Oct 31 15:24:53.846957: | newref logger@0x56001d1bbbb8(0->1) (in main() at plutomain.c:1591)
Oct 31 15:24:53.846995: | delref logger@0x56001d1bbbb8(1->0) (in main() at plutomain.c:1592)
Oct 31 15:24:53.846999: | delref fd@NULL (in free_logger() at log.c:853)
Oct 31 15:24:53.847001: | delref fd@NULL (in free_logger() at log.c:854)
Oct 31 15:24:53.847004: NSS DB directory: sql:/var/lib/ipsec/nss
Oct 31 15:24:53.847163: Initializing NSS
Oct 31 15:24:53.847170: Opening NSS database "sql:/var/lib/ipsec/nss" read-only
Oct 31 15:24:53.877508: FIPS Mode: NO
Oct 31 15:24:53.877523: NSS crypto library initialized
Oct 31 15:24:53.877557: FIPS mode disabled for pluto daemon
Oct 31 15:24:53.877563: FIPS HMAC integrity support [disabled]
Oct 31 15:24:53.877637: libcap-ng support [enabled]
Oct 31 15:24:53.877644: Linux audit support [enabled]
Oct 31 15:24:53.877659: Linux audit activated
Oct 31 15:24:53.877665: Starting Pluto (Libreswan Version v4.1-88-gf1d1933837ef-main IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2152624
Oct 31 15:24:53.877667: core dump dir: /tmp
Oct 31 15:24:53.877669: secrets file: /etc/ipsec.secrets
Oct 31 15:24:53.877670: leak-detective enabled
Oct 31 15:24:53.877671: NSS crypto [enabled]
Oct 31 15:24:53.877673: XAUTH PAM support [enabled]
Oct 31 15:24:53.877727: | libevent is using pluto's memory allocator
Oct 31 15:24:53.877732: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Oct 31 15:24:53.877741: | libevent_malloc: newref ptr-libevent@0x56001d23f008 size 40
Oct 31 15:24:53.877743: | libevent_malloc: newref ptr-libevent@0x56001d233118 size 40
Oct 31 15:24:53.877745: | libevent_malloc: newref ptr-libevent@0x56001d23f4e8 size 40
Oct 31 15:24:53.877747: | creating event base
Oct 31 15:24:53.877748: | libevent_malloc: newref ptr-libevent@0x56001d23f7e8 size 56
Oct 31 15:24:53.877751: | libevent_malloc: newref ptr-libevent@0x56001d235c18 size 664
Oct 31 15:24:53.877760: | libevent_malloc: newref ptr-libevent@0x56001d26c498 size 24
Oct 31 15:24:53.877761: | libevent_malloc: newref ptr-libevent@0x56001d26c4e8 size 384
Oct 31 15:24:53.877771: | libevent_malloc: newref ptr-libevent@0x56001d26c698 size 16
Oct 31 15:24:53.877773: | libevent_malloc: newref ptr-libevent@0x56001d23f468 size 40
Oct 31 15:24:53.877774: | libevent_malloc: newref ptr-libevent@0x56001d23ecc8 size 48
Oct 31 15:24:53.877778: | libevent_realloc: newref ptr-libevent@0x56001d26c6d8 size 256
Oct 31 15:24:53.877780: | libevent_malloc: newref ptr-libevent@0x56001d26c808 size 16
Oct 31 15:24:53.877784: | libevent_free: delref ptr-libevent@0x56001d23f7e8
Oct 31 15:24:53.877786: | libevent initialized
Oct 31 15:24:53.877790: | libevent_realloc: newref ptr-libevent@0x56001d23f7e8 size 64
Oct 31 15:24:53.877792: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Oct 31 15:24:53.877794: | init_nat_traversal() initialized with keep_alive=0s
Oct 31 15:24:53.877796: NAT-Traversal support [enabled]
Oct 31 15:24:53.877797: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Oct 31 15:24:53.877800: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Oct 31 15:24:53.877803: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Oct 31 15:24:53.877815: | checking IKEv1 state table
Oct 31 15:24:53.877819: | MAIN_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.877821: | -> MAIN_R1 EVENT_SO_DISCARD (main_inI1_outR1)
Oct 31 15:24:53.877824: | MAIN_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.877825: | -> MAIN_I2 EVENT_RETRANSMIT (main_inR1_outI2)
Oct 31 15:24:53.877827: | MAIN_R1: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877828: | -> MAIN_R2 EVENT_RETRANSMIT (main_inI2_outR2)
Oct 31 15:24:53.877830: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected)
Oct 31 15:24:53.877831: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected)
Oct 31 15:24:53.877833: | MAIN_I2: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877843: | -> MAIN_I3 EVENT_RETRANSMIT (main_inR2_outI3)
Oct 31 15:24:53.877847: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected)
Oct 31 15:24:53.877849: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected)
Oct 31 15:24:53.877853: | MAIN_R2: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877855: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3)
Oct 31 15:24:53.877858: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3)
Oct 31 15:24:53.877860: | -> MAIN_R2 EVENT_SA_REPLACE (unexpected)
Oct 31 15:24:53.877863: | MAIN_I3: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877865: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3)
Oct 31 15:24:53.877867: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3)
Oct 31 15:24:53.877870: | -> MAIN_I3 EVENT_SA_REPLACE (unexpected)
Oct 31 15:24:53.877873: | MAIN_R3: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877875: | -> MAIN_R3 EVENT_NULL (unexpected)
Oct 31 15:24:53.877878: | MAIN_I4: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877881: | -> MAIN_I4 EVENT_NULL (unexpected)
Oct 31 15:24:53.877884: | AGGR_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.877887: | -> AGGR_R1 EVENT_SO_DISCARD (aggr_inI1_outR1)
Oct 31 15:24:53.877890: | AGGR_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.877892: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2)
Oct 31 15:24:53.877895: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2)
Oct 31 15:24:53.877897: | AGGR_R1: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877898: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2)
Oct 31 15:24:53.877904: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2)
Oct 31 15:24:53.877906: | AGGR_I2: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877907: | -> AGGR_I2 EVENT_NULL (unexpected)
Oct 31 15:24:53.877909: | AGGR_R2: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877910: | -> AGGR_R2 EVENT_NULL (unexpected)
Oct 31 15:24:53.877912: | QUICK_R0: category: established CHILD SA; flags: 0:
Oct 31 15:24:53.877913: | -> QUICK_R1 EVENT_RETRANSMIT (quick_inI1_outR1)
Oct 31 15:24:53.877915: | QUICK_I1: category: established CHILD SA; flags: 0:
Oct 31 15:24:53.877916: | -> QUICK_I2 EVENT_SA_REPLACE (quick_inR1_outI2)
Oct 31 15:24:53.877918: | QUICK_R1: category: established CHILD SA; flags: 0:
Oct 31 15:24:53.877919: | -> QUICK_R2 EVENT_SA_REPLACE (quick_inI2)
Oct 31 15:24:53.877921: | QUICK_I2: category: established CHILD SA; flags: 0:
Oct 31 15:24:53.877922: | -> QUICK_I2 EVENT_NULL (unexpected)
Oct 31 15:24:53.877924: | QUICK_R2: category: established CHILD SA; flags: 0:
Oct 31 15:24:53.877925: | -> QUICK_R2 EVENT_NULL (unexpected)
Oct 31 15:24:53.877926: | INFO: category: informational; flags: 0:
Oct 31 15:24:53.877928: | -> INFO EVENT_NULL (informational)
Oct 31 15:24:53.877929: | INFO_PROTECTED: category: informational; flags: 0:
Oct 31 15:24:53.877931: | -> INFO_PROTECTED EVENT_NULL (informational)
Oct 31 15:24:53.877932: | XAUTH_R0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877934: | -> XAUTH_R1 EVENT_NULL (xauth_inR0)
Oct 31 15:24:53.877935: | XAUTH_R1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877937: | -> MAIN_R3 EVENT_SA_REPLACE (xauth_inR1)
Oct 31 15:24:53.877938: | MODE_CFG_R0: category: informational; flags: 0:
Oct 31 15:24:53.877940: | -> MODE_CFG_R1 EVENT_SA_REPLACE (modecfg_inR0)
Oct 31 15:24:53.877941: | MODE_CFG_R1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877943: | -> MODE_CFG_R2 EVENT_SA_REPLACE (modecfg_inR1)
Oct 31 15:24:53.877944: | MODE_CFG_R2: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877946: | -> MODE_CFG_R2 EVENT_NULL (unexpected)
Oct 31 15:24:53.877947: | MODE_CFG_I1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877948: | -> MAIN_I4 EVENT_SA_REPLACE (modecfg_inR1)
Oct 31 15:24:53.877950: | XAUTH_I0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877951: | -> XAUTH_I1 EVENT_RETRANSMIT (xauth_inI0)
Oct 31 15:24:53.877955: | XAUTH_I1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877957: | -> MAIN_I4 EVENT_RETRANSMIT (xauth_inI1)
Oct 31 15:24:53.877961: | checking IKEv2 state table
Oct 31 15:24:53.877968: | V2_REKEY_IKE_I0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877969: | -> V2_REKEY_IKE_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Oct 31 15:24:53.877972: | V2_REKEY_CHILD_I0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877974: | -> V2_REKEY_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Oct 31 15:24:53.877975: | V2_NEW_CHILD_I0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.877977: | -> V2_NEW_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Oct 31 15:24:53.877979: | PARENT_I0: category: ignore; flags: 0:
Oct 31 15:24:53.877980: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Oct 31 15:24:53.877982: | PARENT_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.877983: | -> PARENT_I0 EVENT_SO_DISCARD (received anti-DDOS COOKIE notify response; resending IKE_SA_INIT request with cookie payload added)
Oct 31 15:24:53.877989: | -> PARENT_I0 EVENT_SO_DISCARD (received IKE_SA_INIT INVALID_KE_PAYLOAD notify response; resending IKE_SA_INIT with new KE payload)
Oct 31 15:24:53.877990: | -> IKESA_DEL EVENT_v2_REDIRECT (received REDIRECT notify response; resending IKE_SA_INIT request to new destination)
Oct 31 15:24:53.877992: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE)
Oct 31 15:24:53.877994: | PARENT_I2: category: open IKE SA; flags: 0:
Oct 31 15:24:53.877995: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_INTERMEDIATE reply, initiate IKE_AUTH or IKE_INTERMEDIATE)
Oct 31 15:24:53.877997: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Oct 31 15:24:53.877999: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Oct 31 15:24:53.878001: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Oct 31 15:24:53.878003: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Oct 31 15:24:53.878006: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Oct 31 15:24:53.878009: | PARENT_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.878011: | -> PARENT_R1 EVENT_SO_DISCARD send-response (Respond to IKE_SA_INIT)
Oct 31 15:24:53.878014: | PARENT_R1: category: half-open IKE SA; flags: 0:
Oct 31 15:24:53.878016: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request (no SKEYSEED))
Oct 31 15:24:53.878018: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (no SKEYSEED))
Oct 31 15:24:53.878020: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (with SKEYSEED))
Oct 31 15:24:53.878022: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request)
Oct 31 15:24:53.878024: | V2_REKEY_IKE_R0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878026: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IKE Rekey)
Oct 31 15:24:53.878029: | V2_REKEY_IKE_I1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878031: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Oct 31 15:24:53.878033: | V2_NEW_CHILD_I1: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878035: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Oct 31 15:24:53.878038: | V2_REKEY_CHILD_R0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878040: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA rekey CHILD SA request)
Oct 31 15:24:53.878043: | V2_NEW_CHILD_R0: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878047: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IPsec SA Request)
Oct 31 15:24:53.878049: | ESTABLISHED_IKE_SA: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878051: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request (liveness probe))
Oct 31 15:24:53.878054: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response (liveness probe))
Oct 31 15:24:53.878056: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request)
Oct 31 15:24:53.878058: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response)
Oct 31 15:24:53.878060: | IKESA_DEL: category: established IKE SA; flags: 0:
Oct 31 15:24:53.878062: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Oct 31 15:24:53.878065: | CHILDSA_DEL: category: informational; flags: 0:
Oct 31 15:24:53.878067: | -> CHILDSA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Oct 31 15:24:53.878071: | global one-shot timer EVENT_REVIVE_CONNS initialized
Oct 31 15:24:53.878075: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Oct 31 15:24:53.878077: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Oct 31 15:24:53.878240: Encryption algorithms:
Oct 31 15:24:53.878257: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Oct 31 15:24:53.878263: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Oct 31 15:24:53.878268: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Oct 31 15:24:53.878272: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Oct 31 15:24:53.878276: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Oct 31 15:24:53.878281: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Oct 31 15:24:53.878286: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Oct 31 15:24:53.878290: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Oct 31 15:24:53.878295: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Oct 31 15:24:53.878299: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Oct 31 15:24:53.878304: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Oct 31 15:24:53.878308: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Oct 31 15:24:53.878311: NULL [] IKEv1: ESP IKEv2: ESP
Oct 31 15:24:53.878315: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Oct 31 15:24:53.878318: Hash algorithms:
Oct 31 15:24:53.878321: MD5 IKEv1: IKE IKEv2: NSS
Oct 31 15:24:53.878325: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Oct 31 15:24:53.878328: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Oct 31 15:24:53.878331: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Oct 31 15:24:53.878335: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Oct 31 15:24:53.878337: PRF algorithms:
Oct 31 15:24:53.878340: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Oct 31 15:24:53.878344: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Oct 31 15:24:53.878348: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Oct 31 15:24:53.878355: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Oct 31 15:24:53.878359: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Oct 31 15:24:53.878362: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Oct 31 15:24:53.878364: Integrity algorithms:
Oct 31 15:24:53.878368: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Oct 31 15:24:53.878372: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Oct 31 15:24:53.878376: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Oct 31 15:24:53.878380: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Oct 31 15:24:53.878385: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Oct 31 15:24:53.878388: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Oct 31 15:24:53.878392: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Oct 31 15:24:53.878396: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Oct 31 15:24:53.878400: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Oct 31 15:24:53.878402: DH algorithms:
