Encryption Payload: 52 Oct 31 15:24:55.879395: | emitting length of ISAKMP Message: 80 Oct 31 15:24:55.879428: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.879432: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879434: | 2e 20 25 28 00 00 00 02 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.879437: | ab 8e 13 b2 8c db 43 b3 29 1a 84 bd 31 e4 44 88 Oct 31 15:24:55.879440: | 29 d4 e6 cb 59 42 c7 ac 91 4d 17 43 51 27 26 b8 Oct 31 15:24:55.879442: | ea d0 bc f0 ed 2e 89 0a f3 02 57 ec 19 8a e9 0d Oct 31 15:24:55.879474: | sent 1 messages Oct 31 15:24:55.879482: | Message ID: IKE #1 XXX: in process_encrypted_informational_ikev2() hacking around record 'n' send bypassing send queue hacking around delete_ike_family(): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=2 Oct 31 15:24:55.879486: | Message ID: IKE #1 updating responder sent message response 2: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=1->2 ike.responder.recv=1 ike.responder.last_contact=744570.300843 ike.wip.initiator=-1 ike.wip.responder=2 Oct 31 15:24:55.879491: | #1 spent 0.42 (0.454) milliseconds in processing: Informational Request in v2_dispatch() Oct 31 15:24:55.879495: | [RE]START 
processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.879498: | #1 complete_v2_state_transition() ESTABLISHED_IKE_SA->ESTABLISHED_IKE_SA with status STF_OK; .st_v2_transition=PARENT_I0->PARENT_I1 Oct 31 15:24:55.879500: | Message ID: updating counters for #1 Oct 31 15:24:55.879504: | Message ID: IKE #1 updating responder received message request 2: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=1->2 ike.responder.last_contact=744570.300843->744570.312298 ike.wip.initiator=-1 ike.wip.responder=2->-1 Oct 31 15:24:55.879509: | Message ID: IKE #1 updating responder sent message response 2: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.879513: | Message ID: CHILD #1.#6 wakeing IKE SA for next initiator (unack 0): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:55.879515: | scheduling callback v2_msgid_schedule_next_initiator (#1) Oct 31 15:24:55.879517: | libevent_malloc: newref ptr-libevent@0x7f7054010538 size 128 Oct 31 15:24:55.879519: | announcing the state transition Oct 31 15:24:55.879521: "north-eastnets/0x2" #1: established IKE SA Oct 31 15:24:55.879525: | sending 80 bytes for STATE_V2_ESTABLISHED_IKE_SA through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.879527: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879528: | 2e 20 25 28 00 00 00 02 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.879530: | ab 8e 13 b2 8c db 43 b3 29 1a 84 bd 31 e4 44 88 Oct 31 15:24:55.879531: | 29 d4 e6 cb 59 42 c7 ac 91 4d 17 43 51 
27 26 b8 Oct 31 15:24:55.879533: | ea d0 bc f0 ed 2e 89 0a f3 02 57 ec 19 8a e9 0d Oct 31 15:24:55.879545: | sent 1 messages Oct 31 15:24:55.879547: | #1 is retaining EVENT_SA_REKEY with is previously set timeout Oct 31 15:24:55.879551: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:55.879554: | #1 spent 0.698 (0.742) milliseconds in ikev2_process_packet() Oct 31 15:24:55.879556: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.879559: | delref mdp@0x561a1d2864c8(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.879561: | delref logger@0x561a1d288308(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.879562: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.879564: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.879567: | spent 0.711 (0.755) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.879570: | libevent_free: delref ptr-libevent@0x7f7048002de8 Oct 31 15:24:55.879571: | processing callback v2_msgid_schedule_next_initiator for #1 Oct 31 15:24:55.879575: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:828) Oct 31 15:24:55.879579: | Message ID: CHILD #1.#6 resuming SA using IKE SA (unack 0): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:55.879582: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:675) Oct 31 15:24:55.879584: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:675) Oct 31 15:24:55.879586: | unsuspending #6 MD (nil) Oct 31 15:24:55.879590: | opening output PBS reply packet 
Oct 31 15:24:55.879592: | **emit ISAKMP Message: Oct 31 15:24:55.879594: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.879597: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879598: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.879600: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.879601: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:24:55.879603: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:55.879605: | Message ID: 3 (00 00 00 03) Oct 31 15:24:55.879607: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.879609: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:55.879611: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879613: | flags: none (0x0) Oct 31 15:24:55.879615: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.879617: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.879619: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.879632: | netlink_get_spi: allocated 0xedd07e43 for esp.0@192.1.3.33 Oct 31 15:24:55.879635: | Emitting ikev2_proposals ... 
Oct 31 15:24:55.879636: | ****emit IKEv2 Security Association Payload: Oct 31 15:24:55.879638: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879639: | flags: none (0x0) Oct 31 15:24:55.879641: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:55.879643: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.879646: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.879648: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.879650: | prop #: 1 (01) Oct 31 15:24:55.879651: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.879653: | spi size: 4 (04) Oct 31 15:24:55.879654: | # transforms: 4 (04) Oct 31 15:24:55.879656: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:55.879658: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:24:55.879660: | our spi: ed d0 7e 43 Oct 31 15:24:55.879662: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.879663: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.879665: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.879666: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.879668: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.879670: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.879672: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.879674: | length/value: 128 (00 80) Oct 31 15:24:55.879675: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:55.879677: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.879678: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 
15:24:55.879680: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.879681: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:55.879683: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.879685: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.879686: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.879688: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.879689: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.879691: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.879692: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:55.879694: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.879695: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.879697: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.879698: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.879700: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.879704: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.879706: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.879708: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.879709: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 
15:24:55.879711: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.879712: | emitting length of IKEv2 Proposal Substructure Payload: 48 Oct 31 15:24:55.879714: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:55.879715: | emitting length of IKEv2 Security Association Payload: 52 Oct 31 15:24:55.879717: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:55.879719: "north-eastnets/0x2" #6: CHILD SA to rekey #5 vanished abort this exchange Oct 31 15:24:55.879721: | ikev2_child_sa_respond returned STF_INTERNAL_ERROR Oct 31 15:24:55.879724: | [RE]START processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.879726: | #6 complete_v2_state_transition() V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I1 with status STF_INTERNAL_ERROR Oct 31 15:24:55.879763: "north-eastnets/0x2" #6: state transition function for STATE_V2_REKEY_CHILD_I0 had internal error Oct 31 15:24:55.879768: | release_pending_whacks: state #6 has no whack fd Oct 31 15:24:55.879771: | delref mdp@NULL (in initiate_next() at ikev2_msgid.c:705) Oct 31 15:24:55.879776: | stop processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:707) Oct 31 15:24:55.879781: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in initiate_next() at ikev2_msgid.c:707) Oct 31 15:24:55.879785: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:832) Oct 31 15:24:55.879790: | spent 0.212 (0.215) milliseconds in callback v2_msgid_schedule_next_initiator Oct 31 15:24:55.879802: | spent 0.00179 (0.00177) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.879810: | newref struct 
msg_digest@0x561a1d2864c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.879814: | newref alloc logger@0x561a1d269e98(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.879819: | *received 80 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP Oct 31 15:24:55.879822: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879824: | 2e 20 25 00 00 00 00 03 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.879826: | 00 4c 4e bc 5e 56 6b cb 15 3a 6a 04 c8 50 fb ab Oct 31 15:24:55.879829: | b9 26 1e 1d f6 7a 0e 88 44 35 54 d3 c4 56 98 96 Oct 31 15:24:55.879831: | 3d 86 44 10 5a 16 95 cc e2 38 ea 43 ab 03 43 fa Oct 31 15:24:55.879835: | **parse ISAKMP Message: Oct 31 15:24:55.879840: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.879843: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879846: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:55.879849: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.879851: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.879854: | flags: none (0x0) Oct 31 15:24:55.879857: | Message ID: 3 (00 00 00 03) Oct 31 15:24:55.879861: | length: 80 (00 00 00 50) Oct 31 15:24:55.879864: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Oct 31 15:24:55.879867: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Oct 31 15:24:55.879871: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:55.879878: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:55.879881: | #1 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 Oct 31 15:24:55.879883: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:55.879885: | #1 is idle Oct 31 15:24:55.879889: | Message ID: IKE #1 not a duplicate - message request 3 is new: ike.initiator.sent=2 ike.initiator.recv=2 
ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.879892: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:55.879893: | unpacking clear payload Oct 31 15:24:55.879895: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:55.879897: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:55.879898: | next payload type: ISAKMP_NEXT_v2D (0x2a) Oct 31 15:24:55.879900: | flags: none (0x0) Oct 31 15:24:55.879902: | length: 52 (00 34) Oct 31 15:24:55.879903: | processing payload: ISAKMP_NEXT_v2SK (len=48) Oct 31 15:24:55.879905: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:24:55.879923: | authenticator matched Oct 31 15:24:55.879930: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Oct 31 15:24:55.879932: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Oct 31 15:24:55.879934: | **parse IKEv2 Delete Payload: Oct 31 15:24:55.879936: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879937: | flags: none (0x0) Oct 31 15:24:55.879939: | length: 12 (00 0c) Oct 31 15:24:55.879941: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.879942: | SPI size: 4 (04) Oct 31 15:24:55.879944: | number of SPIs: 1 (00 01) Oct 31 15:24:55.879946: | processing payload: ISAKMP_NEXT_v2D (len=4) Oct 31 15:24:55.879947: | selected state microcode Informational Request Oct 31 15:24:55.879951: | Message ID: IKE #1 responder starting message request 3: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 ike.wip.initiator=-1 ike.wip.responder=-1->3 Oct 31 15:24:55.879953: | calling processor Informational Request Oct 31 15:24:55.879955: | an informational request should send a response Oct 31 15:24:55.879958: | opening 