Oct 31 15:24:53.878406: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Oct 31 15:24:53.878409: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Oct 31 15:24:53.878413: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Oct 31 15:24:53.878415: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Oct 31 15:24:53.878419: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Oct 31 15:24:53.878422: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Oct 31 15:24:53.878427: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Oct 31 15:24:53.878430: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Oct 31 15:24:53.878434: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Oct 31 15:24:53.878437: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Oct 31 15:24:53.878441: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Oct 31 15:24:53.878443: testing CAMELLIA_CBC:
Oct 31 15:24:53.878446: Camellia: 16 bytes with 128-bit key
Oct 31 15:24:53.878529: Camellia: 16 bytes with 128-bit key
Oct 31 15:24:53.878568: Camellia: 16 bytes with 256-bit key
Oct 31 15:24:53.878604: Camellia: 16 bytes with 256-bit key
Oct 31 15:24:53.878640: testing AES_GCM_16:
Oct 31 15:24:53.878644: empty string
Oct 31 15:24:53.878678: one block
Oct 31 15:24:53.878710: two blocks
Oct 31 15:24:53.878744: two blocks with associated data
Oct 31 15:24:53.878776: testing AES_CTR:
Oct 31 15:24:53.878780: Encrypting 16 octets using AES-CTR with 128-bit key
Oct 31 15:24:53.878814: Encrypting 32 octets using AES-CTR with 128-bit key
Oct 31 15:24:53.878849: Encrypting 36 octets using AES-CTR with 128-bit key
Oct 31 15:24:53.878886: Encrypting 16 octets using AES-CTR with 192-bit key
Oct 31 15:24:53.878922: Encrypting 32 octets using AES-CTR with 192-bit key
Oct 31 15:24:53.878957: Encrypting 36 octets using AES-CTR with 192-bit key
Oct 31 15:24:53.878993: Encrypting 16 octets using AES-CTR with 256-bit key
Oct 31 15:24:53.879026: Encrypting 32 octets using AES-CTR with 256-bit key
Oct 31 15:24:53.879060: Encrypting 36 octets using AES-CTR with 256-bit key
Oct 31 15:24:53.879095: testing AES_CBC:
Oct 31 15:24:53.879098: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Oct 31 15:24:53.879129: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Oct 31 15:24:53.879164: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Oct 31 15:24:53.879205: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Oct 31 15:24:53.879252: testing AES_XCBC:
Oct 31 15:24:53.879257: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Oct 31 15:24:53.879366: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Oct 31 15:24:53.879446: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Oct 31 15:24:53.879555: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Oct 31 15:24:53.879690: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Oct 31 15:24:53.879817: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Oct 31 15:24:53.879901: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Oct 31 15:24:53.880118: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Oct 31 15:24:53.880273: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Oct 31 15:24:53.880363: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Oct 31 15:24:53.880499: testing HMAC_MD5:
Oct 31 15:24:53.880502: RFC 2104: MD5_HMAC test 1
Oct 31 15:24:53.880607: RFC 2104: MD5_HMAC test 2
Oct 31 15:24:53.880729: RFC 2104: MD5_HMAC test 3
Oct 31 15:24:53.880841: 8 CPU cores online
Oct 31 15:24:53.880844: starting up 7 helper threads
Oct 31 15:24:53.880878: started thread for helper 0
Oct 31 15:24:53.880885: | starting helper thread 1
Oct 31 15:24:53.880892: seccomp security disabled for crypto helper 1
Oct 31 15:24:53.880898: | status value returned by setting the priority of this helper thread 1: 22
Oct 31 15:24:53.880901: | helper thread 1 has nothing to do
Oct 31 15:24:53.880905: started thread for helper 1
Oct 31 15:24:53.880912: | starting helper thread 2
Oct 31 15:24:53.880917: seccomp security disabled for crypto helper 2
Oct 31 15:24:53.880921: | status value returned by setting the priority of this helper thread 2: 22
Oct 31 15:24:53.880923: | helper thread 2 has nothing to do
Oct 31 15:24:53.880934: started thread for helper 2
Oct 31 15:24:53.880939: | starting helper thread 3
Oct 31 15:24:53.880941: seccomp security disabled for crypto helper 3
Oct 31 15:24:53.880946: | status value returned by setting the priority of this helper thread 3: 22
Oct 31 15:24:53.880950: | helper thread 3 has nothing to do
Oct 31 15:24:53.880959: started thread for helper 3
Oct 31 15:24:53.880964: | starting helper thread 4
Oct 31 15:24:53.880968: seccomp security disabled for crypto helper 4
Oct 31 15:24:53.880971: | status value returned by setting the priority of this helper thread 4: 22
Oct 31 15:24:53.880973: | helper thread 4 has nothing to do
Oct 31 15:24:53.880984: started thread for helper 4
Oct 31 15:24:53.880989: | starting helper thread 5
Oct 31 15:24:53.880992: seccomp security disabled for crypto helper 5
Oct 31 15:24:53.880996: | status value returned by setting the priority of this helper thread 5: 22
Oct 31 15:24:53.880998: | helper thread 5 has nothing to do
Oct 31 15:24:53.881008: started thread for helper 5
Oct 31 15:24:53.881015: | starting helper thread 6
Oct 31 15:24:53.881023: seccomp security disabled for crypto helper 6
Oct 31 15:24:53.881026: | status value returned by setting the priority of this helper thread 6: 22
Oct 31 15:24:53.881045: | helper thread 6 has nothing to do
Oct 31 15:24:53.881036: | starting helper thread 7
Oct 31 15:24:53.881054: seccomp security disabled for crypto helper 7
Oct 31 15:24:53.881062: | status value returned by setting the priority of this helper thread 7: 22
Oct 31 15:24:53.881065: | helper thread 7 has nothing to do
Oct 31 15:24:53.881030: started thread for helper 6
Oct 31 15:24:53.881089: Using Linux XFRM/NETKEY IPsec kernel support code on 5.8.15-201.fc32.x86_64
Oct 31 15:24:53.881142: | Hard-wiring algorithms
Oct 31 15:24:53.881146: | adding AES_CCM_16 to kernel algorithm db
Oct 31 15:24:53.881152: | adding AES_CCM_12 to kernel algorithm db
Oct 31 15:24:53.881154: | adding AES_CCM_8 to kernel algorithm db
Oct 31 15:24:53.881155: | adding 3DES_CBC to kernel algorithm db
Oct 31 15:24:53.881157: | adding CAMELLIA_CBC to kernel algorithm db
Oct 31 15:24:53.881159: | adding AES_GCM_16 to kernel algorithm db
Oct 31 15:24:53.881160: | adding AES_GCM_12 to kernel algorithm db
Oct 31 15:24:53.881162: | adding AES_GCM_8 to kernel algorithm db
Oct 31 15:24:53.881163: | adding AES_CTR to kernel algorithm db
Oct 31 15:24:53.881164: | adding AES_CBC to kernel algorithm db
Oct 31 15:24:53.881166: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Oct 31 15:24:53.881168: | adding NULL to kernel algorithm db
Oct 31 15:24:53.881169: | adding CHACHA20_POLY1305 to kernel algorithm db
Oct 31 15:24:53.881171: | adding HMAC_MD5_96 to kernel algorithm db
Oct 31 15:24:53.881172: | adding HMAC_SHA1_96 to kernel algorithm db
Oct 31 15:24:53.881174: | adding HMAC_SHA2_512_256 to kernel algorithm db
Oct 31 15:24:53.881176: | adding HMAC_SHA2_384_192 to kernel algorithm db
Oct 31 15:24:53.881177: | adding HMAC_SHA2_256_128 to kernel algorithm db
Oct 31 15:24:53.881179: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Oct 31 15:24:53.881180: | adding AES_XCBC_96 to kernel algorithm db
Oct 31 15:24:53.881182: | adding AES_CMAC_96 to kernel algorithm db
Oct 31 15:24:53.881184: | adding NONE to kernel algorithm db
Oct 31 15:24:53.881234: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Oct 31 15:24:53.881247: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Oct 31 15:24:53.881250: | setup kernel fd callback
Oct 31 15:24:53.881254: | add_fd_read_event_handler: newref KERNEL_XRM_FD-pe@0x56001d275ff8
Oct 31 15:24:53.881257: | libevent_malloc: newref ptr-libevent@0x56001d23cf78 size 128
Oct 31 15:24:53.881261: | libevent_malloc: newref ptr-libevent@0x56001d270608 size 16
Oct 31 15:24:53.881268: | add_fd_read_event_handler: newref KERNEL_ROUTE_FD-pe@0x56001d279a08
Oct 31 15:24:53.881272: | libevent_malloc: newref ptr-libevent@0x56001d23d028 size 128
Oct 31 15:24:53.881274: | libevent_malloc: newref ptr-libevent@0x56001d26ffc8 size 16
Oct 31 15:24:53.881484: | global one-shot timer EVENT_CHECK_CRLS initialized
Oct 31 15:24:53.881514: SELinux support is enabled in PERMISSIVE mode.
Oct 31 15:24:53.881688: | unbound context created - setting debug level to 5
Oct 31 15:24:53.881729: | /etc/hosts lookups activated
Oct 31 15:24:53.881744: | /etc/resolv.conf usage activated
Oct 31 15:24:53.881784: | outgoing-port-avoid set 0-65535
Oct 31 15:24:53.881814: | outgoing-port-permit set 32768-60999
Oct 31 15:24:53.881818: | loading dnssec root key from:/var/lib/unbound/root.key
Oct 31 15:24:53.881822: | no additional dnssec trust anchors defined via dnssec-trusted= option
Oct 31 15:24:53.881825: | Setting up events, loop start
Oct 31 15:24:53.881828: | add_fd_read_event_handler: newref PLUTO_CTL_FD-pe@0x56001d27cf68
Oct 31 15:24:53.881832: | libevent_malloc: newref ptr-libevent@0x56001d279b28 size 128
Oct 31 15:24:53.881835: | libevent_malloc: newref ptr-libevent@0x56001d2709e8 size 16
Oct 31 15:24:53.881842: | libevent_realloc: newref ptr-libevent@0x56001d27cfd8 size 256
Oct 31 15:24:53.881845: | libevent_malloc: newref ptr-libevent@0x56001d270648 size 8
Oct 31 15:24:53.881848: | libevent_realloc: newref ptr-libevent@0x56001d271048 size 144
Oct 31 15:24:53.881851: | libevent_malloc: newref ptr-libevent@0x56001d2333d8 size 152
Oct 31 15:24:53.881854: | libevent_malloc: newref ptr-libevent@0x56001d2707f8 size 16
Oct 31 15:24:53.881859: | signal event handler PLUTO_SIGCHLD installed
Oct 31 15:24:53.881865: | libevent_malloc: newref ptr-libevent@0x56001d27d108 size 8
Oct 31 15:24:53.881869: | libevent_malloc: newref ptr-libevent@0x56001d1cfa38 size 152
Oct 31 15:24:53.881872: | signal event handler PLUTO_SIGTERM installed
Oct 31 15:24:53.881874: | libevent_malloc: newref ptr-libevent@0x56001d27d148 size 8
Oct 31 15:24:53.881877: | libevent_malloc: newref ptr-libevent@0x56001d1cf798 size 152
Oct 31 15:24:53.881880: | signal event handler PLUTO_SIGHUP installed
Oct 31 15:24:53.881883: | libevent_malloc: newref ptr-libevent@0x56001d27d188 size 8
Oct 31 15:24:53.881886: | libevent_realloc: delref ptr-libevent@0x56001d271048
Oct 31 15:24:53.881888: | libevent_realloc: newref ptr-libevent@0x56001d27d1c8 size 256
Oct 31 15:24:53.881891: | libevent_malloc: newref ptr-libevent@0x56001d27d2f8 size 152
Oct 31 15:24:53.881894: | signal event handler PLUTO_SIGSYS installed
Oct 31 15:24:53.882261: | created addconn helper (pid:2152668) using fork+execve
Oct 31 15:24:53.882283: | forked child 2152668
Oct 31 15:24:53.882295: seccomp security disabled
Oct 31 15:24:53.886764: | newref struct fd@0x56001d27d458(0->1) (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:24:53.886776: | fd_accept: new fd-fd@0x56001d27d458 (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:24:53.886787: | whack: listen
Oct 31 15:24:53.886790: listening for IKE messages
Oct 31 15:24:53.887078: | Inspecting interface lo
Oct 31 15:24:53.887085: | found lo with address 127.0.0.1
Oct 31 15:24:53.887088: | Inspecting interface eth0
Oct 31 15:24:53.887091: | found eth0 with address 192.0.2.254
Oct 31 15:24:53.887093: | Inspecting interface eth1
Oct 31 15:24:53.887096: | found eth1 with address 192.1.2.23
Oct 31 15:24:53.887104: | newref struct iface_dev@0x56001d27d978(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:24:53.887121: Kernel supports NIC esp-hw-offload
Oct 31 15:24:53.887128: | iface: marking eth1 add
Oct 31 15:24:53.887131: | newref struct iface_dev@0x56001d27daa8(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:24:53.887133: | iface: marking eth0 add
Oct 31 15:24:53.887135: | newref struct iface_dev@0x56001d27db78(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:24:53.887138: | iface: marking lo add
Oct 31 15:24:53.887216: | no interfaces to sort
Oct 31 15:24:53.887235: | MSG_ERRQUEUE enabled on fd 18
Oct 31 15:24:53.887247: | addref ifd@0x56001d27d978(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887252: adding UDP interface eth1 192.1.2.23:500
Oct 31 15:24:53.887265: | MSG_ERRQUEUE enabled on fd 19
Oct 31 15:24:53.887290: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:24:53.887293: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:24:53.887295: | addref ifd@0x56001d27d978(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887298: adding UDP interface eth1 192.1.2.23:4500
Oct 31 15:24:53.887310: | MSG_ERRQUEUE enabled on fd 20
Oct 31 15:24:53.887316: | addref ifd@0x56001d27daa8(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887319: adding UDP interface eth0 192.0.2.254:500
Oct 31 15:24:53.887329: | MSG_ERRQUEUE enabled on fd 21
Oct 31 15:24:53.887334: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:24:53.887337: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:24:53.887339: | addref ifd@0x56001d27daa8(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887341: adding UDP interface eth0 192.0.2.254:4500
Oct 31 15:24:53.887351: | MSG_ERRQUEUE enabled on fd 22
Oct 31 15:24:53.887357: | addref ifd@0x56001d27db78(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887359: adding UDP interface lo 127.0.0.1:500
Oct 31 15:24:53.887378: | MSG_ERRQUEUE enabled on fd 23
Oct 31 15:24:53.887388: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:24:53.887392: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:24:53.887396: | addref ifd@0x56001d27db78(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:24:53.887400: adding UDP interface lo 127.0.0.1:4500
Oct 31 15:24:53.887411: | updating interfaces - listing interfaces that are going down
Oct 31 15:24:53.887413: | updating interfaces - checking orientation
Oct 31 15:24:53.887415: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Oct 31 15:24:53.887431: | libevent_malloc: newref ptr-libevent@0x56001d279a78 size 128
Oct 31 15:24:53.887434: | libevent_malloc: newref ptr-libevent@0x56001d27deb8 size 16
Oct 31 15:24:53.887440: | setup callback for interface lo 127.0.0.1:4500 fd 23 on UDP
Oct 31 15:24:53.887443: | libevent_malloc: newref ptr-libevent@0x56001d23d128 size 128
Oct 31 15:24:53.887444: | libevent_malloc: newref ptr-libevent@0x56001d27e558 size 16
Oct 31 15:24:53.887447: | setup callback for interface lo 127.0.0.1:500 fd 22 on UDP
Oct 31 15:24:53.887449: | libevent_malloc: newref ptr-libevent@0x56001d2323e8 size 128
Oct 31 15:24:53.887451: | libevent_malloc: newref ptr-libevent@0x56001d27e598 size 16
Oct 31 15:24:53.887454: | setup callback for interface eth0 192.0.2.254:4500 fd 21 on UDP
Oct 31 15:24:53.887455: | libevent_malloc: newref ptr-libevent@0x56001d23d228 size 128
Oct 31 15:24:53.887457: | libevent_malloc: newref ptr-libevent@0x56001d27e5d8 size 16
Oct 31 15:24:53.887460: | setup callback for interface eth0 192.0.2.254:500 fd 20 on UDP
Oct 31 15:24:53.887462: | libevent_malloc: newref ptr-libevent@0x56001d239c48 size 128
Oct 31 15:24:53.887464: | libevent_malloc: newref ptr-libevent@0x56001d27e618 size 16
Oct 31 15:24:53.887467: | setup callback for interface eth1 192.1.2.23:4500 fd 19 on UDP
Oct 31 15:24:53.887468: | libevent_malloc: newref ptr-libevent@0x56001d239b98 size 128
Oct 31 15:24:53.887470: | libevent_malloc: newref ptr-libevent@0x56001d27e658 size 16
Oct 31 15:24:53.887473: | setup callback for interface eth1 192.1.2.23:500 fd 18 on UDP
Oct 31 15:24:53.889105: | no stale xfrmi interface 'ipsec1' found
Oct 31 15:24:53.889116: | certs and keys locked by 'free_preshared_secrets'
Oct 31 15:24:53.889118: | certs and keys unlocked by 'free_preshared_secrets'
Oct 31 15:24:53.889139: loading secrets from "/etc/ipsec.secrets"
Oct 31 15:24:53.889153: | processing PSK at line 1: passed
Oct 31 15:24:53.889155: | certs and keys locked by 'process_secret'
Oct 31 15:24:53.889157: | certs and keys unlocked by 'process_secret' Oct 31 15:24:53.889161: | old food groups: Oct 31 15:24:53.889163: | new food groups: Oct 31 15:24:53.889166: | delref fd@0x56001d27d458(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.889172: | freeref fd-fd@0x56001d27d458 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.889178: | spent 0.83 (2.42) milliseconds in whack Oct 31 15:24:53.889415: | processing signal PLUTO_SIGCHLD Oct 31 15:24:53.889428: | waitpid returned pid 2152668 (exited with status 0) Oct 31 15:24:53.889431: | reaped addconn helper child (status 0) Oct 31 15:24:53.889435: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:53.889438: | spent 0.0138 (0.0136) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:53.904643: | newref struct fd@0x56001d27da48(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.904655: | fd_accept: new fd-fd@0x56001d27da48 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:53.904665: | whack: options (impair|debug) Oct 31 15:24:53.904669: | old debugging base+cpu-usage + none Oct 31 15:24:53.904671: | new debugging = base+cpu-usage Oct 31 15:24:53.904675: | delref fd@0x56001d27da48(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.904681: | freeref fd-fd@0x56001d27da48 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:53.904686: | spent 0.0539 (0.0534) milliseconds in whack Oct 31 15:24:54.023994: | newref struct fd@0x56001d27d498(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:54.024050: | fd_accept: new fd-fd@0x56001d27d498 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:54.024105: | whack: delete 'eastnet-any' Oct 31 15:24:54.024122: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:54.024134: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:24:54.024163: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:54.024175: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Oct 31 15:24:54.024188: | whack: connection 'eastnet-any' Oct 31 15:24:54.024264: | addref fd@0x56001d27d498(1->2) (in string_logger() at log.c:838) Oct 31 15:24:54.024293: | newref string logger@0x56001d270da8(0->1) (in add_connection() at connections.c:1998) Oct 31 15:24:54.024310: | Connection DB: adding connection "eastnet-any" $1 Oct 31 15:24:54.024334: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:24:54.024377: | added new connection eastnet-any with policy PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO Oct 31 15:24:54.024739: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Oct 31 15:24:54.024758: | from whack: got --esp= Oct 31 15:24:54.024980: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Oct 31 15:24:54.025001: | counting wild cards for (none) is 15 Oct 31 15:24:54.025021: | counting wild cards for @east is 0 Oct 31 15:24:54.025037: | left.host_addr's is %any; skipping default_end() Oct 31 15:24:54.025049: | updating connection from right.host_addr Oct 31 15:24:54.025068: | left host_nexthop 192.1.2.23 Oct 31 15:24:54.025079: | right host_port 500 Oct 31 15:24:54.025100: | based upon policy, the connection is a template. 
Oct 31 15:24:54.025112: | orienting eastnet-any Oct 31 15:24:54.025134: | eastnet-any doesn't match 127.0.0.1:4500 at all Oct 31 15:24:54.025153: | eastnet-any doesn't match 127.0.0.1:500 at all Oct 31 15:24:54.025171: | eastnet-any doesn't match 192.0.2.254:4500 at all Oct 31 15:24:54.025188: | eastnet-any doesn't match 192.0.2.254:500 at all Oct 31 15:24:54.025224: | eastnet-any doesn't match 192.1.2.23:4500 at all Oct 31 15:24:54.025246: | oriented eastnet-any's this Oct 31 15:24:54.025273: | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:0 -> hp@(nil): none Oct 31 15:24:54.025303: | newref hp@0x56001d280798(0->1) (in connect_to_host_pair() at hostpair.c:290) Oct 31 15:24:54.025318: added IKEv2 connection "eastnet-any" Oct 31 15:24:54.025366: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO Oct 31 15:24:54.025409: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...%any===192.0.1.0/24 Oct 31 15:24:54.025467: | delref logger@0x56001d270da8(1->0) (in add_connection() at connections.c:2026) Oct 31 15:24:54.025482: | delref fd@0x56001d27d498(2->1) (in free_logger() at log.c:853) Oct 31 15:24:54.025494: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:54.025515: | delref fd@0x56001d27d498(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:54.025553: | freeref fd-fd@0x56001d27d498 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:54.025580: | spent 1.51 (1.62) milliseconds in whack Oct 31 15:24:55.140858: | spent 0.00274 (0.00277) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.140888: | newref struct msg_digest@0x56001d280848(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.140894: | newref alloc logger@0x56001d27d5c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.140901: | *received 828 bytes from 192.1.2.45:500 on eth1 192.1.2.23:500 using UDP Oct 31 
15:24:55.141026: | **parse ISAKMP Message: Oct 31 15:24:55.141030: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.141036: | responder SPI: 00 00 00 00 
00 00 00 00 Oct 31 15:24:55.141041: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:55.141044: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.141050: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:55.141054: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:55.141058: | Message ID: 0 (00 00 00 00) Oct 31 15:24:55.141062: | length: 828 (00 00 03 3c) Oct 31 15:24:55.141065: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31 15:24:55.141069: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Oct 31 15:24:55.141073: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Oct 31 15:24:55.141076: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:55.141080: | ***parse IKEv2 Security Association Payload: Oct 31 15:24:55.141083: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:24:55.141085: | flags: none (0x0) Oct 31 15:24:55.141088: | length: 436 (01 b4) Oct 31 15:24:55.141091: | processing payload: ISAKMP_NEXT_v2SA (len=432) Oct 31 15:24:55.141092: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:24:55.141094: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:24:55.141096: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:24:55.141097: | flags: none (0x0) Oct 31 15:24:55.141099: | length: 264 (01 08) Oct 31 15:24:55.141101: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.141102: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:24:55.141103: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:24:55.141105: | ***parse IKEv2 Nonce Payload: Oct 31 15:24:55.141107: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:55.141108: | flags: none (0x0) Oct 31 15:24:55.141110: | length: 36 (00 24) Oct 31 15:24:55.141112: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:24:55.141113: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:55.141115: | ***parse IKEv2 Notify 
Payload: Oct 31 15:24:55.141116: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:55.141117: | flags: none (0x0) Oct 31 15:24:55.141119: | length: 8 (00 08) Oct 31 15:24:55.141121: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.141123: | SPI size: 0 (00) Oct 31 15:24:55.141124: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:55.141126: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:24:55.141128: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:55.141129: | ***parse IKEv2 Notify Payload: Oct 31 15:24:55.141131: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:24:55.141132: | flags: none (0x0) Oct 31 15:24:55.141134: | length: 28 (00 1c) Oct 31 15:24:55.141135: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.141137: | SPI size: 0 (00) Oct 31 15:24:55.141138: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:55.141140: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:55.141141: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:24:55.141143: | ***parse IKEv2 Notify Payload: Oct 31 15:24:55.141144: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.141146: | flags: none (0x0) Oct 31 15:24:55.141147: | length: 28 (00 1c) Oct 31 15:24:55.141149: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.141150: | SPI size: 0 (00) Oct 31 15:24:55.141152: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:55.141153: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:24:55.141155: | DDOS disabled and no cookie sent, continuing Oct 31 15:24:55.141160: | looking for message matching transition from STATE_PARENT_R0 Oct 31 15:24:55.141162: | trying Respond to IKE_SA_INIT Oct 31 15:24:55.141164: | matched unencrypted message Oct 31 15:24:55.141168: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:24:55.141170: | 
find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:24:55.141172: | find_next_host_connection returns Oct 31 15:24:55.141174: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:24:55.141180: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Oct 31 15:24:55.141182: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:24:55.141184: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Oct 31 15:24:55.141185: | find_next_host_connection returns Oct 31 15:24:55.141188: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Oct 31 15:24:55.141191: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:24:55.141193: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:24:55.141194: | find_next_host_connection returns Oct 31 15:24:55.141196: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:24:55.141204: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Oct 31 15:24:55.141208: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:24:55.141210: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Oct 31 15:24:55.141211: | find_next_host_connection returns Oct 31 15:24:55.141214: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Oct 31 15:24:55.141217: | find_host_connection local=192.1.2.23:500 remote=192.1.2.45:500 policy=PSK+IKEV2_ALLOW but ignoring ports Oct 31 15:24:55.141218: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:24:55.141220: | find_next_host_connection returns Oct 31 15:24:55.141222: | find_host_connection local=192.1.2.23:500 remote= policy=PSK+IKEV2_ALLOW but 
ignoring ports Oct 31 15:24:55.141225: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Oct 31 15:24:55.141226: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:24:55.141228: | found policy = PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (eastnet-any) Oct 31 15:24:55.141230: | find_next_host_connection returns "eastnet-any" Oct 31 15:24:55.141231: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:24:55.141232: | find_next_host_connection returns Oct 31 15:24:55.141234: | rw_instantiate Oct 31 15:24:55.141237: | Connection DB: adding connection "eastnet-any" $2 Oct 31 15:24:55.141242: | addref vip@NULL (in unshare_connection_end() at connections.c:676) Oct 31 15:24:55.141244: | addref vip@NULL (in unshare_connection_end() at connections.c:676) Oct 31 15:24:55.141246: | updating connection from left.host_addr Oct 31 15:24:55.141248: | right host_nexthop 192.1.2.45 Oct 31 15:24:55.141250: | left host_port 500 Oct 31 15:24:55.141251: | updating connection from right.host_addr Oct 31 15:24:55.141253: | right host_port 500 Oct 31 15:24:55.141256: | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp@(nil): none Oct 31 15:24:55.141259: | newref hp@0x56001d2827e8(0->1) (in connect_to_host_pair() at hostpair.c:290) Oct 31 15:24:55.141262: | rw_instantiate() instantiated "eastnet-any"[1] 192.1.2.45 for 192.1.2.45 Oct 31 15:24:55.141264: | found connection: "eastnet-any"[1] 192.1.2.45 with policy PSK+IKEV2_ALLOW Oct 31 15:24:55.141267: | find_host_pair: comparing 192.1.2.23:500 to 0.0.0.0:500 but ignoring ports Oct 31 15:24:55.141289: | newref alloc logger@0x56001d270a28(0->1) (in new_state() at state.c:576) Oct 31 15:24:55.141291: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:55.141293: | creating state object #1 at 0x56001d2829f8 Oct 31 15:24:55.141295: | State DB: adding IKEv2 state #1 in UNDEFINED Oct 31 15:24:55.141302: | pstats #1 ikev2.ike started Oct 31 15:24:55.141304: | parent state 
#1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Oct 31 15:24:55.141307: | #1.st_v2_transition NULL -> PARENT_R0->PARENT_R1 (in new_v2_ike_state() at state.c:620) Oct 31 15:24:55.141314: | Message ID: IKE #1 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744569.574107 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744569.574107 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:24:55.141318: | orienting eastnet-any Oct 31 15:24:55.141321: | eastnet-any doesn't match 127.0.0.1:4500 at all Oct 31 15:24:55.141324: | eastnet-any doesn't match 127.0.0.1:500 at all Oct 31 15:24:55.141326: | eastnet-any doesn't match 192.0.2.254:4500 at all Oct 31 15:24:55.141328: | eastnet-any doesn't match 192.0.2.254:500 at all Oct 31 15:24:55.141330: | eastnet-any doesn't match 192.1.2.23:4500 at all Oct 31 15:24:55.141332: | oriented eastnet-any's this Oct 31 15:24:55.141337: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1758) Oct 31 15:24:55.141341: | Message ID: IKE #1 responder starting message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744569.574107 ike.wip.initiator=-1 ike.wip.responder=-1->0 Oct 31 15:24:55.141343: | calling processor Respond to IKE_SA_INIT Oct 31 15:24:55.141347: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:24:55.141349: | constructing local IKE proposals for eastnet-any (IKE SA responder matching remote proposals) Oct 31 15:24:55.141356: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:24:55.141365: | ... 
ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141367: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:24:55.141371: | ... ikev2_proposal: 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141374: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:24:55.141377: | ... ikev2_proposal: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141380: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:24:55.141383: | ... 
ikev2_proposal: 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141386: "eastnet-any"[1] 192.1.2.45: local IKE proposals (IKE SA responder matching remote proposals): Oct 31 15:24:55.141390: "eastnet-any"[1] 192.1.2.45: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141394: "eastnet-any"[1] 192.1.2.45: 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141398: "eastnet-any"[1] 192.1.2.45: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141401: "eastnet-any"[1] 192.1.2.45: 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:24:55.141404: | comparing remote proposals against IKE responder 4 local proposals Oct 31 15:24:55.141410: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:55.141414: | local proposal 1 type PRF has 2 transforms Oct 31 15:24:55.141416: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:55.141421: | local proposal 1 type DH has 8 transforms Oct 31 15:24:55.141424: | local proposal 1 type ESN has 0 transforms Oct 31 15:24:55.141429: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Oct 31 15:24:55.141432: | local proposal 2 type ENCR has 1 transforms Oct 31 15:24:55.141435: | local proposal 2 type PRF has 2 transforms Oct 31 15:24:55.141438: | local proposal 2 type INTEG has 1 transforms Oct 31 15:24:55.141441: | local proposal 2 type DH has 8 transforms Oct 31 15:24:55.141443: | local proposal 2 type ESN has 0 transforms Oct 31 15:24:55.141447: | local proposal 2 transforms: required: 
ENCR+PRF+DH; optional: INTEG Oct 31 15:24:55.141450: | local proposal 3 type ENCR has 1 transforms Oct 31 15:24:55.141453: | local proposal 3 type PRF has 2 transforms Oct 31 15:24:55.141457: | local proposal 3 type INTEG has 2 transforms Oct 31 15:24:55.141459: | local proposal 3 type DH has 8 transforms Oct 31 15:24:55.141461: | local proposal 3 type ESN has 0 transforms Oct 31 15:24:55.141464: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:24:55.141466: | local proposal 4 type ENCR has 1 transforms Oct 31 15:24:55.141468: | local proposal 4 type PRF has 2 transforms Oct 31 15:24:55.141470: | local proposal 4 type INTEG has 2 transforms Oct 31 15:24:55.141473: | local proposal 4 type DH has 8 transforms Oct 31 15:24:55.141475: | local proposal 4 type ESN has 0 transforms Oct 31 15:24:55.141479: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:24:55.141482: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.141485: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.141488: | length: 100 (00 64) Oct 31 15:24:55.141491: | prop #: 1 (01) Oct 31 15:24:55.141493: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.141496: | spi size: 0 (00) Oct 31 15:24:55.141499: | # transforms: 11 (0b) Oct 31 15:24:55.141502: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:24:55.141505: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141508: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141511: | length: 12 (00 0c) Oct 31 15:24:55.141513: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.141516: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.141519: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.141521: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.141524: | length/value: 256 (01 00) Oct 31 15:24:55.141529: | remote proposal 1 
transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:55.141532: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141535: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141538: | length: 8 (00 08) Oct 31 15:24:55.141540: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141543: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:24:55.141546: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Oct 31 15:24:55.141549: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Oct 31 15:24:55.141553: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Oct 31 15:24:55.141556: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Oct 31 15:24:55.141558: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141561: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141564: | length: 8 (00 08) Oct 31 15:24:55.141566: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141569: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:55.141572: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141574: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141580: | length: 8 (00 08) Oct 31 15:24:55.141582: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141584: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.141587: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:24:55.141590: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Oct 31 15:24:55.141592: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Oct 31 15:24:55.141595: | remote proposal 1 transform 3 
(DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Oct 31 15:24:55.141597: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141599: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141602: | length: 8 (00 08) Oct 31 15:24:55.141604: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141606: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:55.141609: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141611: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141613: | length: 8 (00 08) Oct 31 15:24:55.141616: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141618: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:24:55.141621: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141623: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141626: | length: 8 (00 08) Oct 31 15:24:55.141628: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141631: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:24:55.141633: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141636: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141639: | length: 8 (00 08) Oct 31 15:24:55.141641: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141643: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:24:55.141646: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141648: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141651: | length: 8 (00 08) Oct 31 15:24:55.141653: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141656: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:24:55.141658: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141660: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141664: | length: 8 (00 08) Oct 31 15:24:55.141666: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 
15:24:55.141668: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:24:55.141671: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141674: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.141676: | length: 8 (00 08) Oct 31 15:24:55.141678: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141680: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:24:55.141684: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Oct 31 15:24:55.141689: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Oct 31 15:24:55.141691: | remote proposal 1 matches local proposal 1 Oct 31 15:24:55.141694: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.141696: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.141698: | length: 100 (00 64) Oct 31 15:24:55.141700: | prop #: 2 (02) Oct 31 15:24:55.141702: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.141705: | spi size: 0 (00) Oct 31 15:24:55.141707: | # transforms: 11 (0b) Oct 31 15:24:55.141710: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.141712: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141714: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141720: | length: 12 (00 0c) Oct 31 15:24:55.141722: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.141724: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.141726: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.141728: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.141730: | length/value: 128 (00 80) Oct 31 15:24:55.141733: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141735: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141738: | length: 8 (00 08) Oct 31 15:24:55.141740: | IKEv2 
transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141742: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:24:55.141745: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141747: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141750: | length: 8 (00 08) Oct 31 15:24:55.141752: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141754: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:55.141756: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141758: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141761: | length: 8 (00 08) Oct 31 15:24:55.141763: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141765: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.141768: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141770: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141772: | length: 8 (00 08) Oct 31 15:24:55.141774: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141776: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:55.141779: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141781: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141784: | length: 8 (00 08) Oct 31 15:24:55.141786: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141788: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:24:55.141791: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141794: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141797: | length: 8 (00 08) Oct 31 15:24:55.141799: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141801: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:24:55.141805: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141807: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141809: | length: 8 (00 08) Oct 31 15:24:55.141811: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141813: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:24:55.141815: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141816: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141818: | length: 8 (00 08) Oct 31 15:24:55.141819: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141821: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:24:55.141822: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141824: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141825: | length: 8 (00 08) Oct 31 15:24:55.141827: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141828: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:24:55.141830: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141831: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.141833: | length: 8 (00 08) Oct 31 15:24:55.141835: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141836: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:24:55.141839: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Oct 31 15:24:55.141840: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Oct 31 15:24:55.141842: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.141845: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.141847: | length: 116 (00 74) Oct 31 15:24:55.141848: | prop #: 3 (03) Oct 31 15:24:55.141850: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.141851: | spi size: 0 (00) Oct 31 15:24:55.141853: | # transforms: 13 (0d) Oct 31 15:24:55.141855: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.141857: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141858: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141860: | length: 12 (00 
0c) Oct 31 15:24:55.141861: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.141863: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.141864: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.141866: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.141868: | length/value: 256 (01 00) Oct 31 15:24:55.141870: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141871: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141873: | length: 8 (00 08) Oct 31 15:24:55.141874: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141876: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:24:55.141877: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141879: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141880: | length: 8 (00 08) Oct 31 15:24:55.141882: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.141883: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:55.141885: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141886: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141888: | length: 8 (00 08) Oct 31 15:24:55.141889: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.141891: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:55.141893: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141894: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141896: | length: 8 (00 08) Oct 31 15:24:55.141897: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.141899: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:55.141900: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141902: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141903: | length: 8 (00 08) Oct 31 15:24:55.141905: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141906: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 
15:24:55.141908: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141909: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141911: | length: 8 (00 08) Oct 31 15:24:55.141912: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141914: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:55.141915: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141917: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141918: | length: 8 (00 08) Oct 31 15:24:55.141920: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141921: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:24:55.141923: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141924: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141926: | length: 8 (00 08) Oct 31 15:24:55.141928: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141929: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:24:55.141931: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141932: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141934: | length: 8 (00 08) Oct 31 15:24:55.141935: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141936: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:24:55.141939: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141941: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141942: | length: 8 (00 08) Oct 31 15:24:55.141944: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141945: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:24:55.141947: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141948: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.141950: | length: 8 (00 08) Oct 31 15:24:55.141952: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141953: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 
15:24:55.141955: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141956: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.141958: | length: 8 (00 08) Oct 31 15:24:55.141961: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.141963: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:24:55.141966: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:24:55.141969: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:24:55.141972: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.141975: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.141978: | length: 116 (00 74) Oct 31 15:24:55.141981: | prop #: 4 (04) Oct 31 15:24:55.141983: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.141986: | spi size: 0 (00) Oct 31 15:24:55.141989: | # transforms: 13 (0d) Oct 31 15:24:55.141992: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.141995: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.141997: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142000: | length: 12 (00 0c) Oct 31 15:24:55.142003: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.142005: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.142007: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.142010: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.142013: | length/value: 128 (00 80) Oct 31 15:24:55.142016: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142019: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142022: | length: 8 (00 08) Oct 31 15:24:55.142025: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.142027: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:24:55.142030: | *****parse IKEv2 Transform Substructure Payload: Oct 31 
15:24:55.142033: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142036: | length: 8 (00 08) Oct 31 15:24:55.142038: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.142041: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:24:55.142043: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142046: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142049: | length: 8 (00 08) Oct 31 15:24:55.142051: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.142054: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:55.142063: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142065: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142068: | length: 8 (00 08) Oct 31 15:24:55.142070: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.142073: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:55.142076: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142078: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142081: | length: 8 (00 08) Oct 31 15:24:55.142083: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142085: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.142088: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142091: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142093: | length: 8 (00 08) Oct 31 15:24:55.142094: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142096: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:24:55.142098: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142099: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142101: | length: 8 (00 08) Oct 31 15:24:55.142102: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142104: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:24:55.142105: | *****parse IKEv2 Transform Substructure Payload: Oct 31 
15:24:55.142107: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142108: | length: 8 (00 08) Oct 31 15:24:55.142110: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142111: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:24:55.142113: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142114: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142116: | length: 8 (00 08) Oct 31 15:24:55.142117: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142119: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:24:55.142120: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142122: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142124: | length: 8 (00 08) Oct 31 15:24:55.142125: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142126: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:24:55.142128: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142129: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.142131: | length: 8 (00 08) Oct 31 15:24:55.142133: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142135: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:24:55.142138: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.142140: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.142143: | length: 8 (00 08) Oct 31 15:24:55.142145: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.142148: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:24:55.142152: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:24:55.142156: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:24:55.142165: "eastnet-any"[1] 192.1.2.45 #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Oct 31 15:24:55.142171: | accepted IKE proposal ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 Oct 31 15:24:55.142174: | converting proposal to internal trans attrs Oct 31 15:24:55.142180: | nat: IKE.SPIr is zero Oct 31 15:24:55.142208: | natd_hash: hasher=0x56001cac3f80(20) Oct 31 15:24:55.142215: | natd_hash: icookie= Oct 31 15:24:55.142218: | 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.142220: | natd_hash: rcookie= Oct 31 15:24:55.142221: | 00 00 00 00 00 00 00 00 Oct 31 15:24:55.142223: | natd_hash: ip= Oct 31 15:24:55.142225: | c0 01 02 17 Oct 31 15:24:55.142228: | natd_hash: port= Oct 31 15:24:55.142230: | 01 f4 Oct 31 15:24:55.142235: | natd_hash: hash= Oct 31 15:24:55.142239: | 58 15 51 3c 60 0d 89 77 ca cd 16 09 a1 3a a2 ba Oct 31 15:24:55.142241: | 81 b1 20 be Oct 31 15:24:55.142243: | nat: IKE.SPIr is zero Oct 31 15:24:55.142252: | natd_hash: hasher=0x56001cac3f80(20) Oct 31 15:24:55.142255: | natd_hash: icookie= Oct 31 15:24:55.142257: | 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.142259: | natd_hash: rcookie= Oct 31 15:24:55.142261: | 00 00 00 00 00 00 00 00 Oct 31 15:24:55.142262: | natd_hash: ip= Oct 31 15:24:55.142263: | c0 01 02 2d Oct 31 15:24:55.142265: | natd_hash: port= Oct 31 15:24:55.142266: | 01 f4 Oct 31 15:24:55.142267: 
| natd_hash: hash= Oct 31 15:24:55.142269: | 17 40 ae 5c 51 8b 1d ab d8 e5 9b a8 4d 93 26 2b Oct 31 15:24:55.142270: | 6c ca ae eb Oct 31 15:24:55.142272: | NAT_TRAVERSAL encaps using auto-detect Oct 31 15:24:55.142273: | NAT_TRAVERSAL this end is NOT behind NAT Oct 31 15:24:55.142275: | NAT_TRAVERSAL that end is NOT behind NAT Oct 31 15:24:55.142277: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.45 Oct 31 15:24:55.142281: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:55.142283: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:55.142285: | newref clone logger@0x56001d270d38(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:55.142287: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): adding job to queue Oct 31 15:24:55.142289: | state #1 has no .st_event to delete Oct 31 15:24:55.142291: | #1 STATE_PARENT_R0: retransmits: cleared Oct 31 15:24:55.142293: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x56001d285ec8 Oct 31 15:24:55.142295: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:24:55.142297: | libevent_malloc: newref ptr-libevent@0x56001d2851d8 size 128 Oct 31 15:24:55.142310: | #1 spent 0.95 (0.962) milliseconds in processing: Respond to IKE_SA_INIT in v2_dispatch() Oct 31 15:24:55.142315: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.142318: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Oct 31 15:24:55.142320: | suspending state #1 and saving MD 0x56001d280848 Oct 31 15:24:55.142322: | addref md@0x56001d280848(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:55.142320: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper 1 starting job Oct 31 15:24:55.142324: | #1 is busy; has suspended MD 0x56001d280848 Oct 31 15:24:55.142342: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 
192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1760) Oct 31 15:24:55.142347: | #1 spent 1.48 (1.5) milliseconds in ikev2_process_packet() Oct 31 15:24:55.142349: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.142350: | delref mdp@0x56001d280848(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.142353: | spent 1.49 (1.51) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.143820: | "eastnet-any"[1] 192.1.2.45 #1: spent 1.47 (1.5) milliseconds in helper 1 processing job 1 for state #1: ikev2_inI1outR1 KE (pcr) Oct 31 15:24:55.143830: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper thread 1 sending result back to state Oct 31 15:24:55.143833: | scheduling resume sending helper answer back to state for #1 Oct 31 15:24:55.143836: | libevent_malloc: newref ptr-libevent@0x7f4264006108 size 128 Oct 31 15:24:55.143843: | helper thread 1 has nothing to do Oct 31 15:24:55.143856: | processing resume sending helper answer back to state for #1 Oct 31 15:24:55.143870: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:641) Oct 31 15:24:55.143876: | unsuspending #1 MD 0x56001d280848 Oct 31 15:24:55.143880: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): processing response from helper 1 Oct 31 15:24:55.143882: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): calling continuation function 0x56001c9d1fe7 Oct 31 15:24:55.143886: | ikev2_parent_inI1outR1_continue() for #1 STATE_PARENT_R0: calculated ke+nonce, sending R1 Oct 31 15:24:55.143913: | opening output PBS reply packet Oct 31 15:24:55.143916: | **emit ISAKMP Message: Oct 31 15:24:55.143919: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.143921: | responder SPI: 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:55.143923: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.143925: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 
31 15:24:55.143927: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:24:55.143929: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:55.143931: | Message ID: 0 (00 00 00 00) Oct 31 15:24:55.143933: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.143935: | emitting ikev2_proposal ... Oct 31 15:24:55.143937: | ***emit IKEv2 Security Association Payload: Oct 31 15:24:55.143939: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.143940: | flags: none (0x0) Oct 31 15:24:55.143942: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:55.143944: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.143947: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.143953: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.143955: | prop #: 1 (01) Oct 31 15:24:55.143957: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:55.143958: | spi size: 0 (00) Oct 31 15:24:55.143960: | # transforms: 3 (03) Oct 31 15:24:55.143962: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:55.143964: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.143965: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.143967: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.143968: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.143970: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.143972: | ******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.143974: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.143975: | length/value: 256 (01 00) Oct 31 15:24:55.143977: | emitting length of IKEv2 
Transform Substructure Payload: 12 Oct 31 15:24:55.143979: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.143980: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.143982: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:24:55.143983: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:24:55.143985: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.143987: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.143988: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.143990: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.143991: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.143993: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:24:55.143994: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.143996: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.143997: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.143999: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.144001: | emitting length of IKEv2 Proposal Substructure Payload: 36 Oct 31 15:24:55.144003: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:55.144004: | emitting length of IKEv2 Security Association Payload: 40 Oct 31 15:24:55.144006: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 
15:24:55.144009: | DH secret MODP2048@0x7f4264006ba8: transferring ownership from helper KE to state #1 Oct 31 15:24:55.144011: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:24:55.144012: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.144014: | flags: none (0x0) Oct 31 15:24:55.144015: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:24:55.144017: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:24:55.144018: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.144021: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:24:55.144022: | ikev2 g^x: Oct 31 15:24:55.144045: |
emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:24:55.144047: | ***emit IKEv2 Nonce Payload: Oct 31 15:24:55.144048: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.144050: | flags: none (0x0) Oct 31 15:24:55.144052: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:24:55.144053: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.144055: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:24:55.144056: | IKEv2 nonce: Oct 31 15:24:55.144058: | aa f4 9c f6 53 1a 68 0e 1d 71 c3 d8 37 52 a8 30 Oct 31 15:24:55.144059: | 83 b1 d5 7b bb 2e bf 63 c9 b1 f7 3d 2b 1e 2d 95 Oct 31 15:24:55.144061: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:24:55.144062: | adding a v2N Payload Oct 31 15:24:55.144064: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.144065: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.144067: | flags: none (0x0) Oct 31 15:24:55.144068: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.144070: | SPI size: 0 (00) Oct 31 15:24:55.144072: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:24:55.144073: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.144075: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.144077: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:24:55.144079: | NAT-Traversal support [enabled] add v2N payloads. 