output PBS information exchange reply packet Oct 31 15:24:55.879960: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Oct 31 15:24:55.879962: | **emit ISAKMP Message: Oct 31 15:24:55.879965: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.879971: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.879974: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.879977: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.879979: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.879982: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Oct 31 15:24:55.879985: | Message ID: 3 (00 00 00 03) Oct 31 15:24:55.879988: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.879991: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:55.879994: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.879996: | flags: none (0x0) Oct 31 15:24:55.879999: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.880002: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.880005: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.880011: | parsing 4 raw bytes of IKEv2 Delete Payload into SPI Oct 31 15:24:55.880014: | SPI Oct 31 15:24:55.880017: | 1c 19 67 03 Oct 31 15:24:55.880020: | delete IKEv2_SEC_PROTO_ESP SA(0x1c196703) Oct 31 15:24:55.880025: | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:55.880028: | State DB: found IKEv2 state #2 in ESTABLISHED_CHILD_SA (find_v2_child_sa_by_outbound_spi) Oct 31 15:24:55.880031: | our side SPI that needs to be deleted: IKEv2_SEC_PROTO_ESP SA(0x1c196703) Oct 31 15:24:55.880034: "north-eastnets/0x2" #1: received Delete SA 
payload: replace IPsec State #2 now Oct 31 15:24:55.880036: | #2 requesting EVENT_SA_REKEY-pe@0x561a1d279218 be deleted Oct 31 15:24:55.880039: | libevent_free: delref ptr-libevent@0x561a1d282788 Oct 31 15:24:55.880041: | free_event_entry: delref EVENT_SA_REKEY-pe@0x561a1d279218 Oct 31 15:24:55.880043: | event_schedule: newref EVENT_SA_REPLACE-pe@0x561a1d27f9e8 Oct 31 15:24:55.880045: | inserting event EVENT_SA_REPLACE, timeout in 0 seconds for #2 Oct 31 15:24:55.880047: | libevent_malloc: newref ptr-libevent@0x7f7048002de8 size 128 Oct 31 15:24:55.880049: | ****emit IKEv2 Delete Payload: Oct 31 15:24:55.880051: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.880052: | flags: none (0x0) Oct 31 15:24:55.880054: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.880056: | SPI size: 4 (04) Oct 31 15:24:55.880058: | number of SPIs: 1 (00 01) Oct 31 15:24:55.880059: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:24:55.880061: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.880063: | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload Oct 31 15:24:55.880065: | local SPIs: 1e ac a1 14 Oct 31 15:24:55.880066: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:24:55.880068: | adding 4 bytes of padding (including 1 byte padding-length) Oct 31 15:24:55.880070: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.880071: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.880073: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.880074: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.880076: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 
Encryption Payload Oct 31 15:24:55.880077: | emitting length of IKEv2 Encryption Payload: 52 Oct 31 15:24:55.880079: | emitting length of ISAKMP Message: 80 Oct 31 15:24:55.880099: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.880101: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.880103: | 2e 20 25 28 00 00 00 03 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.880104: | 4b a0 83 b2 39 ca aa f9 e4 30 34 4b f5 17 fb a9 Oct 31 15:24:55.880105: | c9 f1 b3 f9 f3 3c ba c3 e7 98 e6 27 88 cc 80 76 Oct 31 15:24:55.880107: | c9 bc 34 22 47 e0 8c 8e 94 89 eb 25 8a 58 13 59 Oct 31 15:24:55.880127: | sent 1 messages Oct 31 15:24:55.880132: | Message ID: IKE #1 XXX: in process_encrypted_informational_ikev2() hacking around record 'n' send bypassing send queue hacking around delete_ike_family(): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744570.312298 ike.wip.initiator=-1 ike.wip.responder=3 Oct 31 15:24:55.880136: | Message ID: IKE #1 updating responder sent message response 3: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=2->3 ike.responder.recv=2 ike.responder.last_contact=744570.312298 ike.wip.initiator=-1 ike.wip.responder=3 Oct 31 15:24:55.880140: | #1 spent 0.174 (0.184) milliseconds in processing: Informational Request in v2_dispatch() Oct 31 15:24:55.880144: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.880148: | #1 complete_v2_state_transition() ESTABLISHED_IKE_SA->ESTABLISHED_IKE_SA with status STF_OK; .st_v2_transition=PARENT_I0->PARENT_I1 Oct 31 15:24:55.880150: | Message ID: updating counters for #1 Oct 31 15:24:55.880154: | Message ID: IKE #1 updating responder received 
message request 3: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=2->3 ike.responder.last_contact=744570.312298->744570.312948 ike.wip.initiator=-1 ike.wip.responder=3->-1 Oct 31 15:24:55.880158: | Message ID: IKE #1 updating responder sent message response 3: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.880161: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.880162: | announcing the state transition Oct 31 15:24:55.880164: "north-eastnets/0x2" #1: established IKE SA Oct 31 15:24:55.880168: | sending 80 bytes for STATE_V2_ESTABLISHED_IKE_SA through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.880169: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.880171: | 2e 20 25 28 00 00 00 03 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.880172: | 4b a0 83 b2 39 ca aa f9 e4 30 34 4b f5 17 fb a9 Oct 31 15:24:55.880173: | c9 f1 b3 f9 f3 3c ba c3 e7 98 e6 27 88 cc 80 76 Oct 31 15:24:55.880175: | c9 bc 34 22 47 e0 8c 8e 94 89 eb 25 8a 58 13 59 Oct 31 15:24:55.880184: | sent 1 messages Oct 31 15:24:55.880187: | #1 is retaining EVENT_SA_REKEY with is previously set timeout Oct 31 15:24:55.880190: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:55.880193: | #1 spent 0.381 (0.395) milliseconds in ikev2_process_packet() Oct 31 15:24:55.880195: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.880197: | delref mdp@0x561a1d2864c8(1->0) (in 
handle_packet_cb() at demux.c:318) Oct 31 15:24:55.880224: | delref logger@0x561a1d269e98(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.880227: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.880228: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.880232: | spent 0.399 (0.434) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.880234: | libevent_free: delref ptr-libevent@0x7f7054010538 Oct 31 15:24:55.880236: | processing callback v2_msgid_schedule_next_initiator for #1 Oct 31 15:24:55.880240: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:828) Oct 31 15:24:55.880242: | stop processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in callback_handler() at server.c:832) Oct 31 15:24:55.880245: | spent 0.00623 (0.00623) milliseconds in callback v2_msgid_schedule_next_initiator Oct 31 15:24:55.880249: | timer_event_cb: processing event@0x561a1d27f9e8 Oct 31 15:24:55.880251: | handling event EVENT_SA_REPLACE for child state #2 Oct 31 15:24:55.880253: | libevent_free: delref ptr-libevent@0x7f7048002de8 Oct 31 15:24:55.880254: | free_event_entry: delref EVENT_SA_REPLACE-pe@0x561a1d27f9e8 Oct 31 15:24:55.880257: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.880260: | picked newest_ipsec_sa #2 for #2 Oct 31 15:24:55.880262: | replacing stale CHILD SA Oct 31 15:24:55.880265: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:55.880267: | FOR_EACH_STATE_... 
in find_pending_phase2 Oct 31 15:24:55.880271: | newref alloc logger@0x561a1d279218(0->1) (in new_state() at state.c:576) Oct 31 15:24:55.880274: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:55.880276: | creating state object #7 at 0x561a1d285198 Oct 31 15:24:55.880278: | State DB: adding IKEv2 state #7 in UNDEFINED Oct 31 15:24:55.880281: | pstats #7 ikev2.child started Oct 31 15:24:55.880283: | duplicating state object #1 "north-eastnets/0x2" as #7 for IPSEC SA Oct 31 15:24:55.880286: | #7 setting local endpoint to 192.1.3.33:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:55.880291: | Message ID: CHILD #1.#7 initializing (CHILD SA): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:55.880294: | child state #7: UNDEFINED(ignore) => V2_REKEY_CHILD_I0(established IKE SA) Oct 31 15:24:55.880296: | #7.st_v2_transition NULL -> V2_REKEY_CHILD_I0->V2_REKEY_CHILD_I1 (in new_v2_child_state() at state.c:1666) Oct 31 15:24:55.880298: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:55.880301: | suspend processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:55.880303: | start processing: state #7 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:5960) Oct 31 15:24:55.880306: | create child proposal's DH changed from no-PFS to MODP2048, flushing Oct 31 15:24:55.880308: | constructing ESP/AH proposals with default DH MODP2048 for north-eastnets/0x1 (ESP/AH initiator emitting proposals) Oct 31 15:24:55.880312: | converting proposal AES_CBC_128-HMAC_SHA2_512_256-MODP3072 to ikev2 ... Oct 31 15:24:55.880317: | ... 
ikev2_proposal: 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:55.880319: "north-eastnets/0x1": local ESP/AH proposals (ESP/AH initiator emitting proposals): Oct 31 15:24:55.880321: "north-eastnets/0x1": 1:ESP=AES_CBC_128-HMAC_SHA2_512_256-MODP3072-DISABLED Oct 31 15:24:55.880325: | #7 schedule rekey initiate IPsec SA RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 to replace #2 using IKE# 1 pfs=MODP3072 Oct 31 15:24:55.880327: | event_schedule: newref EVENT_v2_INITIATE_CHILD-pe@0x561a1d2793d8 Oct 31 15:24:55.880329: | inserting event EVENT_v2_INITIATE_CHILD, timeout in 0 seconds for #7 Oct 31 15:24:55.880331: | libevent_malloc: newref ptr-libevent@0x561a1d282788 size 128 Oct 31 15:24:55.880334: | RESET processing: state #7 connection "north-eastnets/0x1" from 192.1.2.23:500 (in ikev2_initiate_child_sa() at ikev2_parent.c:6035) Oct 31 15:24:55.880336: | event_schedule: newref EVENT_SA_EXPIRE-pe@0x561a1d277d98 Oct 31 15:24:55.880337: | inserting event EVENT_SA_EXPIRE, timeout in 0 seconds for #2 Oct 31 15:24:55.880339: | libevent_malloc: newref ptr-libevent@0x7f7048002e98 size 128 Oct 31 15:24:55.880342: | #2 spent 0.092 (0.0921) milliseconds in timer_event_cb() EVENT_SA_REPLACE Oct 31 15:24:55.880344: | processing: STOP state #0 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.880347: | timer_event_cb: processing event@0x561a1d2793d8 Oct 31 15:24:55.880349: | handling event EVENT_v2_INITIATE_CHILD for child state #7 Oct 31 15:24:55.880350: | libevent_free: delref ptr-libevent@0x561a1d282788 Oct 31 15:24:55.880352: | free_event_entry: delref EVENT_v2_INITIATE_CHILD-pe@0x561a1d2793d8 Oct 31 15:24:55.880354: | start processing: state #7 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.880358: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:55.880360: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:55.880362: | newref clone 
logger@0x561a1d288308(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:55.880364: | job 10 for #7: Child Rekey Initiator KE and nonce ni (build KE and nonce): adding job to queue Oct 31 15:24:55.880365: | state #7 has no .st_event to delete Oct 31 15:24:55.880368: | #7 STATE_V2_REKEY_CHILD_I0: retransmits: cleared Oct 31 15:24:55.880370: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27f9e8 Oct 31 15:24:55.880371: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #7 Oct 31 15:24:55.880373: | libevent_malloc: newref ptr-libevent@0x561a1d282788 size 128 Oct 31 15:24:55.880381: | #7 spent 0.0329 (0.033) milliseconds in timer_event_cb() EVENT_v2_INITIATE_CHILD Oct 31 15:24:55.880384: | stop processing: state #7 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.880386: | timer_event_cb: processing event@0x561a1d277d98 Oct 31 15:24:55.880387: | handling event EVENT_SA_EXPIRE for child state #2 Oct 31 15:24:55.880389: | libevent_free: delref ptr-libevent@0x7f7048002e98 Oct 31 15:24:55.880391: | free_event_entry: delref EVENT_SA_EXPIRE-pe@0x561a1d277d98 Oct 31 15:24:55.880393: | start processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in timer_event_cb() at timer.c:188) Oct 31 15:24:55.880395: | picked newest_ipsec_sa #2 for #2 Oct 31 15:24:55.880397: | un-established partial CHILD SA timeout (SA expired) Oct 31 15:24:55.880398: | pstats #2 ikev2.child re-failed exchange-timeout Oct 31 15:24:55.880400: | should_send_delete: no, just because Oct 31 15:24:55.880402: | pstats #2 ikev2.child deleted completed Oct 31 15:24:55.880405: | #2 main thread spent 2.17 (74.6) milliseconds helper thread spent 0 (0) milliseconds in total Oct 31 15:24:55.880407: | [RE]START processing: state #2 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.880409: | should_send_delete: no, just because Oct 31 15:24:55.880411: 
"north-eastnets/0x1" #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 2.505919s and NOT sending notification Oct 31 15:24:55.880413: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:24:55.880416: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:55.880427: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:55.880433: "north-eastnets/0x1" #2: ESP traffic information: in=840B out=840B Oct 31 15:24:55.880435: | unsuspending #2 MD (nil) Oct 31 15:24:55.880436: | should_send_delete: no, just because Oct 31 15:24:55.880438: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => CHILDSA_DEL(informational) Oct 31 15:24:55.880440: | state #2 has no .st_event to delete Oct 31 15:24:55.880441: | #2 STATE_CHILDSA_DEL: retransmits: cleared Oct 31 15:24:55.880447: | job 10 for #7: Child Rekey Initiator KE and nonce ni (build KE and nonce): helper 3 starting job Oct 31 15:24:55.880490: | running updown command "ipsec _updown" for verb down Oct 31 15:24:55.880497: | command executing down-client Oct 31 15:24:55.880503: | get_sa_info esp.1c196703@192.1.2.23 Oct 31 15:24:55.880585: | get_sa_info esp.1eaca114@192.1.3.33 Oct 31 15:24:55.880621: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' 
PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU... Oct 31 15:24:55.880626: | popen cmd is 1146 chars long Oct 31 15:24:55.880629: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x: Oct 31 15:24:55.880633: | cmd( 80):1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO: Oct 31 15:24:55.880636: | cmd( 160):_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIEN: Oct 31 15:24:55.880639: | cmd( 240):T='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.2: Oct 31 15:24:55.880641: | cmd( 320):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: Oct 31 15:24:55.880643: | cmd( 400):PE='ESP' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.: Oct 31 15:24:55.880646: | cmd( 480):2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0': Oct 31 15:24:55.880648: | cmd( 560): PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm': Oct 31 15:24:55.880651: | cmd( 640): PLUTO_ADDTIME='1604157893' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+U: Oct 31 15:24:55.880653: | cmd( 720):P+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' : Oct 31 15:24:55.880655: | cmd( 800):PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_D: Oct 31 15:24:55.880658: | cmd( 880):NS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' P: Oct 31 15:24:55.880660: | cmd( 960):LUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='840' PLUTO_OUTBYTES=': Oct 31 15:24:55.880662: | cmd(1040):840' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x1c196703 SPI_OUT=0x1: Oct 31 15:24:55.880665: | cmd(1120):eaca114 ipsec _updown 2>&1: 
Oct 31 15:24:55.884377: | "north-eastnets/0x1" #7: spent 3.84 (3.93) milliseconds in helper 3 processing job 10 for state #7: Child Rekey Initiator KE and nonce ni (pcr) Oct 31 15:24:55.884392: | job 10 for #7: Child Rekey Initiator KE and nonce ni (build KE and nonce): helper thread 3 sending result back to state Oct 31 15:24:55.884395: | scheduling resume sending helper answer back to state for #7 Oct 31 15:24:55.884398: | libevent_malloc: newref ptr-libevent@0x7f7058006da8 size 128 Oct 31 15:24:55.884404: | helper thread 3 has nothing to do Oct 31 15:24:55.889880: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.3.0/24:0 --0->- 192.0.2.0/24:0 Oct 31 15:24:55.889895: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.2.0/24:0 Oct 31 15:24:55.889899: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:55.889903: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:55.889934: | delete esp.1c196703@192.1.2.23 Oct 31 15:24:55.889939: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.889960: | netlink response for Del SA esp.1c196703@192.1.2.23 included non-error error Oct 31 15:24:55.889965: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:55.889972: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk.10000@192.1.3.33 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:55.889999: | raw_eroute result=success Oct 31 15:24:55.890005: | delete esp.1eaca114@192.1.3.33 Oct 31 15:24:55.890008: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:55.890022: | netlink response for Del SA esp.1eaca114@192.1.3.33 included non-error error Oct 31 15:24:55.890027: | in connection_discard for connection north-eastnets/0x1 Oct 31 15:24:55.890030: | State DB: deleting IKEv2 state #2 in CHILDSA_DEL Oct 31 15:24:55.890035: | child state #2: CHILDSA_DEL(informational) => 
UNDEFINED(ignore) Oct 31 15:24:55.890038: | releasing #2's fd-fd@(nil) because deleting state Oct 31 15:24:55.890041: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890043: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890046: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:55.890053: | stop processing: state #2 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890060: | delref logger@0x561a1d277c48(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.890066: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890068: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.890072: | State DB: found IKEv2 state #7 in V2_REKEY_CHILD_I0 (v2_expire_unused_ike_sa) Oct 31 15:24:55.890075: | can't expire unused IKE SA #1; it has the child #7 Oct 31 15:24:55.890078: | in statetime_stop() and could not find #2 Oct 31 15:24:55.890081: | processing: STOP state #0 (in timer_event_cb() at timer.c:447) Oct 31 15:24:55.890102: | spent 0.00245 (0.00214) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.890116: | newref struct msg_digest@0x561a1d294018(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.890120: | newref alloc logger@0x561a1d269e98(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.890126: | *received 80 bytes from 192.1.2.23:500 on eth1 192.1.3.33:500 using UDP Oct 31 15:24:55.890129: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.890131: | 2e 20 25 00 00 00 00 04 00 00 00 50 2a 00 00 34 Oct 31 15:24:55.890133: | 17 c4 5f 8b 08 4b 8a eb 34 52 15 20 71 ae 10 fe Oct 31 15:24:55.890135: | 37 80 f0 8a 23 5e a3 ac 5e ff d9 c8 14 dd 31 59 Oct 31 15:24:55.890137: | a2 32 a5 0f d4 52 ca 00 fa a3 ff 49 e2 9d 16 ab Oct 31 15:24:55.890141: | **parse ISAKMP Message: Oct 31 15:24:55.890146: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.890150: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 
31 15:24:55.890153: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:55.890155: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.890157: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.890160: | flags: none (0x0) Oct 31 15:24:55.890164: | Message ID: 4 (00 00 00 04) Oct 31 15:24:55.890167: | length: 80 (00 00 00 50) Oct 31 15:24:55.890170: | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) Oct 31 15:24:55.890173: | I am the IKE SA Original Initiator receiving an IKEv2 INFORMATIONAL request Oct 31 15:24:55.890177: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:24:55.890184: | start processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:55.890187: | #1 st.st_msgid_lastrecv 3 md.hdr.isa_msgid 00000004 Oct 31 15:24:55.890190: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:55.890193: | #1 is idle Oct 31 15:24:55.890220: | Message ID: IKE #1 not a duplicate - message request 4 is new: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.890229: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:55.890232: | unpacking clear payload Oct 31 15:24:55.890235: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:55.890239: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:55.890241: | next payload type: ISAKMP_NEXT_v2D (0x2a) Oct 31 15:24:55.890244: | flags: none (0x0) Oct 31 15:24:55.890247: | length: 52 (00 34) Oct 31 15:24:55.890250: | processing payload: ISAKMP_NEXT_v2SK (len=48) Oct 31 15:24:55.890253: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:24:55.890284: | 
authenticator matched Oct 31 15:24:55.890294: | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success Oct 31 15:24:55.890296: | Now let's proceed with payload (ISAKMP_NEXT_v2D) Oct 31 15:24:55.890300: | **parse IKEv2 Delete Payload: Oct 31 15:24:55.890302: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.890304: | flags: none (0x0) Oct 31 15:24:55.890307: | length: 8 (00 08) Oct 31 15:24:55.890310: | protocol ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.890313: | SPI size: 0 (00) Oct 31 15:24:55.890316: | number of SPIs: 0 (00 00) Oct 31 15:24:55.890319: | processing payload: ISAKMP_NEXT_v2D (len=0) Oct 31 15:24:55.890322: | selected state microcode Informational Request Oct 31 15:24:55.890329: | Message ID: IKE #1 responder starting message request 4: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=-1->4 Oct 31 15:24:55.890332: | calling processor Informational Request Oct 31 15:24:55.890336: | an informational request should send a response Oct 31 15:24:55.890341: | opening output PBS information exchange reply packet Oct 31 15:24:55.890343: | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness Oct 31 15:24:55.890346: | **emit ISAKMP Message: Oct 31 15:24:55.890351: | initiator SPI: 3e 8d 75 fe ee 1c ba 7c Oct 31 15:24:55.890355: | responder SPI: 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.890357: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.890360: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.890362: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:55.890365: | flags: ISAKMP_FLAG_v2_IKE_INIT+ISAKMP_FLAG_v2_MSG_RESPONSE (0x28) Oct 31 15:24:55.890368: | Message ID: 4 (00 00 00 04) Oct 31 15:24:55.890371: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.890374: | 
***emit IKEv2 Encryption Payload: Oct 31 15:24:55.890377: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.890379: | flags: none (0x0) Oct 31 15:24:55.890382: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.890385: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' Oct 31 15:24:55.890388: | emitting 16 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.890394: | adding 16 bytes of padding (including 1 byte padding-length) Oct 31 15:24:55.890397: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890399: | emitting 1 0x01 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890402: | emitting 1 0x02 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890404: | emitting 1 0x03 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890406: | emitting 1 0x04 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890409: | emitting 1 0x05 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890411: | emitting 1 0x06 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890413: | emitting 1 0x07 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890416: | emitting 1 0x08 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890419: | emitting 1 0x09 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890421: | emitting 1 0x0a repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890424: | emitting 1 0x0b repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890426: | emitting 1 0x0c repeated bytes of 
padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890429: | emitting 1 0x0d repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890431: | emitting 1 0x0e repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890433: | emitting 1 0x0f repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.890436: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:55.890439: | emitting length of IKEv2 Encryption Payload: 52 Oct 31 15:24:55.890441: | emitting length of ISAKMP Message: 80 Oct 31 15:24:55.890477: | sending 80 bytes for reply packet for process_encrypted_informational_ikev2 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #1) Oct 31 15:24:55.890481: | 3e 8d 75 fe ee 1c ba 7c 48 73 1e 97 36 39 93 72 Oct 31 15:24:55.890484: | 2e 20 25 28 00 00 00 04 00 00 00 50 00 00 00 34 Oct 31 15:24:55.890486: | 9f ff a1 54 89 05 aa 91 1c 8a df 7d 92 90 b1 01 Oct 31 15:24:55.890488: | 71 5e c2 24 0c bf f6 99 6e 24 e5 d3 5a 92 45 8f Oct 31 15:24:55.890490: | f7 6a fd c6 38 55 f5 03 de b3 5c f2 8a 28 6c 9b Oct 31 15:24:55.890527: | sent 1 messages Oct 31 15:24:55.890536: | Message ID: IKE #1 XXX: in process_encrypted_informational_ikev2() hacking around record 'n' send bypassing send queue hacking around delete_ike_family(): ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=4 Oct 31 15:24:55.890543: | Message ID: IKE #1 updating responder sent message response 4: ike.initiator.sent=2 ike.initiator.recv=2 ike.initiator.last_contact=744568.014427 ike.responder.sent=3->4 ike.responder.recv=3 ike.responder.last_contact=744570.312948 ike.wip.initiator=-1 ike.wip.responder=4 Oct 31 15:24:55.890547: | pstats #7 ikev2.child deleted other Oct 31 15:24:55.890553: | #7 main thread 
spent 0.0329 (0.033) milliseconds helper thread spent 0 (0) milliseconds in total Oct 31 15:24:55.890558: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.890563: | start processing: state #7 connection "north-eastnets/0x1" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.890566: | should_send_delete: no, just because Oct 31 15:24:55.890571: "north-eastnets/0x1" #7: deleting other state #7 connection (STATE_V2_REKEY_CHILD_I0) "north-eastnets/0x1" aged 0.010298s and NOT sending notification Oct 31 15:24:55.890574: | child state #7: V2_REKEY_CHILD_I0(established IKE SA) => delete Oct 31 15:24:55.890577: | unsuspending #7 MD (nil) Oct 31 15:24:55.890580: | should_send_delete: no, just because Oct 31 15:24:55.890583: | child state #7: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Oct 31 15:24:55.890586: | state #7 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:55.890591: | libevent_free: delref ptr-libevent@0x561a1d282788 Oct 31 15:24:55.890594: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d27f9e8 Oct 31 15:24:55.890597: | #7 STATE_CHILDSA_DEL: retransmits: cleared Oct 31 15:24:55.890601: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:55.890609: | delete inbound eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => unk.10000@192.1.3.33 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:55.890622: | raw_eroute result=success Oct 31 15:24:55.890626: | in connection_discard for connection north-eastnets/0x1 Oct 31 15:24:55.890629: | State DB: deleting IKEv2 state #7 in CHILDSA_DEL Oct 31 15:24:55.890633: | child state #7: CHILDSA_DEL(informational) => UNDEFINED(ignore) Oct 31 15:24:55.890636: | releasing #7's fd-fd@(nil) because deleting state Oct 31 15:24:55.890639: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890641: | delref fd@NULL (in delete_state() at 
state.c:1195) Oct 31 15:24:55.890643: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:55.890648: | stop processing: state #7 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890654: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890658: | delref logger@0x561a1d279218(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.890660: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890662: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.890666: | pstats #6 ikev2.child deleted other Oct 31 15:24:55.890670: | #6 main thread spent 0.121 (0.125) milliseconds helper thread spent 3.3 (3.35) milliseconds in total Oct 31 15:24:55.890677: | suspend processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.890682: | start processing: state #6 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.890684: | should_send_delete: no, just because Oct 31 15:24:55.890688: "north-eastnets/0x2" #6: deleting other state #6 (STATE_V2_REKEY_CHILD_I0) aged 0.022554s and NOT sending notification Oct 31 15:24:55.890691: | child state #6: V2_REKEY_CHILD_I0(established IKE SA) => delete Oct 31 15:24:55.890694: | unsuspending #6 MD (nil) Oct 31 15:24:55.890696: | should_send_delete: no, just because Oct 31 15:24:55.890699: | child state #6: V2_REKEY_CHILD_I0(established IKE SA) => CHILDSA_DEL(informational) Oct 31 15:24:55.890702: | state #6 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:55.890705: | libevent_free: delref ptr-libevent@0x561a1d2800f8 Oct 31 15:24:55.890708: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d26a1a8 Oct 31 15:24:55.890710: | #6 STATE_CHILDSA_DEL: retransmits: cleared Oct 31 15:24:55.890713: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 
15:24:55.890722: | delete inbound eroute 192.0.22.0/24:0 --0-> 192.0.3.0/24:0 => unk.10000@192.1.3.33 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:55.890735: | raw_eroute result=success Oct 31 15:24:55.890738: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:55.890741: | State DB: deleting IKEv2 state #6 in CHILDSA_DEL Oct 31 15:24:55.890744: | child state #6: CHILDSA_DEL(informational) => UNDEFINED(ignore) Oct 31 15:24:55.890747: | releasing #6's fd-fd@(nil) because deleting state Oct 31 15:24:55.890749: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890751: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890754: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:55.890767: | stop processing: state #6 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890772: | resume processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890776: | delref logger@0x561a1d287e88(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.890778: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890780: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.890783: | State DB: IKEv2 state not found (delete_ike_family) Oct 31 15:24:55.890785: | pstats #1 ikev2.ike deleted completed Oct 31 15:24:55.890790: | #1 main thread spent 7.84 (81) milliseconds helper thread spent 7.68 (7.95) milliseconds in total Oct 31 15:24:55.890794: | [RE]START processing: state #1 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:55.890796: | should_send_delete: no, just because Oct 31 15:24:55.890800: "north-eastnets/0x2" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2.529871s and NOT sending notification Oct 31 15:24:55.890803: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => delete Oct 31 15:24:55.890848: | unsuspending #1 MD (nil) Oct 31 
15:24:55.890852: | should_send_delete: no, just because Oct 31 15:24:55.890854: | state #1 deleting .st_event EVENT_SA_REKEY Oct 31 15:24:55.890858: | libevent_free: delref ptr-libevent@0x7f7058000d38 Oct 31 15:24:55.890860: | free_event_entry: delref EVENT_SA_REKEY-pe@0x561a1d282238 Oct 31 15:24:55.890863: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: cleared Oct 31 15:24:55.890866: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:24:55.890869: | picked newest_isakmp_sa #0 for #1 Oct 31 15:24:55.890872: "north-eastnets/0x2" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Oct 31 15:24:55.890876: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 0 seconds Oct 31 15:24:55.890881: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 0 seconds Oct 31 15:24:55.890885: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:55.890888: | State DB: deleting IKEv2 state #1 in ESTABLISHED_IKE_SA Oct 31 15:24:55.890891: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => UNDEFINED(ignore) Oct 31 15:24:55.890893: | releasing #1's fd-fd@(nil) because deleting state Oct 31 15:24:55.890896: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890898: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:55.890901: | delref pkp@0x561a1d278ed8(2->1) (in delete_state() at state.c:1202) Oct 31 15:24:55.890914: | stop processing: state #1 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:55.890931: | delref logger@0x561a1d27cb88(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:55.890933: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890936: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.890939: | in statetime_stop() and could not find #1 Oct 31 15:24:55.890942: | XXX: processor 'Informational Request' for #1 deleted state MD.ST Oct 31 15:24:55.890945: | processing: STOP 
state #0 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:55.890947: | in statetime_stop() and could not find #1 Oct 31 15:24:55.890949: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.890953: | delref mdp@0x561a1d294018(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.890955: | delref logger@0x561a1d269e98(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.890958: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890960: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.890966: | spent 0.83 (0.869) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.890974: | processing resume sending helper answer back to state for #7 Oct 31 15:24:55.890978: | job 10 for #7: Child Rekey Initiator KE and nonce ni (build KE and nonce): processing response from helper 3 Oct 31 15:24:55.890980: | job 10 for #7: Child Rekey Initiator KE and nonce ni (build KE and nonce): was cancelled; ignoring respose Oct 31 15:24:55.890992: | delref logger@0x561a1d288308(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:55.890994: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.890996: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.891002: | (#7) spent 0.0233 (0.0233) milliseconds in resume sending helper answer back to state Oct 31 15:24:55.891004: | libevent_free: delref ptr-libevent@0x7f7058006da8 Oct 31 15:24:55.891007: | processing signal PLUTO_SIGCHLD Oct 31 15:24:55.891012: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:55.891016: | spent 0.00505 (0.00501) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:55.891022: | processing global timer EVENT_REVIVE_CONNS Oct 31 15:24:55.891024: | FOR_EACH_CONNECTION_... 
in conn_by_name Oct 31 15:24:55.891028: "north-eastnets/0x2": initiating connection which received a Delete/Notify but must remain up per local policy Oct 31 15:24:55.891032: | connection 'north-eastnets/0x2' +POLICY_UP Oct 31 15:24:55.891034: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:55.891044: | newref alloc logger@0x561a1d27f9e8(0->1) (in new_state() at state.c:576) Oct 31 15:24:55.891046: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:55.891049: | creating state object #8 at 0x561a1d27dd38 Oct 31 15:24:55.891051: | State DB: adding IKEv2 state #8 in UNDEFINED Oct 31 15:24:55.891058: | pstats #8 ikev2.ike started Oct 31 15:24:55.891061: | parent state #8: UNDEFINED(ignore) => PARENT_I0(ignore) Oct 31 15:24:55.891065: | #8.st_v2_transition NULL -> PARENT_I0->PARENT_I1 (in new_v2_ike_state() at state.c:620) Oct 31 15:24:55.891073: | Message ID: IKE #8 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744570.323863 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744570.323863 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:24:55.891078: | orienting north-eastnets/0x2 Oct 31 15:24:55.891083: | north-eastnets/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:24:55.891087: | north-eastnets/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:24:55.891091: | north-eastnets/0x2 doesn't match 192.0.3.254:4500 at all Oct 31 15:24:55.891094: | north-eastnets/0x2 doesn't match 192.0.3.254:500 at all Oct 31 15:24:55.891098: | north-eastnets/0x2 doesn't match 192.1.3.33:4500 at all Oct 31 15:24:55.891100: | oriented north-eastnets/0x2's this Oct 31 15:24:55.891106: | start processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:544) Oct 31 15:24:55.891110: | addref fd@NULL (in add_pending() at pending.c:86) Oct 31 15:24:55.891114: | queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #8 
"north-eastnets/0x2" Oct 31 15:24:55.891117: "north-eastnets/0x2" #8: initiating IKEv2 connection Oct 31 15:24:55.891123: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator selecting KE): 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:55.891129: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:55.891132: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:55.891135: | newref clone logger@0x561a1d2822a8(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:55.891137: | job 11 for #8: ikev2_outI1 KE (build KE and nonce): adding job to queue Oct 31 15:24:55.891139: | state #8 has no .st_event to delete Oct 31 15:24:55.891142: | #8 STATE_PARENT_I0: retransmits: cleared Oct 31 15:24:55.891144: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d2793d8 Oct 31 15:24:55.891147: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #8 Oct 31 15:24:55.891150: | libevent_malloc: newref ptr-libevent@0x561a1d280248 size 128 Oct 31 15:24:55.891161: | #8 spent 0.129 (0.129) milliseconds in ikev2_parent_outI1() Oct 31 15:24:55.891166: | RESET processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in ikev2_parent_outI1() at ikev2_parent.c:640) Oct 31 15:24:55.891168: | job 11 for #8: ikev2_outI1 KE (build KE and nonce): helper 4 starting job Oct 31 15:24:55.891171: | spent 0.145 (0.145) milliseconds in global timer EVENT_REVIVE_CONNS Oct 31 15:24:55.892350: | "north-eastnets/0x2" #8: spent 1.15 (1.18) milliseconds in helper 4 processing job 11 for state #8: ikev2_outI1 KE (pcr) Oct 31 15:24:55.892362: | job 11 for #8: ikev2_outI1 KE (build KE and nonce): helper thread 4 sending result back to state Oct 31 15:24:55.892365: | scheduling resume sending helper answer back to state for #8 Oct 31 15:24:55.892367: | libevent_malloc: newref ptr-libevent@0x7f704c001648 size 128 Oct 31 15:24:55.892374: | helper thread 4 has nothing to do Oct 31 15:24:55.892402: | 
processing resume sending helper answer back to state for #8 Oct 31 15:24:55.892411: | start processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:641) Oct 31 15:24:55.892415: | unsuspending #8 MD (nil) Oct 31 15:24:55.892417: | job 11 for #8: ikev2_outI1 KE (build KE and nonce): processing response from helper 4 Oct 31 15:24:55.892420: | job 11 for #8: ikev2_outI1 KE (build KE and nonce): calling continuation function 0x561a1cf20fe7 Oct 31 15:24:55.892422: | ikev2_parent_outI1_continue() for #8 STATE_PARENT_I0 Oct 31 15:24:55.892424: | DH secret MODP2048@0x7f704c004ed8: transferring ownership from helper KE to state #8 Oct 31 15:24:55.892428: | opening output PBS reply packet Oct 31 15:24:55.892430: | **emit ISAKMP Message: Oct 31 15:24:55.892434: | initiator SPI: 2c 0e 81 fa 7d ad 91 1a Oct 31 15:24:55.892436: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:24:55.892438: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.892440: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.892442: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:55.892444: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:55.892450: | Message ID: 0 (00 00 00 00) Oct 31 15:24:55.892452: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.892457: | using existing local IKE proposals for connection north-eastnets/0x2 (IKE SA initiator emitting local proposals): 1:IKE=AES_CBC_256-HMAC_SHA2_256-HMAC_SHA2_256_128-MODP2048 Oct 31 15:24:55.892459: | Emitting ikev2_proposals ... 