Oct 31 15:24:55.144088: | natd_hash: hasher=0x56001cac3f80(20) Oct 31 15:24:55.144090: | natd_hash: icookie= Oct 31 15:24:55.144092: | 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.144093: | natd_hash: rcookie= Oct 31 15:24:55.144094: | 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:55.144096: | natd_hash: ip= Oct 31 15:24:55.144097: | c0 01 02 17 Oct 31 15:24:55.144098: | natd_hash: port= Oct 31 15:24:55.144100: | 01 f4 Oct 31 15:24:55.144101: | natd_hash: hash= Oct 31 15:24:55.144103: | 73 f6 0c bb ec 78 f8 ee 7a 28 9a 90 05 54 67 03 Oct 31 15:24:55.144104: | 9a 5a 9b 23 Oct 31 15:24:55.144105: | adding a v2N Payload Oct 31 15:24:55.144107: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.144108: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.144110: | flags: none (0x0) Oct 31 15:24:55.144111: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.144113: | SPI size: 0 (00) Oct 31 15:24:55.144114: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:24:55.144116: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.144118: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.144119: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:55.144121: | Notify data: Oct 31 15:24:55.144122: | 73 f6 0c bb ec 78 f8 ee 7a 28 9a 90 05 54 67 03 Oct 31 15:24:55.144124: | 9a 5a 9b 23 Oct 31 15:24:55.144125: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:55.144130: | natd_hash: hasher=0x56001cac3f80(20) Oct 31 15:24:55.144132: | natd_hash: icookie= Oct 31 15:24:55.144134: | 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.144135: | natd_hash: rcookie= Oct 31 15:24:55.144136: | 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:55.144137: | natd_hash: ip= Oct 31 15:24:55.144139: | c0 01 02 2d Oct 31 15:24:55.144140: | natd_hash: port= Oct 31 15:24:55.144141: | 01 f4 Oct 31 15:24:55.144143: 
| natd_hash: hash= Oct 31 15:24:55.144144: | 76 3c 7c 13 e9 ec 97 14 e8 94 f1 cb 5b 44 4c 85 Oct 31 15:24:55.144145: | 16 ee f7 99 Oct 31 15:24:55.144147: | adding a v2N Payload Oct 31 15:24:55.144148: | ***emit IKEv2 Notify Payload: Oct 31 15:24:55.144150: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.144151: | flags: none (0x0) Oct 31 15:24:55.144153: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:24:55.144154: | SPI size: 0 (00) Oct 31 15:24:55.144156: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:24:55.144157: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:24:55.144159: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.144160: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:24:55.144162: | Notify data: Oct 31 15:24:55.144163: | 76 3c 7c 13 e9 ec 97 14 e8 94 f1 cb 5b 44 4c 85 Oct 31 15:24:55.144165: | 16 ee f7 99 Oct 31 15:24:55.144166: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:24:55.144167: | emitting length of ISAKMP Message: 432 Oct 31 15:24:55.144173: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.144175: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Oct 31 15:24:55.144177: | transitioning from state STATE_PARENT_R0 to state STATE_PARENT_R1 Oct 31 15:24:55.144179: | Message ID: updating counters for #1 Oct 31 15:24:55.144188: | Message ID: IKE #1 updating responder received message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=-1 ike.responder.recv=-1->0 ike.responder.last_contact=744569.574107->744569.57698 ike.wip.initiator=-1 ike.wip.responder=0->-1 Oct 31 15:24:55.144193: | Message ID: IKE #1 
updating responder sent message response 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=-1->0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.144197: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.144216: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Oct 31 15:24:55.144218: | announcing the state transition Oct 31 15:24:55.144223: "eastnet-any"[1] 192.1.2.45 #1: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Oct 31 15:24:55.144231: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 using UDP (for #1)
Oct 31 15:24:55.144304: | sent 1 messages Oct 31 15:24:55.144307: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:55.144310: | libevent_free: delref ptr-libevent@0x56001d2851d8 Oct 31 15:24:55.144312: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x56001d285ec8 Oct 31 15:24:55.144315: | event_schedule: newref EVENT_SO_DISCARD-pe@0x56001d2851d8 Oct 31 15:24:55.144317: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Oct 31 15:24:55.144318: | libevent_malloc: newref ptr-libevent@0x56001d2863a8 size 128 Oct 31 15:24:55.144322: | delref logger@0x56001d270d38(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:55.144324: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.144326: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.144328: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:24:55.144331: | delref mdp@0x56001d280848(1->0) (in resume_handler()
at server.c:743) Oct 31 15:24:55.144332: | delref logger@0x56001d27d5c8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:55.144334: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.144335: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.144340: | #1 spent 0.429 (0.463) milliseconds in resume sending helper answer back to state Oct 31 15:24:55.144344: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:745) Oct 31 15:24:55.144346: | libevent_free: delref ptr-libevent@0x7f4264006108 Oct 31 15:24:55.146889: | spent 0.00261 (0.00255) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:24:55.146915: | newref struct msg_digest@0x56001d280848(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.146922: | newref alloc logger@0x56001d27d5c8(0->1) (in read_message() at demux.c:103) Oct 31 15:24:55.146935: | *received 365 bytes from 192.1.2.45:500 on eth1 192.1.2.23:500 using UDP Oct 31 15:24:55.146999: | **parse ISAKMP Message: Oct 31 15:24:55.147004: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.147009: | responder SPI: 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:55.147012: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:24:55.147015: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.147017: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:55.147020: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:24:55.147024: | Message ID: 1 (00 00 00 01) Oct 31 15:24:55.147028: | length: 365 (00 00 01 6d) Oct 31 15:24:55.147031: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Oct 31 15:24:55.147034: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Oct 31 15:24:55.147039: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Oct 31 15:24:55.147048: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:24:55.147055: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Oct 31 15:24:55.147059: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:24:55.147061: | #1 is idle Oct 31 15:24:55.147070: | Message ID: IKE #1 not a duplicate -
message request 1 is new: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.147077: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:24:55.147080: | unpacking clear payload Oct 31 15:24:55.147082: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:24:55.147086: | ***parse IKEv2 Encryption Payload: Oct 31 15:24:55.147089: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Oct 31 15:24:55.147092: | flags: none (0x0) Oct 31 15:24:55.147096: | length: 337 (01 51) Oct 31 15:24:55.147098: | processing payload: ISAKMP_NEXT_v2SK (len=333) Oct 31 15:24:55.147101: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:24:55.147105: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:24:55.147108: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:24:55.147112: | ikev2 parent ikev2_ike_sa_process_auth_request_no_skeyid(): calculating g^{xy} in order to decrypt I2 Oct 31 15:24:55.147117: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Oct 31 15:24:55.147121: | DH secret MODP2048@0x7f4264006ba8: transferring ownership from state #1 to helper IKEv2 DH Oct 31 15:24:55.147128: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:24:55.147131: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:24:55.147134: | newref clone logger@0x56001d270d38(0->1) (in clone_logger() at log.c:817) Oct 31 15:24:55.147137: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): adding job to queue Oct 31 15:24:55.147139: | state #1 deleting .st_event EVENT_SO_DISCARD Oct 31 15:24:55.147143: | libevent_free: delref ptr-libevent@0x56001d2863a8 Oct 31 15:24:55.147146: | free_event_entry: delref 
EVENT_SO_DISCARD-pe@0x56001d2851d8 Oct 31 15:24:55.147150: | #1 STATE_PARENT_R1: retransmits: cleared Oct 31 15:24:55.147153: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x56001d2863a8 Oct 31 15:24:55.147155: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:24:55.147158: | libevent_malloc: newref ptr-libevent@0x7f4264006108 size 128 Oct 31 15:24:55.147171: | #1 spent 0.0571 (0.057) milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in v2_dispatch() Oct 31 15:24:55.147178: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.147179: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper 2 starting job Oct 31 15:24:55.147182: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND; .st_v2_transition=PARENT_R0->PARENT_R1 Oct 31 15:24:55.147192: | suspending state #1 and saving MD 0x56001d280848 Oct 31 15:24:55.147196: | addref md@0x56001d280848(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:24:55.147211: | #1 is busy; has suspended MD 0x56001d280848 Oct 31 15:24:55.147220: | stop processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:24:55.147230: | #1 spent 0.328 (0.349) milliseconds in ikev2_process_packet() Oct 31 15:24:55.147233: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:24:55.147236: | delref mdp@0x56001d280848(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:24:55.147240: | spent 0.339 (0.36) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:24:55.147715: | calculating skeyseed using prf=HMAC_SHA2_512 integ=NONE cipherkey-size=32 salt-size=4 Oct 31 15:24:55.147822: | "eastnet-any"[1] 192.1.2.45 #1: spent 0.64 (0.643) milliseconds in helper 2 processing job 2 for state #1: ikev2_inI2outR2 KE (pcr) Oct 31 
15:24:55.147825: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper thread 2 sending result back to state Oct 31 15:24:55.147828: | scheduling resume sending helper answer back to state for #1 Oct 31 15:24:55.147830: | libevent_malloc: newref ptr-libevent@0x7f425c00b578 size 128 Oct 31 15:24:55.147837: | helper thread 2 has nothing to do Oct 31 15:24:55.147847: | processing resume sending helper answer back to state for #1 Oct 31 15:24:55.147857: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:641) Oct 31 15:24:55.147861: | unsuspending #1 MD 0x56001d280848 Oct 31 15:24:55.147868: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): processing response from helper 2 Oct 31 15:24:55.147870: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): calling continuation function 0x56001c9d1fe7 Oct 31 15:24:55.147872: | ikev2_ike_sa_process_auth_request_no_skeyid_continue() for #1 STATE_PARENT_R1: calculating g^{xy}, sending R2 Oct 31 15:24:55.147874: | DH secret MODP2048@0x7f4264006ba8: transferring ownership from helper IKEv2 DH to state #1 Oct 31 15:24:55.147876: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:24:55.147887: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Oct 31 15:24:55.147889: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Oct 31 15:24:55.147891: | **parse IKEv2 Identification - Initiator - Payload: Oct 31 15:24:55.147893: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Oct 31 15:24:55.147895: | flags: none (0x0) Oct 31 15:24:55.147898: | length: 12 (00 0c) Oct 31 15:24:55.147899: | ID type: ID_IPV4_ADDR (0x1) Oct 31 15:24:55.147901: | reserved: 00 00 00 Oct 31 15:24:55.147903: | processing payload: ISAKMP_NEXT_v2IDi (len=4) Oct 31 15:24:55.147904: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Oct 31 15:24:55.147906: | **parse IKEv2 Identification - Responder - Payload: Oct 31 15:24:55.147907: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Oct 31 
15:24:55.147909: | flags: none (0x0) Oct 31 15:24:55.147911: | length: 12 (00 0c) Oct 31 15:24:55.147912: | ID type: ID_FQDN (0x2) Oct 31 15:24:55.147914: | reserved: 00 00 00 Oct 31 15:24:55.147915: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Oct 31 15:24:55.147921: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Oct 31 15:24:55.147922: | **parse IKEv2 Authentication Payload: Oct 31 15:24:55.147924: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:24:55.147925: | flags: none (0x0) Oct 31 15:24:55.147927: | length: 72 (00 48) Oct 31 15:24:55.147929: | auth method: IKEv2_AUTH_SHARED (0x2) Oct 31 15:24:55.147930: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Oct 31 15:24:55.147931: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:24:55.147933: | **parse IKEv2 Security Association Payload: Oct 31 15:24:55.147934: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:24:55.147936: | flags: none (0x0) Oct 31 15:24:55.147938: | length: 164 (00 a4) Oct 31 15:24:55.147939: | processing payload: ISAKMP_NEXT_v2SA (len=160) Oct 31 15:24:55.147941: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:24:55.147942: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:55.147944: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:24:55.147945: | flags: none (0x0) Oct 31 15:24:55.147947: | length: 24 (00 18) Oct 31 15:24:55.147948: | number of TS: 1 (01) Oct 31 15:24:55.147950: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:24:55.147951: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:24:55.147953: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:55.147954: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.147956: | flags: none (0x0) Oct 31 15:24:55.147957: | length: 24 (00 18) Oct 31 15:24:55.147959: | number of TS: 1 (01) Oct 31 15:24:55.147963: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:24:55.147964: | selected state microcode Responder: 