Oct 31 15:24:55.892461: | ***emit IKEv2 Security Association Payload: Oct 31 15:24:55.892463: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892464: | flags: none (0x0) Oct 31 15:24:55.892467: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:55.892469: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892472: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.892473: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.892475: | prop #: 1 (01) Oct 31 15:24:55.892477: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.892479: | spi size: 0 (00) Oct 31 15:24:55.892481: | # transforms: 4 (04) Oct 31 15:24:55.892482: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:55.892485: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.892487: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892488: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.892490: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.892491: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.892493: | ******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.892495: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.892497: | length/value: 256 (01 00) Oct 31 15:24:55.892499: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:55.892501: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.892503: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892504: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.892506: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:55.892508: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892510: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.892512: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.892513: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.892515: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892516: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.892518: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:55.892520: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892521: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.892523: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.892525: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.892526: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.892528: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.892530: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.892531: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.892534: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.892536: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.892537: | emitting length of IKEv2 Proposal Substructure Payload: 44 
Oct 31 15:24:55.892539: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:55.892541: | emitting length of IKEv2 Security Association Payload: 48 Oct 31 15:24:55.892542: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:55.892544: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:24:55.892546: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892547: | flags: none (0x0) Oct 31 15:24:55.892561: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.892563: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:55.892565: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892567: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:24:55.892569: | ikev2 g^x:
Oct 31 15:24:55.892592: | emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:24:55.892593: | ***emit IKEv2 Nonce Payload: Oct 31 15:24:55.892595: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892596: | flags: none (0x0) Oct 31 15:24:55.892598: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:55.892599: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892601: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:55.892602: | IKEv2 nonce: Oct 31 15:24:55.892604: | f4 c8 91 be e1 3f b8 5b 06 4b b1 a6 33 33 fe cf Oct 31 15:24:55.892605: | 61 02 27 c8 9d be cb b6 34 2c 1f ea b4 0a 57 05 Oct 31 15:24:55.892607: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:55.892609: | adding a v2N Payload Oct 31 15:24:55.892610: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.892611: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892613: | flags: none (0x0) Oct 31 15:24:55.892615: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.892616: | SPI size: 0 (00) Oct 31 15:24:55.892618: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:55.892620: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.892622: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892624: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:24:55.892625: | adding a v2N Payload Oct 31 15:24:55.892627: | ***emit IKEv2 Notify Payload: 
Oct 31 15:24:55.892628: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892629: | flags: none (0x0) Oct 31 15:24:55.892631: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.892632: | SPI size: 0 (00) Oct 31 15:24:55.892634: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:24:55.892635: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.892637: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892639: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256 into IKEv2 Notify Payload Oct 31 15:24:55.892640: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256: 00 02 Oct 31 15:24:55.892642: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384 into IKEv2 Notify Payload Oct 31 15:24:55.892643: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384: 00 03 Oct 31 15:24:55.892645: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512 into IKEv2 Notify Payload Oct 31 15:24:55.892647: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512: 00 04 Oct 31 15:24:55.892648: | emitting length of IKEv2 Notify Payload: 14 Oct 31 15:24:55.892650: | NAT-Traversal support [enabled] add v2N payloads. 
Oct 31 15:24:55.892651: | nat: IKE.SPIr is zero Oct 31 15:24:55.892660: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:55.892662: | natd_hash: icookie= Oct 31 15:24:55.892663: | 2c 0e 81 fa 7d ad 91 1a Oct 31 15:24:55.892665: | natd_hash: rcookie= Oct 31 15:24:55.892666: | 00 00 00 00 00 00 00 00 Oct 31 15:24:55.892667: | natd_hash: ip= Oct 31 15:24:55.892669: | c0 01 03 21 Oct 31 15:24:55.892670: | natd_hash: port= Oct 31 15:24:55.892671: | 01 f4 Oct 31 15:24:55.892673: | natd_hash: hash= Oct 31 15:24:55.892674: | cc 20 f6 42 ba 0d 76 6d 0c 14 19 11 77 79 8a a1 Oct 31 15:24:55.892675: | 32 d5 0d d4 Oct 31 15:24:55.892677: | adding a v2N Payload Oct 31 15:24:55.892678: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.892680: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892681: | flags: none (0x0) Oct 31 15:24:55.892682: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.892684: | SPI size: 0 (00) Oct 31 15:24:55.892686: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:55.892687: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.892689: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892691: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:55.892692: | Notify data: Oct 31 15:24:55.892693: | cc 20 f6 42 ba 0d 76 6d 0c 14 19 11 77 79 8a a1 Oct 31 15:24:55.892695: | 32 d5 0d d4 Oct 31 15:24:55.892696: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:55.892697: | nat: IKE.SPIr is zero Oct 31 15:24:55.892701: | natd_hash: hasher=0x561a1d012f80(20) Oct 31 15:24:55.892703: | natd_hash: icookie= Oct 31 15:24:55.892704: | 2c 0e 81 fa 7d ad 91 1a Oct 31 15:24:55.892705: | natd_hash: rcookie= Oct 31 15:24:55.892707: | 00 00 00 00 00 00 00 00 Oct 31 15:24:55.892708: | natd_hash: ip= Oct 31 15:24:55.892709: | c0 01 02 17 Oct 
31 15:24:55.892710: | natd_hash: port= Oct 31 15:24:55.892712: | 01 f4 Oct 31 15:24:55.892713: | natd_hash: hash= Oct 31 15:24:55.892714: | 9f 5f 46 c3 12 03 79 80 06 6d 1c cc e9 0c 62 67 Oct 31 15:24:55.892717: | 1e b7 ae 15 Oct 31 15:24:55.892718: | adding a v2N Payload Oct 31 15:24:55.892720: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.892721: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.892722: | flags: none (0x0) Oct 31 15:24:55.892724: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.892725: | SPI size: 0 (00) Oct 31 15:24:55.892727: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:55.892728: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.892730: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.892731: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:55.892733: | Notify data: Oct 31 15:24:55.892739: | 9f 5f 46 c3 12 03 79 80 06 6d 1c cc e9 0c 62 67 Oct 31 15:24:55.892740: | 1e b7 ae 15 Oct 31 15:24:55.892755: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:55.892757: | emitting length of ISAKMP Message: 454 Oct 31 15:24:55.892765: | [RE]START processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.892771: | #8 complete_v2_state_transition() PARENT_I0->PARENT_I1 with status STF_OK Oct 31 15:24:55.892775: | transitioning from state STATE_PARENT_I0 to state STATE_PARENT_I1 Oct 31 15:24:55.892777: | Message ID: updating counters for #8 Oct 31 15:24:55.892780: | Message ID: IKE #8 skipping update_recv as MD is fake Oct 31 15:24:55.892787: | Message ID: IKE #8 scheduling EVENT_RETRANSMIT: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744570.323863 ike.responder.sent=-1 ike.responder.recv=-1 
ike.responder.last_contact=744570.323863 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:24:55.892791: | event_schedule: newref EVENT_RETRANSMIT-pe@0x561a1d288308 Oct 31 15:24:55.892794: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #8 Oct 31 15:24:55.892798: | libevent_malloc: newref ptr-libevent@0x561a1d2800f8 size 128 Oct 31 15:24:55.892803: | #8 STATE_PARENT_I0: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744570.325586 Oct 31 15:24:55.892810: | Message ID: IKE #8 updating initiator sent message request 0: ike.initiator.sent=-1->0 ike.initiator.recv=-1 ike.initiator.last_contact=744570.323863 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744570.323863 ike.wip.initiator=-1->0 ike.wip.responder=-1 Oct 31 15:24:55.892814: | Message ID: IKE #8 no pending message initiators to schedule: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744570.323863 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744570.323863 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:24:55.892817: | parent state #8: PARENT_I0(ignore) => PARENT_I1(half-open IKE SA) Oct 31 15:24:55.892819: | announcing the state transition Oct 31 15:24:55.892821: "north-eastnets/0x2" #8: sent IKE_SA_INIT request Oct 31 15:24:55.892826: | sending 454 bytes for STATE_PARENT_I0 through eth1 from 192.1.3.33:500 to 192.1.2.23:500 using UDP (for #8)
Oct 31 15:24:55.892907: | sent 1 messages Oct 31 15:24:55.892909: | checking that a retransmit timeout_event was already Oct 31 15:24:55.892911: | state #8 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:55.892914: | libevent_free: delref ptr-libevent@0x561a1d280248 Oct 31 15:24:55.892916: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x561a1d2793d8 Oct 31 15:24:55.892918: | delref 
logger@0x561a1d2822a8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:55.892920: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.892921: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.892924: | resume sending helper answer back to state for #8 suppresed complete_v2_state_transition() Oct 31 15:24:55.892930: | delref mdp@NULL (in resume_handler() at server.c:743) Oct 31 15:24:55.892935: | #8 spent 0.49 (0.518) milliseconds in resume sending helper answer back to state Oct 31 15:24:55.892938: | stop processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in resume_handler() at server.c:745) Oct 31 15:24:55.892940: | libevent_free: delref ptr-libevent@0x7f704c001648 Oct 31 15:24:56.012302: | kernel_process_msg_cb process netlink message Oct 31 15:24:56.012326: | netlink_get: XFRM_MSG_ACQUIRE message Oct 31 15:24:56.012330: | xfrm netlink msg len 376 Oct 31 15:24:56.012337: | xfrm acquire rtattribute type 5 ... Oct 31 15:24:56.012340: | ... xfrm template attribute with reqid:0, spi:0, proto:50 Oct 31 15:24:56.012342: | xfrm acquire rtattribute type 16 ... Oct 31 15:24:56.012345: | ... xfrm policy type ignored Oct 31 15:24:56.012358: | add bare shunt 0x561a1d28ff38 192.0.3.254/32:0 --1--> 192.0.2.254/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.012364: | stripping address 192.0.3.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.012368: | stripping address 192.0.2.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.012376: initiate on demand from 192.0.3.254:0 to 192.0.2.254:0 proto=1 because: acquire Oct 31 15:24:56.012383: | find_connection: looking for policy for connection: 192.0.3.254:1/0 -> 192.0.2.254:1/0 Oct 31 15:24:56.012386: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Oct 31 15:24:56.012393: | find_connection: conn "north-eastnets/0x1" has compatible peers: 192.0.3.0/24:0 -> 192.0.2.0/24:0 [pri: 25214988] Oct 31 15:24:56.012396: | find_connection: first OK "north-eastnets/0x1" [pri:25214988]{0x561a1d277f98} (child none) Oct 31 15:24:56.012399: | find_connection: concluding with "north-eastnets/0x1" [pri:25214988]{0x561a1d277f98} kind=CK_PERMANENT Oct 31 15:24:56.012406: | assign hold, routing was prospective erouted, needs to be erouted HOLD Oct 31 15:24:56.012409: | assign_holdpass() need broad(er) shunt Oct 31 15:24:56.012412: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:56.012419: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => %hold>%hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.012422: | netlink_raw_eroute: SPI_HOLD implemented as no-op Oct 31 15:24:56.012424: | raw_eroute result=success Oct 31 15:24:56.012426: | assign_holdpass() eroute_connection() done Oct 31 15:24:56.012429: | fiddle_bare_shunt called Oct 31 15:24:56.012432: | subnet from address 192.0.3.254 (in fiddle_bare_shunt() at kernel.c:1338) Oct 31 15:24:56.012435: | subnet from address 192.0.2.254 (in fiddle_bare_shunt() at kernel.c:1339) Oct 31 15:24:56.012436: | fiddle_bare_shunt with transport_proto 1 Oct 31 15:24:56.012438: | removing specific host-to-host bare shunt Oct 31 15:24:56.012441: | delete narrow %hold eroute 192.0.3.254/32:0 --1-> 192.0.2.254/32:0 => %hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.012443: | netlink_raw_eroute: SPI_PASS Oct 31 15:24:56.012457: | raw_eroute result=success Oct 31 15:24:56.012460: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Oct 31 15:24:56.012463: | delete bare shunt 0x561a1d28ff38 192.0.3.254/32:0 --1--> 192.0.2.254/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.012466: assign_holdpass() 
delete_bare_shunt() failed Oct 31 15:24:56.012467: initiate_ondemand_body() failed to install negotiation_shunt, Oct 31 15:24:56.012469: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:56.012473: | addref fd@NULL (in add_pending() at pending.c:86) Oct 31 15:24:56.012476: "north-eastnets/0x1": queuing pending IPsec SA negotiating with 192.1.2.23 IKE SA #8 "north-eastnets/0x2" Oct 31 15:24:56.012479: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.2.254 Oct 31 15:24:56.012483: | netlink_get: XFRM_MSG_ACQUIRE message Oct 31 15:24:56.012484: | xfrm netlink msg len 376 Oct 31 15:24:56.012486: | xfrm acquire rtattribute type 5 ... Oct 31 15:24:56.012488: | ... xfrm template attribute with reqid:0, spi:0, proto:50 Oct 31 15:24:56.012489: | xfrm acquire rtattribute type 16 ... Oct 31 15:24:56.012490: | ... xfrm policy type ignored Oct 31 15:24:56.012494: | add bare shunt 0x561a1d282788 192.0.3.254/32:0 --1--> 192.0.2.251/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.012497: | stripping address 192.0.3.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.012499: | stripping address 192.0.2.251 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.012503: initiate on demand from 192.0.3.254:0 to 192.0.2.251:0 proto=1 because: acquire Oct 31 15:24:56.012506: | find_connection: looking for policy for connection: 192.0.3.254:1/0 -> 192.0.2.251:1/0 Oct 31 15:24:56.012508: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Oct 31 15:24:56.012511: | find_connection: conn "north-eastnets/0x1" has compatible peers: 192.0.3.0/24:0 -> 192.0.2.0/24:0 [pri: 25214988] Oct 31 15:24:56.012513: | find_connection: first OK "north-eastnets/0x1" [pri:25214988]{0x561a1d277f98} (child none) Oct 31 15:24:56.012515: | find_connection: concluding with "north-eastnets/0x1" [pri:25214988]{0x561a1d277f98} kind=CK_PERMANENT Oct 31 15:24:56.012516: | assign hold, routing was prospective erouted, needs to be erouted HOLD Oct 31 15:24:56.012517: | assign_holdpass() need broad(er) shunt Oct 31 15:24:56.012519: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:56.012523: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => %hold>%hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.012524: | netlink_raw_eroute: SPI_HOLD implemented as no-op Oct 31 15:24:56.012525: | raw_eroute result=success Oct 31 15:24:56.012528: | assign_holdpass() eroute_connection() done Oct 31 15:24:56.012530: | fiddle_bare_shunt called Oct 31 15:24:56.012532: | subnet from address 192.0.3.254 (in fiddle_bare_shunt() at kernel.c:1338) Oct 31 15:24:56.012534: | subnet from address 192.0.2.251 (in fiddle_bare_shunt() at kernel.c:1339) Oct 31 15:24:56.012536: | fiddle_bare_shunt with transport_proto 1 Oct 31 15:24:56.012537: | removing specific host-to-host bare shunt Oct 31 15:24:56.012540: | delete narrow %hold eroute 192.0.3.254/32:0 --1-> 192.0.2.251/32:0 => %hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.012542: | netlink_raw_eroute: SPI_PASS Oct 31 15:24:56.012547: | raw_eroute result=success Oct 31 15:24:56.012548: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Oct 31 15:24:56.012552: | delete bare shunt 0x561a1d282788 192.0.3.254/32:0 --1--> 192.0.2.251/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.012553: assign_holdpass() 
delete_bare_shunt() failed Oct 31 15:24:56.012555: initiate_ondemand_body() failed to install negotiation_shunt, Oct 31 15:24:56.012556: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:56.012559: | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "north-eastnets/0x1" Oct 31 15:24:56.012561: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.2.251 Oct 31 15:24:56.012567: | spent 0.243 (0.243) milliseconds in kernel message Oct 31 15:24:56.077633: | kernel_process_msg_cb process netlink message Oct 31 15:24:56.077655: | netlink_get: XFRM_MSG_ACQUIRE message Oct 31 15:24:56.077660: | xfrm netlink msg len 376 Oct 31 15:24:56.077666: | xfrm acquire rtattribute type 5 ... Oct 31 15:24:56.077669: | ... xfrm template attribute with reqid:0, spi:0, proto:50 Oct 31 15:24:56.077671: | xfrm acquire rtattribute type 16 ... Oct 31 15:24:56.077674: | ... xfrm policy type ignored Oct 31 15:24:56.077685: | add bare shunt 0x561a1d28e968 192.0.3.254/32:0 --1--> 192.0.22.254/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.077690: | stripping address 192.0.3.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.077694: | stripping address 192.0.22.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.077701: initiate on demand from 192.0.3.254:0 to 192.0.22.254:0 proto=1 because: acquire Oct 31 15:24:56.077708: | find_connection: looking for policy for connection: 192.0.3.254:1/0 -> 192.0.22.254:1/0 Oct 31 15:24:56.077710: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Oct 31 15:24:56.077716: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.3.0/24:0 -> 192.0.22.0/24:0 [pri: 25214988] Oct 31 15:24:56.077719: | find_connection: first OK "north-eastnets/0x2" [pri:25214988]{0x561a1d279c18} (child none) Oct 31 15:24:56.077723: | find_connection: concluding with "north-eastnets/0x2" [pri:25214988]{0x561a1d279c18} kind=CK_PERMANENT Oct 31 15:24:56.077726: | assign hold, routing was prospective erouted, needs to be erouted HOLD Oct 31 15:24:56.077729: | assign_holdpass() need broad(er) shunt Oct 31 15:24:56.077732: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:56.077740: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => %hold>%hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.077744: | netlink_raw_eroute: SPI_HOLD implemented as no-op Oct 31 15:24:56.077746: | raw_eroute result=success Oct 31 15:24:56.077749: | assign_holdpass() eroute_connection() done Oct 31 15:24:56.077751: | fiddle_bare_shunt called Oct 31 15:24:56.077755: | subnet from address 192.0.3.254 (in fiddle_bare_shunt() at kernel.c:1338) Oct 31 15:24:56.077759: | subnet from address 192.0.22.254 (in fiddle_bare_shunt() at kernel.c:1339) Oct 31 15:24:56.077762: | fiddle_bare_shunt with transport_proto 1 Oct 31 15:24:56.077764: | removing specific host-to-host bare shunt Oct 31 15:24:56.077771: | delete narrow %hold eroute 192.0.3.254/32:0 --1-> 192.0.22.254/32:0 => %hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.077778: | netlink_raw_eroute: SPI_PASS Oct 31 15:24:56.077791: | raw_eroute result=success Oct 31 15:24:56.077796: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Oct 31 15:24:56.077804: | delete bare shunt 0x561a1d28e968 192.0.3.254/32:0 --1--> 192.0.22.254/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.077808: assign_holdpass() 
delete_bare_shunt() failed Oct 31 15:24:56.077811: initiate_ondemand_body() failed to install negotiation_shunt, Oct 31 15:24:56.077815: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:56.077821: | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "north-eastnets/0x2" Oct 31 15:24:56.077828: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.22.254 Oct 31 15:24:56.077836: | spent 0.182 (0.182) milliseconds in kernel message Oct 31 15:24:56.140339: | kernel_process_msg_cb process netlink message Oct 31 15:24:56.140368: | netlink_get: XFRM_MSG_ACQUIRE message Oct 31 15:24:56.140373: | xfrm netlink msg len 376 Oct 31 15:24:56.140381: | xfrm acquire rtattribute type 5 ... Oct 31 15:24:56.140385: | ... xfrm template attribute with reqid:0, spi:0, proto:50 Oct 31 15:24:56.140388: | xfrm acquire rtattribute type 16 ... Oct 31 15:24:56.140391: | ... xfrm policy type ignored Oct 31 15:24:56.140406: | add bare shunt 0x561a1d28ea68 192.0.3.254/32:0 --1--> 192.0.22.251/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.140413: | stripping address 192.0.3.254 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.140419: | stripping address 192.0.22.251 of is_endpoint=0 hport=0 ipproto=1 (in subnet_prefix() at ip_subnet.c:114) Oct 31 15:24:56.140431: initiate on demand from 192.0.3.254:0 to 192.0.22.251:0 proto=1 because: acquire Oct 31 15:24:56.140440: | find_connection: looking for policy for connection: 192.0.3.254:1/0 -> 192.0.22.251:1/0 Oct 31 15:24:56.140444: | FOR_EACH_CONNECTION_... 