process IKE_AUTH request Oct 31 15:24:55.147969: | Message ID: IKE #1 responder starting message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 ike.wip.initiator=-1 ike.wip.responder=-1->1 Oct 31 15:24:55.147971: | calling processor Responder: process IKE_AUTH request Oct 31 15:24:55.147977: "eastnet-any"[1] 192.1.2.45 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Oct 31 15:24:55.147978: | no certs to decode Oct 31 15:24:55.147982: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:24:55.147985: | parsing 4 raw bytes of IKEv2 Identification - Initiator - Payload into peer ID Oct 31 15:24:55.147986: | peer ID Oct 31 15:24:55.147988: | c0 01 02 2d Oct 31 15:24:55.147989: | received IDr payload - extracting our alleged ID Oct 31 15:24:55.147993: | refine_host_connection for IKEv2: starting with "eastnet-any"[1] 192.1.2.45 Oct 31 15:24:55.147996: | match_id a=192.1.2.45 Oct 31 15:24:55.147998: | b=192.1.2.45 Oct 31 15:24:55.147999: | results matched Oct 31 15:24:55.148003: | refine_host_connection: checking "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Oct 31 15:24:55.148004: | warning: not switching back to template of current instance Oct 31 15:24:55.148006: | peer expects us to be @east (ID_FQDN) according to its IDr payload Oct 31 15:24:55.148008: | this connection's local id is @east (ID_FQDN) Oct 31 15:24:55.148011: | refine_host_connection: checked "eastnet-any"[1] 192.1.2.45 against "eastnet-any"[1] 192.1.2.45, now for see if best Oct 31 15:24:55.148014: | lsw_get_secret() using IDs for @east->192.1.2.45 of kind PKK_PSK Oct 31 15:24:55.148016: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:24:55.148019: | 1: compared key (none) to @east / 
192.1.2.45 -> 002 Oct 31 15:24:55.148021: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Oct 31 15:24:55.148023: | line 1: match=002 Oct 31 15:24:55.148024: | match 002 beats previous best_match 000 match=0x56001d27ff68 (line=1) Oct 31 15:24:55.148026: | concluding with best_match=002 best=0x56001d27ff68 (lineno=1) Oct 31 15:24:55.148027: | returning because exact peer id match Oct 31 15:24:55.148029: | offered CA: '%none' Oct 31 15:24:55.148032: "eastnet-any"[1] 192.1.2.45 #1: IKEv2 mode peer ID is ID_IPV4_ADDR: '192.1.2.45' Oct 31 15:24:55.148051: | verifying AUTH payload Oct 31 15:24:55.148054: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Oct 31 15:24:55.148060: | lsw_get_secret() using IDs for @east->192.1.2.45 of kind PKK_PSK Oct 31 15:24:55.148062: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:24:55.148065: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Oct 31 15:24:55.148067: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Oct 31 15:24:55.148068: | line 1: match=002 Oct 31 15:24:55.148070: | match 002 beats previous best_match 000 match=0x56001d27ff68 (line=1) Oct 31 15:24:55.148071: | concluding with best_match=002 best=0x56001d27ff68 (lineno=1) Oct 31 15:24:55.148106: "eastnet-any"[1] 192.1.2.45 #1: authenticated using authby=secret Oct 31 15:24:55.148118: | parent state #1: PARENT_R1(half-open IKE SA) => ESTABLISHED_IKE_SA(established IKE SA) Oct 31 15:24:55.148121: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:24:55.148123: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:24:55.148125: | libevent_free: delref ptr-libevent@0x7f4264006108 Oct 31 15:24:55.148126: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x56001d2863a8 Oct 31 15:24:55.148128: | event_schedule: newref EVENT_SA_REKEY-pe@0x56001d286898 Oct 31 15:24:55.148130: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Oct 31 
15:24:55.148133: | libevent_malloc: newref ptr-libevent@0x56001d2866a8 size 128 Oct 31 15:24:55.148220: | pstats #1 ikev2.ike established Oct 31 15:24:55.148232: | opening output PBS reply packet Oct 31 15:24:55.148237: | **emit ISAKMP Message: Oct 31 15:24:55.148242: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:55.148245: | responder SPI: 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:55.148248: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:55.148250: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:55.148253: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:24:55.148255: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:24:55.148258: | Message ID: 1 (00 00 00 01) Oct 31 15:24:55.148262: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:55.148265: | IKEv2 CERT: send a certificate? Oct 31 15:24:55.148268: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Oct 31 15:24:55.148270: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:55.148272: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.148274: | flags: none (0x0) Oct 31 15:24:55.148277: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:55.148280: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.148284: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:55.148293: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:24:55.148296: | ****emit IKEv2 Identification - Responder - Payload: Oct 31 15:24:55.148299: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.148301: | flags: none (0x0) Oct 31 15:24:55.148303: | ID type: ID_FQDN (0x2) Oct 31 15:24:55.148306: | reserved: 00 00 00 Oct 31 15:24:55.148309: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' 
to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Oct 31 15:24:55.148311: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.148314: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Oct 31 15:24:55.148317: | my identity: 65 61 73 74 Oct 31 15:24:55.148319: | emitting length of IKEv2 Identification - Responder - Payload: 12 Oct 31 15:24:55.148322: | added IDr payload to packet Oct 31 15:24:55.148324: | CHILD SA proposals received Oct 31 15:24:55.148326: | going to assemble AUTH payload Oct 31 15:24:55.148329: | ****emit IKEv2 Authentication Payload: Oct 31 15:24:55.148331: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.148333: | flags: none (0x0) Oct 31 15:24:55.148335: | auth method: IKEv2_AUTH_SHARED (0x2) Oct 31 15:24:55.148337: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Oct 31 15:24:55.148339: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.148342: | ikev2_calculate_psk_sighash() called from STATE_V2_ESTABLISHED_IKE_SA to create PSK with authby=secret Oct 31 15:24:55.148347: | lsw_get_secret() using IDs for @east->192.1.2.45 of kind PKK_PSK Oct 31 15:24:55.148350: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:24:55.148353: | 1: compared key (none) to @east / 192.1.2.45 -> 002 Oct 31 15:24:55.148357: | 2: compared key (none) to @east / 192.1.2.45 -> 002 Oct 31 15:24:55.148358: | line 1: match=002 Oct 31 15:24:55.148360: | match 002 beats previous best_match 000 match=0x56001d27ff68 (line=1) Oct 31 15:24:55.148362: | concluding with best_match=002 best=0x56001d27ff68 (lineno=1) Oct 31 15:24:55.148400: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Oct 31 
15:24:55.148405: | PSK auth: Oct 31 15:24:55.148407: | fb 24 47 55 aa 93 98 9b 24 07 06 a5 5d 65 bc c0 Oct 31 15:24:55.148408: | 6e 9a 22 34 35 ce f0 c7 9e c0 4c 39 c5 53 04 47 Oct 31 15:24:55.148410: | d5 f7 3b 86 8f 7c c4 27 dd 39 08 d0 ae 65 b6 d1 Oct 31 15:24:55.148411: | f0 9d e0 fc 7c 2a 5a f2 c3 44 23 ad cf a9 b6 7e Oct 31 15:24:55.148413: | emitting length of IKEv2 Authentication Payload: 72 Oct 31 15:24:55.148418: | newref alloc logger@0x56001d2863a8(0->1) (in new_state() at state.c:576) Oct 31 15:24:55.148420: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:24:55.148421: | creating state object #2 at 0x56001d286c38 Oct 31 15:24:55.148423: | State DB: adding IKEv2 state #2 in UNDEFINED Oct 31 15:24:55.148428: | pstats #2 ikev2.child started Oct 31 15:24:55.148431: | duplicating state object #1 "eastnet-any"[1] 192.1.2.45 as #2 for IPSEC SA Oct 31 15:24:55.148434: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:24:55.148439: | Message ID: CHILD #1.#2 initializing (CHILD SA): ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:24:55.148442: | child state #2: UNDEFINED(ignore) => V2_IKE_AUTH_CHILD_R0(ignore) Oct 31 15:24:55.148444: | #2.st_v2_transition NULL -> NULL (in new_v2_child_state() at state.c:1666) Oct 31 15:24:55.148448: | Message ID: IKE #1 switching from IKE SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 ike.wip.initiator=-1 ike.wip.responder=1->-1 Oct 31 15:24:55.148452: | Message ID: CHILD #1.#2 switching to CHILD SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 
ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744569.57698 child.wip.initiator=-1 child.wip.responder=-1->1 Oct 31 15:24:55.148455: | switching IKEv2 MD.ST from IKE #1 ESTABLISHED_IKE_SA to CHILD #2 V2_IKE_AUTH_CHILD_R0 (in ike_auth_child_responder() at ikev2_parent.c:3282) Oct 31 15:24:55.148456: | Child SA TS Request has child->sa == md->st; so using child connection Oct 31 15:24:55.148458: | TSi: parsing 1 traffic selectors Oct 31 15:24:55.148460: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:55.148462: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:55.148464: | IP Protocol ID: ALL (0x0) Oct 31 15:24:55.148470: | length: 16 (00 10) Oct 31 15:24:55.148472: | start port: 0 (00 00) Oct 31 15:24:55.148474: | end port: 65535 (ff ff) Oct 31 15:24:55.148476: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:55.148477: | TS low Oct 31 15:24:55.148479: | c0 00 01 00 Oct 31 15:24:55.148480: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:55.148482: | TS high Oct 31 15:24:55.148483: | c0 00 01 ff Oct 31 15:24:55.148485: | TSi: parsed 1 traffic selectors Oct 31 15:24:55.148486: | TSr: parsing 1 traffic selectors Oct 31 15:24:55.148488: | ***parse IKEv2 Traffic Selector: Oct 31 15:24:55.148489: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:55.148491: | IP Protocol ID: ALL (0x0) Oct 31 15:24:55.148492: | length: 16 (00 10) Oct 31 15:24:55.148494: | start port: 0 (00 00) Oct 31 15:24:55.148496: | end port: 65535 (ff ff) Oct 31 15:24:55.148497: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:24:55.148499: | TS low Oct 31 15:24:55.148500: | c0 00 02 00 Oct 31 15:24:55.148501: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:24:55.148503: | TS high Oct 31 15:24:55.148504: | c0 00 02 ff Oct 31 15:24:55.148505: | TSr: parsed 1 traffic selectors Oct 31 15:24:55.148507: | looking for best SPD in current connection Oct 31 15:24:55.148512: | evaluating 
our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:24:55.148516: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:55.148521: | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Oct 31 15:24:55.148523: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:55.148525: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:55.148527: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:55.148528: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:55.148531: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:55.148535: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:24:55.148537: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:55.148538: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:55.148540: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:55.148541: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:55.148543: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:55.148544: | found better spd route for TSi[0],TSr[0] Oct 31 15:24:55.148546: | looking for better host pair Oct 31 15:24:55.148549: | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 but ignoring ports Oct 31 15:24:55.148552: | checking hostpair 192.0.2.0/24:0 -> 192.0.1.0/24:0 is found Oct 31 15:24:55.148554: | investigating connection "eastnet-any" as a better match Oct 31 15:24:55.148556: | match_id a=192.1.2.45 Oct 31 15:24:55.148558: | b=192.1.2.45 Oct 31 15:24:55.148559: | results matched Oct 31 15:24:55.148563: | evaluating our conn="eastnet-any"[1] 192.1.2.45 I=192.0.1.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:24:55.148566: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:55.148570: | match address end->client=192.0.1.0/24 == 
TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 Oct 31 15:24:55.148571: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:24:55.148573: | TSi[0] port match: YES fitness 65536 Oct 31 15:24:55.148574: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:24:55.148576: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:55.148578: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:24:55.148587: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:24:55.148589: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:24:55.148590: | TSr[0] port match: YES fitness 65536 Oct 31 15:24:55.148592: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:24:55.148593: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:24:55.148595: | best fit so far: TSi[0] TSr[0] Oct 31 15:24:55.148596: | did not find a better connection using host pair Oct 31 15:24:55.148598: | printing contents struct traffic_selector Oct 31 15:24:55.148599: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:55.148601: | ipprotoid: 0 Oct 31 15:24:55.148602: | port range: 0-65535 Oct 31 15:24:55.148604: | ip range: 192.0.2.0-192.0.2.255 Oct 31 15:24:55.148606: | printing contents struct traffic_selector Oct 31 15:24:55.148607: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:24:55.148608: | ipprotoid: 0 Oct 31 15:24:55.148610: | port range: 0-65535 Oct 31 15:24:55.148612: | ip range: 192.0.1.0-192.0.1.255 Oct 31 15:24:55.148615: | constructing ESP/AH proposals with all DH removed for eastnet-any (IKE_AUTH responder matching remote ESP/AH proposals) Oct 31 15:24:55.148622: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Oct 31 15:24:55.148627: | ... ikev2_proposal: 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:24:55.148629: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Oct 31 15:24:55.148632: | ... 