in find_connection_for_clients Oct 31 15:24:56.140453: | find_connection: conn "north-eastnets/0x2" has compatible peers: 192.0.3.0/24:0 -> 192.0.22.0/24:0 [pri: 25214988] Oct 31 15:24:56.140457: | find_connection: first OK "north-eastnets/0x2" [pri:25214988]{0x561a1d279c18} (child none) Oct 31 15:24:56.140462: | find_connection: concluding with "north-eastnets/0x2" [pri:25214988]{0x561a1d279c18} kind=CK_PERMANENT Oct 31 15:24:56.140467: | assign hold, routing was prospective erouted, needs to be erouted HOLD Oct 31 15:24:56.140471: | assign_holdpass() need broad(er) shunt Oct 31 15:24:56.140475: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:56.140483: | eroute_connection replace %trap with broad %pass or %hold eroute 192.0.3.0/24:0 --0-> 192.0.22.0/24:0 => %hold>%hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.140488: | netlink_raw_eroute: SPI_HOLD implemented as no-op Oct 31 15:24:56.140491: | raw_eroute result=success Oct 31 15:24:56.140495: | assign_holdpass() eroute_connection() done Oct 31 15:24:56.140499: | fiddle_bare_shunt called Oct 31 15:24:56.140505: | subnet from address 192.0.3.254 (in fiddle_bare_shunt() at kernel.c:1338) Oct 31 15:24:56.140511: | subnet from address 192.0.22.251 (in fiddle_bare_shunt() at kernel.c:1339) Oct 31 15:24:56.140515: | fiddle_bare_shunt with transport_proto 1 Oct 31 15:24:56.140518: | removing specific host-to-host bare shunt Oct 31 15:24:56.140526: | delete narrow %hold eroute 192.0.3.254/32:0 --1-> 192.0.22.251/32:0 => %hold using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:56.140530: | netlink_raw_eroute: SPI_PASS Oct 31 15:24:56.140547: | raw_eroute result=success Oct 31 15:24:56.140552: | raw_eroute with op='delete' for transport_proto='1' kernel shunt succeeded, bare shunt lookup succeeded Oct 31 15:24:56.140561: | delete bare shunt 0x561a1d28ea68 192.0.3.254/32:0 --1--> 192.0.22.251/32:0 => %hold 0 %acquire-netlink Oct 31 15:24:56.140565: assign_holdpass() 
delete_bare_shunt() failed Oct 31 15:24:56.140573: initiate_ondemand_body() failed to install negotiation_shunt, Oct 31 15:24:56.141411: | FOR_EACH_STATE_... in find_phase1_state Oct 31 15:24:56.141425: | Ignored already queued up pending IPsec SA negotiation with 192.1.2.23 "north-eastnets/0x2" Oct 31 15:24:56.141433: | initiate on demand using RSASIG from 192.0.3.254 to 192.0.22.251 Oct 31 15:24:56.141445: | spent 0.262 (1.08) milliseconds in kernel message Oct 31 15:24:56.297865: | newref struct fd@0x561a1d269f38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.297881: | fd_accept: new fd-fd@0x561a1d269f38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.297895: shutting down Oct 31 15:24:56.297903: | leaking fd-fd@0x561a1d269f38's FD; will be closed when pluto exits (in whack_handle_cb() at rcv_whack.c:889) Oct 31 15:24:56.297907: | delref fd@0x561a1d269f38(1->0) (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:24:56.297909: | freeref fd-fd@0x561a1d269f38 (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:24:56.297922: | shutting down helper thread 5 Oct 31 15:24:56.297933: | helper thread 5 exited Oct 31 15:24:56.297945: | shutting down helper thread 6 Oct 31 15:24:56.297958: | helper thread 6 exited Oct 31 15:24:56.297972: | shutting down helper thread 7 Oct 31 15:24:56.298032: | helper thread 7 exited Oct 31 15:24:56.298045: | shutting down helper thread 1 Oct 31 15:24:56.298054: | helper thread 1 exited Oct 31 15:24:56.298065: | shutting down helper thread 2 Oct 31 15:24:56.298078: | helper thread 2 exited Oct 31 15:24:56.298085: | shutting down helper thread 3 Oct 31 15:24:56.298093: | helper thread 3 exited Oct 31 15:24:56.298102: | shutting down helper thread 4 Oct 31 15:24:56.298110: | helper thread 4 exited Oct 31 15:24:56.298114: 7 helper threads shutdown Oct 31 15:24:56.298117: | delref root_certs@NULL (in free_root_certs() at root_certs.c:127) Oct 31 15:24:56.298119: | certs and keys locked by 'free_preshared_secrets' Oct 
31 15:24:56.298120: forgetting secrets Oct 31 15:24:56.298132: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:24:56.298135: | delref pkp@0x561a1d278ed8(1->0) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:24:56.298137: | delref pkp@0x561a1d278d88(1->0) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:24:56.298141: | delref fd@NULL (in delete_pending() at pending.c:218) Oct 31 15:24:56.298142: | removing pending policy for no connection {0x561a1d279218} Oct 31 15:24:56.298144: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:24:56.298146: | pass 0 Oct 31 15:24:56.298147: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:24:56.298149: | state #8 Oct 31 15:24:56.298154: | start processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:24:56.298155: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:24:56.298157: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:24:56.298159: | pstats #8 ikev2.ike deleted other Oct 31 15:24:56.298163: | #8 main thread spent 0.618 (0.647) milliseconds helper thread spent 1.15 (1.18) milliseconds in total Oct 31 15:24:56.298166: | [RE]START processing: state #8 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:56.298169: | should_send_delete: no, not established Oct 31 15:24:56.298172: "north-eastnets/0x2" #8: deleting state (STATE_PARENT_I1) aged 0.407128s and NOT sending notification Oct 31 15:24:56.298175: | parent state #8: PARENT_I1(half-open IKE SA) => delete Oct 31 15:24:56.298177: | unsuspending #8 MD (nil) Oct 31 15:24:56.298178: | should_send_delete: no, not established Oct 31 15:24:56.298180: | state #8 has no .st_event to delete Oct 31 15:24:56.298182: | #8 requesting EVENT_RETRANSMIT-pe@0x561a1d288308 be deleted 
Oct 31 15:24:56.298185: | libevent_free: delref ptr-libevent@0x561a1d2800f8 Oct 31 15:24:56.298187: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x561a1d288308 Oct 31 15:24:56.298192: | #8 STATE_PARENT_I1: retransmits: cleared Oct 31 15:24:56.298194: | in connection_discard for connection north-eastnets/0x1 Oct 31 15:24:56.298195: | delref fd@NULL (in delete_pending() at pending.c:218) Oct 31 15:24:56.298197: | removing pending policy for "north-eastnets/0x1" {0x561a1d287e88} Oct 31 15:24:56.298206: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:24:56.298209: | picked newest_isakmp_sa #0 for #8 Oct 31 15:24:56.298211: "north-eastnets/0x2" #8: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Oct 31 15:24:56.298213: | add revival: connection 'north-eastnets/0x2' added to the list and scheduled for 5 seconds Oct 31 15:24:56.298215: | global one-shot timer EVENT_REVIVE_CONNS scheduled in 5 seconds Oct 31 15:24:56.298219: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:56.298221: | State DB: deleting IKEv2 state #8 in PARENT_I1 Oct 31 15:24:56.298223: | parent state #8: PARENT_I1(half-open IKE SA) => UNDEFINED(ignore) Oct 31 15:24:56.298225: | releasing #8's fd-fd@(nil) because deleting state Oct 31 15:24:56.298226: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:56.298228: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:56.298230: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:56.298241: | stop processing: state #8 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:56.298244: | delref logger@0x561a1d27f9e8(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:56.298246: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:56.298247: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:56.298249: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 
15:24:56.298251: | state #4 Oct 31 15:24:56.298253: | start processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:24:56.298255: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:24:56.298257: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:24:56.298258: | pstats #4 ikev2.ike deleted other Oct 31 15:24:56.298260: | #4 main thread spent 1.02 (1.05) milliseconds helper thread spent 1.58 (1.65) milliseconds in total Oct 31 15:24:56.298263: | [RE]START processing: state #4 connection "north-eastnets/0x2" from 192.1.2.23:500 (in delete_state() at state.c:935) Oct 31 15:24:56.298264: | should_send_delete: no, not established Oct 31 15:24:56.298267: "north-eastnets/0x2" #4: deleting state (STATE_PARENT_R1) aged 1.9946s and NOT sending notification Oct 31 15:24:56.298269: | parent state #4: PARENT_R1(half-open IKE SA) => delete Oct 31 15:24:56.298270: | unsuspending #4 MD (nil) Oct 31 15:24:56.298272: | should_send_delete: no, not established Oct 31 15:24:56.298273: | state #4 deleting .st_event EVENT_SO_DISCARD Oct 31 15:24:56.298279: | libevent_free: delref ptr-libevent@0x561a1d2828b8 Oct 31 15:24:56.298281: | free_event_entry: delref EVENT_SO_DISCARD-pe@0x561a1d28db48 Oct 31 15:24:56.298282: | #4 STATE_PARENT_R1: retransmits: cleared Oct 31 15:24:56.298284: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:24:56.298286: | picked newest_isakmp_sa #0 for #4 Oct 31 15:24:56.298287: "north-eastnets/0x2" #4: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS Oct 31 15:24:56.298289: | in connection_discard for connection north-eastnets/0x2 Oct 31 15:24:56.298291: | State DB: deleting IKEv2 state #4 in PARENT_R1 Oct 31 15:24:56.298293: | parent state #4: PARENT_R1(half-open IKE SA) => UNDEFINED(ignore) Oct 31 15:24:56.298294: | releasing #4's 
fd-fd@(nil) because deleting state Oct 31 15:24:56.298296: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:56.298297: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:56.298299: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:56.298307: | stop processing: state #4 from 192.1.2.23:500 (in delete_state() at state.c:1239) Oct 31 15:24:56.298311: | delref logger@0x561a1d27f488(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:56.298312: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:56.298313: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:56.298315: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:24:56.298317: | pass 1 Oct 31 15:24:56.298318: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:24:56.298323: | shunt_eroute() called for connection 'north-eastnets/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.3.0/24:0 --0->- 192.0.22.0/24:0 Oct 31 15:24:56.298326: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.22.0/24:0 Oct 31 15:24:56.298328: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:56.298362: | priority calculation of connection "north-eastnets/0x2" is 2084814 (0x1fcfce) Oct 31 15:24:56.298376: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:56.298381: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:56.298384: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 Oct 31 15:24:56.298387: | conn north-eastnets/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:24:56.298390: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:56.298393: | route owner of "north-eastnets/0x2" unrouted: NULL Oct 31 15:24:56.298395: | running updown command "ipsec _updown" for verb unroute Oct 31 15:24:56.298398: | command executing unroute-client Oct 31 15:24:56.298425: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGU... 
Oct 31 15:24:56.298428: | popen cmd is 1088 chars long Oct 31 15:24:56.298431: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Oct 31 15:24:56.298436: | cmd( 80):/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PL: Oct 31 15:24:56.298439: | cmd( 160):UTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CL: Oct 31 15:24:56.298441: | cmd( 240):IENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.25: Oct 31 15:24:56.298444: | cmd( 320):5.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA: Oct 31 15:24:56.298446: | cmd( 400):_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='19: Oct 31 15:24:56.298449: | cmd( 480):2.0.22.0/24' PLUTO_PEER_CLIENT_NET='192.0.22.0' PLUTO_PEER_CLIENT_MASK='255.255.: Oct 31 15:24:56.298451: | cmd( 560):255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=: Oct 31 15:24:56.298453: | cmd( 640):'xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+I: Oct 31 15:24:56.298455: | cmd( 720):KEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLU: Oct 31 15:24:56.298458: | cmd( 800):TO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_: Oct 31 15:24:56.298462: | cmd( 880):INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUT: Oct 31 15:24:56.298465: | cmd( 960):O_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARE: Oct 31 15:24:56.298467: | cmd(1040):D='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:24:56.308947: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.308964: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.308967: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:56.308978: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.308992: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309006: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309027: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309035: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309067: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309097: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309107: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309125: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309137: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309150: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309164: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309252: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309261: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309264: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309715: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309728: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309742: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309759: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309773: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309789: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309804: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:56.309819: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309837: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.309851: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.313965: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:56.313978: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:56.313983: | newref clone logger@0x561a1d277c48(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:56.313986: | flush revival: connection 'north-eastnets/0x2' revival flushed Oct 31 15:24:56.313991: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:24:56.313993: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:24:56.314000: | Connection DB: deleting connection $2 Oct 31 15:24:56.314004: | delref logger@0x561a1d277c48(1->0) (in delete_connection() at connections.c:214) Oct 31 15:24:56.314007: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:56.314009: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:56.314012: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:24:56.314014: | pass 0 Oct 31 15:24:56.314017: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:24:56.314019: | pass 1 Oct 31 15:24:56.314021: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:24:56.314028: | shunt_eroute() called for connection 'north-eastnets/0x1' to 'delete' for rt_kind 'unrouted' using protoports 192.0.3.0/24:0 --0->- 192.0.2.0/24:0 Oct 31 15:24:56.314038: | netlink_shunt_eroute for proto 0, and source 192.0.3.0/24:0 dest 192.0.2.0/24:0 Oct 31 15:24:56.314042: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:56.314086: | priority calculation of connection "north-eastnets/0x1" is 2084814 (0x1fcfce) Oct 31 15:24:56.314099: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:56.314103: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 vs Oct 31 15:24:56.314106: | conn north-eastnets/0x1 mark 0/00000000, 0/00000000 Oct 31 15:24:56.314109: | route owner of "north-eastnets/0x1" unrouted: NULL Oct 31 15:24:56.314111: | running updown command "ipsec _updown" for verb unroute Oct 31 15:24:56.314114: | command executing unroute-client Oct 31 15:24:56.314143: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CLIENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='192.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURE... 