ikev2_proposal: 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:24:55.148637: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:24:55.148640: | ... ikev2_proposal: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:24:55.148641: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:24:55.148644: | ... ikev2_proposal: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:24:55.148646: "eastnet-any"[1] 192.1.2.45: local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals): Oct 31 15:24:55.148650: "eastnet-any"[1] 192.1.2.45: 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:24:55.148653: "eastnet-any"[1] 192.1.2.45: 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:24:55.148656: "eastnet-any"[1] 192.1.2.45: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:24:55.148659: "eastnet-any"[1] 192.1.2.45: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:24:55.148661: | comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Oct 31 15:24:55.148663: | local proposal 1 type ENCR has 1 transforms Oct 31 15:24:55.148665: | local proposal 1 type PRF has 0 transforms Oct 31 15:24:55.148666: | local proposal 1 type INTEG has 1 transforms Oct 31 15:24:55.148668: | local proposal 1 type DH has 1 transforms Oct 31 15:24:55.148670: | local proposal 1 type ESN has 1 transforms Oct 31 15:24:55.148674: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:24:55.148675: | local proposal 2 type ENCR has 1 transforms Oct 31 15:24:55.148678: | local proposal 2 type PRF has 0 transforms Oct 31 15:24:55.148680: | local proposal 2 type INTEG has 1 transforms Oct 31 15:24:55.148682: | local proposal 2 type DH has 1 transforms Oct 31 15:24:55.148683: | local proposal 2 type ESN has 1 transforms Oct 31 15:24:55.148686: | 
local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:24:55.148688: | local proposal 3 type ENCR has 1 transforms Oct 31 15:24:55.148690: | local proposal 3 type PRF has 0 transforms Oct 31 15:24:55.148692: | local proposal 3 type INTEG has 2 transforms Oct 31 15:24:55.148694: | local proposal 3 type DH has 1 transforms Oct 31 15:24:55.148696: | local proposal 3 type ESN has 1 transforms Oct 31 15:24:55.148699: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:24:55.148701: | local proposal 4 type ENCR has 1 transforms Oct 31 15:24:55.148704: | local proposal 4 type PRF has 0 transforms Oct 31 15:24:55.148706: | local proposal 4 type INTEG has 2 transforms Oct 31 15:24:55.148708: | local proposal 4 type DH has 1 transforms Oct 31 15:24:55.148711: | local proposal 4 type ESN has 1 transforms Oct 31 15:24:55.148714: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:24:55.148717: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.148720: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.148723: | length: 32 (00 20) Oct 31 15:24:55.148726: | prop #: 1 (01) Oct 31 15:24:55.148728: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.148731: | spi size: 4 (04) Oct 31 15:24:55.148734: | # transforms: 2 (02) Oct 31 15:24:55.148737: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:55.148740: | remote SPI Oct 31 15:24:55.148742: | 0c 5d 3c 63 Oct 31 15:24:55.148745: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:24:55.148748: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148751: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.148754: | length: 12 (00 0c) Oct 31 15:24:55.148756: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.148759: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.148761: | *****parse IKEv2 
Attribute Substructure Payload: Oct 31 15:24:55.148764: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.148770: | length/value: 256 (01 00) Oct 31 15:24:55.148775: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:24:55.148778: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148781: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.148784: | length: 8 (00 08) Oct 31 15:24:55.148787: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.148789: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.148793: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:24:55.148796: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Oct 31 15:24:55.148799: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Oct 31 15:24:55.148802: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Oct 31 15:24:55.148806: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Oct 31 15:24:55.148811: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Oct 31 15:24:55.148814: | remote proposal 1 matches local proposal 1 Oct 31 15:24:55.148817: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.148820: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.148823: | length: 32 (00 20) Oct 31 15:24:55.148826: | prop #: 2 (02) Oct 31 15:24:55.148828: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.148831: | spi size: 4 (04) Oct 31 15:24:55.148834: | # transforms: 2 (02) Oct 31 15:24:55.148837: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:55.148839: | remote SPI Oct 31 15:24:55.148842: | 0c 5d 3c 63 Oct 31 15:24:55.148844: 
| Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.148847: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148850: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.148853: | length: 12 (00 0c) Oct 31 15:24:55.148855: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.148858: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.148860: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.148862: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.148865: | length/value: 128 (00 80) Oct 31 15:24:55.148867: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148869: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.148872: | length: 8 (00 08) Oct 31 15:24:55.148874: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.148876: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.148879: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Oct 31 15:24:55.148881: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Oct 31 15:24:55.148883: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.148886: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:24:55.148888: | length: 48 (00 30) Oct 31 15:24:55.148890: | prop #: 3 (03) Oct 31 15:24:55.148892: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.148894: | spi size: 4 (04) Oct 31 15:24:55.148897: | # transforms: 4 (04) Oct 31 15:24:55.148899: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:24:55.148901: | remote SPI Oct 31 15:24:55.148904: | 0c 5d 3c 63 Oct 31 15:24:55.148906: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.148909: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148911: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.148914: | 
length: 12 (00 0c) Oct 31 15:24:55.148916: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.148920: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.148923: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.148925: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.148927: | length/value: 256 (01 00) Oct 31 15:24:55.148932: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148937: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.148940: | length: 8 (00 08) Oct 31 15:24:55.148943: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.148945: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:55.148948: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148951: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.148954: | length: 8 (00 08) Oct 31 15:24:55.148956: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.148959: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:55.148962: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.148965: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.148968: | length: 8 (00 08) Oct 31 15:24:55.148971: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.148973: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.148978: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:24:55.148981: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:24:55.148984: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.148987: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.148989: | length: 48 (00 30) Oct 31 15:24:55.148991: | prop #: 4 (04) Oct 31 15:24:55.148993: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.148994: | spi size: 4 (04) Oct 31 15:24:55.148996: | # transforms: 4 (04) Oct 31 15:24:55.148998: | parsing 4 raw bytes of IKEv2 Proposal 
Substructure Payload into remote SPI Oct 31 15:24:55.148999: | remote SPI Oct 31 15:24:55.149001: | 0c 5d 3c 63 Oct 31 15:24:55.149002: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:24:55.149004: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149005: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.149007: | length: 12 (00 0c) Oct 31 15:24:55.149009: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.149010: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:24:55.149012: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.149013: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.149015: | length/value: 128 (00 80) Oct 31 15:24:55.149017: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149018: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.149020: | length: 8 (00 08) Oct 31 15:24:55.149021: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.149023: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:24:55.149024: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149026: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.149028: | length: 8 (00 08) Oct 31 15:24:55.149029: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:24:55.149030: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:24:55.149032: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149034: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.149035: | length: 8 (00 08) Oct 31 15:24:55.149037: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.149038: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.149041: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:24:55.149042: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:24:55.149047: 
"eastnet-any"[1] 192.1.2.45 #2: proposal 1:ESP=AES_GCM_C_256-DISABLED SPI=0c5d3c63 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Oct 31 15:24:55.149052: | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP=AES_GCM_C_256-DISABLED SPI=0c5d3c63 Oct 31 15:24:55.149054: | converting proposal to internal trans attrs Oct 31 15:24:55.149069: | netlink_get_spi: allocated 0x6f460d9e for esp.0@192.1.2.23 Oct 31 15:24:55.149071: | emitting ikev2_proposal ... Oct 31 15:24:55.149072: | ****emit IKEv2 Security Association Payload: Oct 31 15:24:55.149074: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.149076: | flags: none (0x0) Oct 31 15:24:55.149078: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:24:55.149079: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.149082: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:24:55.149084: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:24:55.149085: | prop #: 1 (01) Oct 31 15:24:55.149087: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:55.149088: | spi size: 4 (04) Oct 31 15:24:55.149090: | # transforms: 2 (02) Oct 31 15:24:55.149092: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:24:55.149094: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:24:55.149096: | our spi: 6f 46 0d 9e Oct 31 15:24:55.149098: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149099: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 
15:24:55.149101: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:24:55.149102: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:24:55.149104: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.149106: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:24:55.149107: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:24:55.149109: | length/value: 256 (01 00) Oct 31 15:24:55.149111: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:24:55.149113: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:24:55.149114: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:24:55.149115: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:24:55.149117: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:24:55.149119: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:24:55.149120: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:24:55.149123: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:24:55.149128: | emitting length of IKEv2 Proposal Substructure Payload: 32 Oct 31 15:24:55.149131: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:24:55.149134: | emitting length of IKEv2 Security Association Payload: 36 Oct 31 15:24:55.149136: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:24:55.149139: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:24:55.149142: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.149144: | flags: none (0x0) Oct 31 15:24:55.149148: | number of TS: 
1 (01) Oct 31 15:24:55.149150: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:24:55.149155: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.149158: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:55.149161: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:55.149164: | IP Protocol ID: ALL (0x0) Oct 31 15:24:55.149167: | start port: 0 (00 00) Oct 31 15:24:55.149170: | end port: 65535 (ff ff) Oct 31 15:24:55.149174: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:24:55.149178: | IP start: c0 00 01 00 Oct 31 15:24:55.149181: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:55.149183: | IP end: c0 00 01 ff Oct 31 15:24:55.149184: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:55.149186: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:24:55.149187: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:24:55.149189: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:55.149190: | flags: none (0x0) Oct 31 15:24:55.149192: | number of TS: 1 (01) Oct 31 15:24:55.149194: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:24:55.149195: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:24:55.149197: | *****emit IKEv2 Traffic Selector: Oct 31 15:24:55.149206: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:24:55.149210: | IP Protocol ID: ALL (0x0) Oct 31 15:24:55.149212: | start port: 0 (00 00) Oct 31 15:24:55.149213: | end port: 65535 (ff ff) Oct 31 15:24:55.149215: | emitting 4 raw bytes of IP start into 
IKEv2 Traffic Selector Oct 31 15:24:55.149217: | IP start: c0 00 02 00 Oct 31 15:24:55.149219: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:24:55.149221: | IP end: c0 00 02 ff Oct 31 15:24:55.149222: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:24:55.149224: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:24:55.149225: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:24:55.149227: | integ=NONE: .key_size=0 encrypt=AES_GCM_16: .key_size=32 .salt_size=4 keymat_len=36 Oct 31 15:24:55.149276: | FOR_EACH_CONNECTION_... in IKE_SA_established Oct 31 15:24:55.149279: | install_ipsec_sa() for #2: inbound and outbound Oct 31 15:24:55.149281: | could_route called for eastnet-any; kind=CK_INSTANCE that.has_client=yes oppo=no this.host_port=500 Oct 31 15:24:55.149283: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:24:55.149285: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:55.149287: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:55.149288: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:55.149290: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:55.149293: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Oct 31 15:24:55.149295: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:24:55.149298: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:24:55.149299: | AES_GCM_16 requires 4 salt bytes Oct 31 15:24:55.149301: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:24:55.149303: | setting IPsec SA replay-window to 32 Oct 31 15:24:55.149305: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Oct 31 15:24:55.149307: | netlink: enabling tunnel mode Oct 31 15:24:55.149309: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:24:55.149310: | netlink: setting IPsec SA 
replay-window to 32 using old-style req Oct 31 15:24:55.149312: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:55.149363: | netlink response for Add SA esp.c5d3c63@192.1.2.45 included non-error error Oct 31 15:24:55.149371: | setup_half_ipsec_sa() is installing inbound eroute? inbound=0 owner=#0 mode=1 Oct 31 15:24:55.149376: | set up outgoing SA, ref=0/0 Oct 31 15:24:55.149379: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:24:55.149382: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:24:55.149385: | AES_GCM_16 requires 4 salt bytes Oct 31 15:24:55.149387: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:24:55.149391: | setting IPsec SA replay-window to 32 Oct 31 15:24:55.149394: | NIC esp-hw-offload not for connection 'eastnet-any' not available on interface eth1 Oct 31 15:24:55.149396: | netlink: enabling tunnel mode Oct 31 15:24:55.149399: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:24:55.149401: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:24:55.149404: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:24:55.149437: | netlink response for Add SA esp.6f460d9e@192.1.2.23 included non-error error Oct 31 15:24:55.149443: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=1 owner=#0 mode=1 Oct 31 15:24:55.149446: | setup_half_ipsec_sa() is installing inbound eroute Oct 31 15:24:55.149448: | setup_half_ipsec_sa() before proto 50 Oct 31 15:24:55.149451: | setup_half_ipsec_sa() after proto 50 Oct 31 15:24:55.149453: | setup_half_ipsec_sa() calling raw_eroute backwards (i.e., inbound) Oct 31 15:24:55.149456: | priority calculation of connection "eastnet-any" is 2084815 (0x1fcfcf) Oct 31 15:24:55.149464: | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:24:55.149468: | IPsec SA SPD priority set to 2084815 Oct 31 15:24:55.149491: | raw_eroute result=success Oct 31 15:24:55.149495: | set up incoming SA, ref=0/0 Oct 31 15:24:55.149497: | sr for #2: unrouted Oct 31 15:24:55.149500: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:24:55.149503: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:24:55.149506: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:55.149509: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:55.149512: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:55.149515: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:55.149520: | route owner of "eastnet-any"[1] 192.1.2.45 unrouted: NULL; eroute owner: NULL Oct 31 15:24:55.149523: | route_and_eroute with c: eastnet-any (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Oct 31 15:24:55.149526: | priority calculation of connection "eastnet-any" is 2084815 (0x1fcfcf) Oct 31 15:24:55.149531: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:24:55.149533: | IPsec SA SPD priority set to 2084815 Oct 31 15:24:55.149545: | raw_eroute result=success Oct 31 15:24:55.149547: | running updown command "ipsec _updown" for verb up Oct 31 15:24:55.149549: | command executing up-client Oct 31 15:24:55.149553: | get_sa_info 
esp.c5d3c63@192.1.2.45 Oct 31 15:24:55.149562: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:55.149589: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_... 
Oct 31 15:24:55.149594: | popen cmd is 1111 chars long Oct 31 15:24:55.149596: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_: Oct 31 15:24:55.149597: | cmd( 80):VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP: Oct 31 15:24:55.149599: | cmd( 160):='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2: Oct 31 15:24:55.149600: | cmd( 240):.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUT: Oct 31 15:24:55.149601: | cmd( 320):O_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' P: Oct 31 15:24:55.149603: | cmd( 400):LUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/2: Oct 31 15:24:55.149604: | cmd( 480):4' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUT: Oct 31 15:24:55.149605: | cmd( 560):O_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUT: Oct 31 15:24:55.149607: | cmd( 640):O_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE: Oct 31 15:24:55.149608: | cmd( 720):_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' X: Oct 31 15:24:55.149609: | cmd( 800):AUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_I: Oct 31 15:24:55.149611: | cmd( 880):NFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_C: Oct 31 15:24:55.149612: | cmd( 960):ONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no': Oct 31 15:24:55.149614: | cmd(1040): VTI_SHARED='no' SPI_IN=0xc5d3c63 SPI_OUT=0x6f460d9e ipsec _updown 2>&1: Oct 31 15:24:55.158279: | route_and_eroute: firewall_notified: true Oct 31 15:24:55.158299: | running updown command "ipsec _updown" for verb prepare Oct 31 15:24:55.158304: | command executing prepare-client Oct 31 15:24:55.158310: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:55.158323: | 
get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:55.158346: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES=... 