Oct 31 15:24:56.314146: | popen cmd is 1086 chars long Oct 31 15:24:56.314149: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-eastnets: Oct 31 15:24:56.314151: | cmd( 80):/0x1' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PL: Oct 31 15:24:56.314153: | cmd( 160):UTO_NEXT_HOP='192.1.2.23' PLUTO_ME='192.1.3.33' PLUTO_MY_ID='@north' PLUTO_MY_CL: Oct 31 15:24:56.314156: | cmd( 240):IENT='192.0.3.0/24' PLUTO_MY_CLIENT_NET='192.0.3.0' PLUTO_MY_CLIENT_MASK='255.25: Oct 31 15:24:56.314158: | cmd( 320):5.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA: Oct 31 15:24:56.314161: | cmd( 400):_TYPE='none' PLUTO_PEER='192.1.2.23' PLUTO_PEER_ID='@east' PLUTO_PEER_CLIENT='19: Oct 31 15:24:56.314163: | cmd( 480):2.0.2.0/24' PLUTO_PEER_CLIENT_NET='192.0.2.0' PLUTO_PEER_CLIENT_MASK='255.255.25: Oct 31 15:24:56.314165: | cmd( 560):5.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='x: Oct 31 15:24:56.314167: | cmd( 640):frm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+UP+IKE: Oct 31 15:24:56.314169: | cmd( 720):V2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: Oct 31 15:24:56.314172: | cmd( 800):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_IN: Oct 31 15:24:56.314174: | cmd( 880):FO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_: Oct 31 15:24:56.314176: | cmd( 960):CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED=: Oct 31 15:24:56.314179: | cmd(1040):'no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:24:56.326018: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326039: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326043: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:56.326046: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326049: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326054: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326066: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326074: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326084: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326105: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326109: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326113: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326125: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326135: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326145: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326153: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326165: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326189: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326569: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326579: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326588: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326608: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326983: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326990: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326993: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:56.326996: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.326998: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.327000: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:56.337532: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:56.337546: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:56.337549: | newref clone logger@0x561a1d277c48(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:56.337553: | delref hp@0x561a1d27d728(1->0) (in delete_oriented_hp() at hostpair.c:360) Oct 31 15:24:56.337555: | flush revival: connection 'north-eastnets/0x1' wasn't on the list Oct 31 15:24:56.337558: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:24:56.337559: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:24:56.337565: | Connection DB: deleting connection $1 Oct 31 15:24:56.337568: | delref logger@0x561a1d277c48(1->0) (in delete_connection() at connections.c:214) Oct 31 15:24:56.337569: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:56.337571: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:56.337573: | crl fetch request list locked by 'free_crl_fetch' Oct 31 15:24:56.337574: | crl fetch request list unlocked by 'free_crl_fetch' Oct 31 15:24:56.337578: | iface: marking eth1 dead Oct 31 15:24:56.337580: | iface: marking eth0 dead Oct 31 15:24:56.337581: | iface: marking lo dead Oct 31 15:24:56.337582: | updating interfaces - listing interfaces that are going down Oct 31 15:24:56.337587: shutting down interface lo 127.0.0.1:4500 Oct 31 15:24:56.337589: shutting down interface lo 127.0.0.1:500 Oct 31 15:24:56.337592: shutting down interface eth0 192.0.3.254:4500 Oct 31 15:24:56.337594: shutting down interface eth0 192.0.3.254:500 Oct 31 15:24:56.337596: shutting down interface eth1 192.1.3.33:4500 Oct 31 15:24:56.337598: shutting down interface eth1 192.1.3.33:500 Oct 
31 15:24:56.337599: | updating interfaces - deleting the dead Oct 31 15:24:56.337603: | FOR_EACH_STATE_... in delete_states_dead_interfaces Oct 31 15:24:56.337610: | libevent_free: delref ptr-libevent@0x561a1d272df8 Oct 31 15:24:56.337612: | delref id@0x561a1d276fc8(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337620: | libevent_free: delref ptr-libevent@0x561a1d236528 Oct 31 15:24:56.337622: | delref id@0x561a1d276fc8(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337630: | libevent_free: delref ptr-libevent@0x561a1d22b7e8 Oct 31 15:24:56.337632: | delref id@0x561a1d276ef8(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337637: | libevent_free: delref ptr-libevent@0x561a1d236628 Oct 31 15:24:56.337638: | delref id@0x561a1d276ef8(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337643: | libevent_free: delref ptr-libevent@0x561a1d233048 Oct 31 15:24:56.337644: | delref id@0x561a1d276dc8(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337649: | libevent_free: delref ptr-libevent@0x561a1d232f98 Oct 31 15:24:56.337651: | delref id@0x561a1d276dc8(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337654: | delref id@0x561a1d276dc8(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337656: | delref id@0x561a1d276ef8(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337658: | delref id@0x561a1d276fc8(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:24:56.337659: | updating interfaces - checking orientation Oct 31 15:24:56.337661: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Oct 31 15:24:56.339282: | libevent_free: delref ptr-libevent@0x561a1d272ea8 Oct 31 15:24:56.339291: | free_event_entry: delref EVENT_NULL-pe@0x561a1d276368 Oct 31 15:24:56.339296: | libevent_free: delref ptr-libevent@0x561a1d236428 Oct 31 15:24:56.339298: | free_event_entry: delref EVENT_NULL-pe@0x561a1d272d88 Oct 31 15:24:56.339300: | libevent_free: delref ptr-libevent@0x561a1d236378 Oct 31 15:24:56.339302: | free_event_entry: delref EVENT_NULL-pe@0x561a1d270d68 Oct 31 15:24:56.339304: | global timer EVENT_REINIT_SECRET uninitialized Oct 31 15:24:56.339305: | global timer EVENT_SHUNT_SCAN uninitialized Oct 31 15:24:56.339307: | global timer EVENT_PENDING_DDNS uninitialized Oct 31 15:24:56.339308: | global timer EVENT_PENDING_PHASE2 uninitialized Oct 31 15:24:56.339309: | global timer EVENT_CHECK_CRLS uninitialized Oct 31 15:24:56.339311: | global timer EVENT_REVIVE_CONNS uninitialized Oct 31 15:24:56.339312: | global timer EVENT_FREE_ROOT_CERTS uninitialized Oct 31 15:24:56.339313: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Oct 31 15:24:56.339315: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Oct 31 15:24:56.339318: | libevent_free: delref ptr-libevent@0x561a1d1c90f8 Oct 31 15:24:56.339319: | signal event handler PLUTO_SIGCHLD uninstalled Oct 31 15:24:56.339321: | libevent_free: delref ptr-libevent@0x561a1d1c8918 Oct 31 15:24:56.339323: | signal event handler PLUTO_SIGTERM uninstalled Oct 31 15:24:56.339328: | libevent_free: delref ptr-libevent@0x561a1d276588 Oct 31 15:24:56.339333: | signal event handler PLUTO_SIGHUP uninstalled Oct 31 15:24:56.339338: | libevent_free: delref ptr-libevent@0x561a1d2767c8 Oct 31 15:24:56.339341: | signal event handler PLUTO_SIGSYS uninstalled Oct 31 15:24:56.339343: | releasing event base Oct 31 15:24:56.339369: | libevent_free: delref ptr-libevent@0x561a1d276698 Oct 31 15:24:56.339372: | libevent_free: delref ptr-libevent@0x561a1d265a88 Oct 31 15:24:56.339389: | libevent_free: delref 
ptr-libevent@0x561a1d265a38 Oct 31 15:24:56.339392: | libevent_free: delref ptr-libevent@0x561a1d279638 Oct 31 15:24:56.339394: | libevent_free: delref ptr-libevent@0x561a1d265c38 Oct 31 15:24:56.339397: | libevent_free: delref ptr-libevent@0x561a1d269e58 Oct 31 15:24:56.339400: | libevent_free: delref ptr-libevent@0x561a1d269c68 Oct 31 15:24:56.339402: | libevent_free: delref ptr-libevent@0x561a1d265c78 Oct 31 15:24:56.339405: | libevent_free: delref ptr-libevent@0x561a1d269a78 Oct 31 15:24:56.339408: | libevent_free: delref ptr-libevent@0x561a1d269438 Oct 31 15:24:56.339410: | libevent_free: delref ptr-libevent@0x561a1d277ab8 Oct 31 15:24:56.339412: | libevent_free: delref ptr-libevent@0x561a1d277a78 Oct 31 15:24:56.339413: | libevent_free: delref ptr-libevent@0x561a1d277a38 Oct 31 15:24:56.339415: | libevent_free: delref ptr-libevent@0x561a1d2779f8 Oct 31 15:24:56.339416: | libevent_free: delref ptr-libevent@0x561a1d2779b8 Oct 31 15:24:56.339417: | libevent_free: delref ptr-libevent@0x561a1d277978 Oct 31 15:24:56.339421: | libevent_free: delref ptr-libevent@0x561a1d25c208 Oct 31 15:24:56.339427: | libevent_free: delref ptr-libevent@0x561a1d276548 Oct 31 15:24:56.339430: | libevent_free: delref ptr-libevent@0x561a1d276508 Oct 31 15:24:56.339433: | libevent_free: delref ptr-libevent@0x561a1d269ab8 Oct 31 15:24:56.339435: | libevent_free: delref ptr-libevent@0x561a1d276658 Oct 31 15:24:56.339437: | libevent_free: delref ptr-libevent@0x561a1d2763d8 Oct 31 15:24:56.339440: | libevent_free: delref ptr-libevent@0x561a1d238868 Oct 31 15:24:56.339441: | libevent_free: delref ptr-libevent@0x561a1d2380c8 Oct 31 15:24:56.339443: | libevent_free: delref ptr-libevent@0x561a1d22f0a8 Oct 31 15:24:56.339444: | releasing global libevent data Oct 31 15:24:56.339446: | libevent_free: delref ptr-libevent@0x561a1d238408 Oct 31 15:24:56.339448: | libevent_free: delref ptr-libevent@0x561a1d1c88b8 Oct 31 15:24:56.339450: | libevent_free: delref ptr-libevent@0x561a1d2388e8 Oct 31 
15:24:56.339482: leak detective found no leaks