Oct 31 15:24:55.158348: | popen cmd is 1116 chars long Oct 31 15:24:55.158350: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Oct 31 15:24:55.158352: | cmd( 80):LUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEX: Oct 31 15:24:55.158353: | cmd( 160):T_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='19: Oct 31 15:24:55.158355: | cmd( 240):2.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0': Oct 31 15:24:55.158356: | cmd( 320): PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='E: Oct 31 15:24:55.158357: | cmd( 400):SP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.: Oct 31 15:24:55.158359: | cmd( 480):1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0': Oct 31 15:24:55.158363: | cmd( 560): PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm': Oct 31 15:24:55.158364: | cmd( 640): PLUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLO: Oct 31 15:24:55.158366: | cmd( 720):W+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ip: Oct 31 15:24:55.158367: | cmd( 800):v4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOM: Oct 31 15:24:55.158368: | cmd( 880):AIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO: Oct 31 15:24:55.158370: | cmd( 960):_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING: Oct 31 15:24:55.158371: | cmd(1040):='no' VTI_SHARED='no' SPI_IN=0xc5d3c63 SPI_OUT=0x6f460d9e ipsec _updown 2>&1: Oct 31 15:24:55.166514: | running updown command "ipsec _updown" for verb route Oct 31 15:24:55.166529: | command executing route-client Oct 31 15:24:55.166535: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:55.166550: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:55.166575: | executing 
route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' ... 
Oct 31 15:24:55.166578: | popen cmd is 1114 chars long Oct 31 15:24:55.166580: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLU: Oct 31 15:24:55.166581: | cmd( 80):TO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_: Oct 31 15:24:55.166583: | cmd( 160):HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.: Oct 31 15:24:55.166585: | cmd( 240):0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' P: Oct 31 15:24:55.166586: | cmd( 320):LUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP: Oct 31 15:24:55.166588: | cmd( 400):' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.: Oct 31 15:24:55.166589: | cmd( 480):0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' P: Oct 31 15:24:55.166591: | cmd( 560):LUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' P: Oct 31 15:24:55.166592: | cmd( 640):LUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+: Oct 31 15:24:55.166594: | cmd( 720):IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4: Oct 31 15:24:55.166595: | cmd( 800):' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAI: Oct 31 15:24:55.166596: | cmd( 880):N_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_N: Oct 31 15:24:55.166598: | cmd( 960):M_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING=': Oct 31 15:24:55.166599: | cmd(1040):no' VTI_SHARED='no' SPI_IN=0xc5d3c63 SPI_OUT=0x6f460d9e ipsec _updown 2>&1: Oct 31 15:24:55.176192: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176212: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:55.176218: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176221: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176237: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176242: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176255: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176260: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176656: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176667: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176673: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176677: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176688: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176697: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176706: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176716: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176735: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:24:55.176745: "eastnet-any"[1] 192.1.2.45 #1: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:55.180242: | route_and_eroute: instance "eastnet-any"[1] 192.1.2.45, setting eroute_owner {spd=0x56001d2821c8,sr=0x56001d2821c8} to #2 (was #0) (newest_ipsec_sa=#0) Oct 31 15:24:55.180319: | ISAKMP_v2_IKE_AUTH: instance eastnet-any[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Oct 31 15:24:55.180326: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:24:55.180330: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:55.180333: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:55.180336: | emitting length of IKEv2 Encryption Payload: 197 Oct 31 15:24:55.180339: | emitting length of ISAKMP Message: 225 Oct 31 15:24:55.180359: | recording outgoing fragment failed Oct 31 15:24:55.180365: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Oct 31 15:24:55.180377: | #1 spent 2.32 (32.4) milliseconds in processing: Responder: process IKE_AUTH request in v2_dispatch() Oct 31 15:24:55.180379: | XXX: processor 'Responder: process IKE_AUTH request' for #1 switched state to #2 Oct 31 15:24:55.180387: | suspend processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.180393: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:24:55.180398: | #2 complete_v2_state_transition() in state V2_IKE_AUTH_CHILD_R0 PARENT_R1->ESTABLISHED_CHILD_SA with status STF_OK; .st_v2_transition=NULL Oct 31 15:24:55.180401: | transitioning from state STATE_PARENT_R1 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:55.180404: | Message ID: updating counters for #2 Oct 31 15:24:55.180414: | Message ID: CHILD #1.#2 updating responder received message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 
ike.responder.sent=0 ike.responder.recv=0->1 ike.responder.last_contact=744569.57698->744569.613203 child.wip.initiator=-1 child.wip.responder=1->-1 Oct 31 15:24:55.180421: | Message ID: CHILD #1.#2 updating responder sent message response 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=0->1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:24:55.180429: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:24:55.180433: | child state #2: V2_IKE_AUTH_CHILD_R0(ignore) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:24:55.180436: | pstats #2 ikev2.child established Oct 31 15:24:55.180439: | announcing the state transition Oct 31 15:24:55.180449: "eastnet-any"[1] 192.1.2.45 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] Oct 31 15:24:55.180455: | NAT-T: encaps is 'auto' Oct 31 15:24:55.180461: "eastnet-any"[1] 192.1.2.45 #2: IPsec SA established tunnel mode {ESP=>0x0c5d3c63 <0x6f460d9e xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Oct 31 15:24:55.180469: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.2.45:500 using UDP (for #1)
Oct 31 15:24:55.180533: | sent 1 messages Oct 31 15:24:55.180537: | releasing #2's fd-fd@(nil) because IKEv2 transitions finished Oct 31 15:24:55.180540: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:55.180542: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:24:55.180545: | unpending #2's IKE SA #1 Oct 31 15:24:55.180549: | unpending state #1 connection "eastnet-any"[1] 192.1.2.45 Oct 31 15:24:55.180552: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:24:55.180554: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:55.180556: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:24:55.180559: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:24:55.180562: | state #2 has no .st_event to delete Oct 31 15:24:55.180566: | event_schedule: newref EVENT_SA_REKEY-pe@0x56001d28a768 Oct 31 15:24:55.180569: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Oct 31 15:24:55.180572: | libevent_malloc: newref ptr-libevent@0x56001d286b88 size 128 Oct 31 15:24:55.180579: | delref logger@0x56001d270d38(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:24:55.180582: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.180584: | delref fd@NULL (in free_logger() at
log.c:854) Oct 31 15:24:55.180588: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition(); MD.ST was switched Oct 31 15:24:55.180592: | delref mdp@0x56001d280848(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:55.180597: | delref logger@0x56001d27d5c8(1->0) (in resume_handler() at server.c:743) Oct 31 15:24:55.180599: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:55.180601: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:55.180608: | #1 spent 2.65 (32.7) milliseconds in resume sending helper answer back to state Oct 31 15:24:55.180614: | stop processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in resume_handler() at server.c:745) Oct 31 15:24:55.180618: | libevent_free: delref ptr-libevent@0x7f425c00b578 Oct 31 15:24:55.180630: | processing signal PLUTO_SIGCHLD Oct 31 15:24:55.180634: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:55.180639: | spent 0.00423 (0.00413) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:55.180642: | processing signal PLUTO_SIGCHLD Oct 31 15:24:55.180645: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:55.180649: | spent 0.00335 (0.00335) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:55.180651: | processing signal PLUTO_SIGCHLD Oct 31 15:24:55.180654: | waitpid returned ECHILD (no child processes left) Oct 31 15:24:55.180658: | spent 0.00323 (0.00323) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:24:56.557529: | newref struct fd@0x56001d285248(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.557550: | fd_accept: new fd-fd@0x56001d285248 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.557573: | whack: traffic_status Oct 31 15:24:56.557580: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Oct 31 15:24:56.557586: | FOR_EACH_STATE_... 
in sort_states Oct 31 15:24:56.557677: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:56.557701: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:56.557724: | delref fd@0x56001d285248(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:56.557734: | freeref fd-fd@0x56001d285248 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:56.557744: | spent 0.171 (0.233) milliseconds in whack Oct 31 15:24:56.675369: | newref struct fd@0x56001d270d38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.675390: | fd_accept: new fd-fd@0x56001d270d38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:56.675413: | whack: status Oct 31 15:24:56.675905: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:24:56.675915: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:24:56.676093: | FOR_EACH_STATE_... in show_states (sort_states) Oct 31 15:24:56.676103: | FOR_EACH_STATE_... in sort_states Oct 31 15:24:56.676136: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:56.676166: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:56.676197: | delref fd@0x56001d270d38(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:56.676218: | freeref fd-fd@0x56001d270d38 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:24:56.676229: | spent 0.805 (0.879) milliseconds in whack Oct 31 15:24:57.726207: | newref struct fd@0x56001d270d38(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:57.726226: | fd_accept: new fd-fd@0x56001d270d38 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:24:57.726247: shutting down Oct 31 15:24:57.726257: | leaking fd-fd@0x56001d270d38's FD; will be closed when pluto exits (in whack_handle_cb() at rcv_whack.c:889) Oct 31 15:24:57.726262: | delref fd@0x56001d270d38(1->0) (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:24:57.726265: | freeref fd-fd@0x56001d270d38 (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:24:57.726283: | shutting down helper thread 3 Oct 31 15:24:57.726320: | helper 
thread 3 exited Oct 31 15:24:57.726339: | shutting down helper thread 4 Oct 31 15:24:57.726712: | helper thread 4 exited Oct 31 15:24:57.726729: | shutting down helper thread 5 Oct 31 15:24:57.726752: | helper thread 5 exited Oct 31 15:24:57.726766: | shutting down helper thread 6 Oct 31 15:24:57.726786: | helper thread 6 exited Oct 31 15:24:57.726799: | shutting down helper thread 7 Oct 31 15:24:57.726817: | helper thread 7 exited Oct 31 15:24:57.726832: | shutting down helper thread 1 Oct 31 15:24:57.726988: | helper thread 1 exited Oct 31 15:24:57.727054: | shutting down helper thread 2 Oct 31 15:24:57.727085: | helper thread 2 exited Oct 31 15:24:57.727090: 7 helper threads shutdown Oct 31 15:24:57.727094: | delref root_certs@NULL (in free_root_certs() at root_certs.c:127) Oct 31 15:24:57.727097: | certs and keys locked by 'free_preshared_secrets' Oct 31 15:24:57.727100: forgetting secrets Oct 31 15:24:57.727104: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:24:57.727112: "eastnet-any"[1] 192.1.2.45: deleting connection instance with peer 192.1.2.45 {isakmp=#1/ipsec=#2} Oct 31 15:24:57.727116: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:24:57.727119: | pass 0 Oct 31 15:24:57.727121: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Oct 31 15:24:57.727124: | state #2 Oct 31 15:24:57.727132: | start processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:24:57.727139: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:24:57.727142: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:24:57.727144: | pstats #2 ikev2.child deleted completed Oct 31 15:24:57.727150: | #2 main thread spent 0 (0) milliseconds helper thread spent 0 (0) milliseconds in total Oct 31 15:24:57.727158: | [RE]START processing: state #2 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:935) Oct 31 15:24:57.727162: | should_send_delete: yes Oct 31 15:24:57.727168: "eastnet-any"[1] 192.1.2.45 #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 2.578747s and sending notification Oct 31 15:24:57.727172: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:24:57.727177: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:57.727194: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:57.727209: "eastnet-any"[1] 192.1.2.45 #2: ESP traffic information: in=168B out=168B Oct 31 15:24:57.727217: | unsuspending #2 MD (nil) Oct 31 15:24:57.727220: | should_send_delete: yes Oct 31 15:24:57.727223: | #2 send IKEv2 delete notification for STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:24:57.727227: | opening output PBS informational exchange delete request Oct 31 15:24:57.727231: | **emit ISAKMP Message: Oct 31 15:24:57.727235: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:57.727239: | responder SPI: 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:57.727243: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:57.727245: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:57.727248: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 
15:24:57.727250: | flags: none (0x0) Oct 31 15:24:57.727254: | Message ID: 0 (00 00 00 00) Oct 31 15:24:57.727257: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:24:57.727261: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:57.727264: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:57.727267: | flags: none (0x0) Oct 31 15:24:57.727270: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:57.727272: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:24:57.727276: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:57.727285: | ****emit IKEv2 Delete Payload: Oct 31 15:24:57.727289: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:57.727291: | flags: none (0x0) Oct 31 15:24:57.727293: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:24:57.727297: | SPI size: 4 (04) Oct 31 15:24:57.727300: | number of SPIs: 1 (00 01) Oct 31 15:24:57.727303: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:24:57.727308: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:24:57.727311: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Oct 31 15:24:57.727314: | local spis: 6f 46 0d 9e Oct 31 15:24:57.727317: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:24:57.727319: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:24:57.727322: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:57.727325: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:57.727327: | emitting length of IKEv2 Encryption Payload: 41 Oct 
31 15:24:57.727330: | emitting length of ISAKMP Message: 69 Oct 31 15:24:57.727352: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 using UDP (for #1) Oct 31 15:24:57.727356: | 56 da 3a 10 de 51 40 20 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:57.727358: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Oct 31 15:24:57.727360: | 0a d5 2b 3c 35 21 23 45 a8 a9 e4 0d 5d 6c f6 33 Oct 31 15:24:57.727362: | 05 8f 04 56 10 0b 2b 14 4e d9 32 45 be 75 95 27 Oct 31 15:24:57.727364: | eb b6 81 2f 46 Oct 31 15:24:57.727393: | sent 1 messages Oct 31 15:24:57.727398: | Message ID: IKE #1 sender #2 in send_delete hacking around record 'n' send Oct 31 15:24:57.727405: | Message ID: IKE #1 scheduling EVENT_RETRANSMIT: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:24:57.727410: | event_schedule: newref EVENT_RETRANSMIT-pe@0x56001d280078 Oct 31 15:24:57.727413: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Oct 31 15:24:57.727416: | libevent_malloc: newref ptr-libevent@0x7f425c00b578 size 128 Oct 31 15:24:57.727422: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744572.160205 Oct 31 15:24:57.727429: | Message ID: IKE #1 updating initiator sent message request 0: ike.initiator.sent=-1->0 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=-1->0 ike.wip.responder=-1 Oct 31 15:24:57.727432: | state #2 deleting .st_event EVENT_SA_REKEY Oct 31 15:24:57.727436: | libevent_free: delref ptr-libevent@0x56001d286b88 Oct 31 15:24:57.727440: | free_event_entry: delref EVENT_SA_REKEY-pe@0x56001d28a768 Oct 31 15:24:57.727443: | #2 STATE_V2_ESTABLISHED_CHILD_SA: 
retransmits: cleared Oct 31 15:24:57.730130: | running updown command "ipsec _updown" for verb down Oct 31 15:24:57.730139: | command executing down-client Oct 31 15:24:57.730145: | get_sa_info esp.c5d3c63@192.1.2.45 Oct 31 15:24:57.730157: | get_sa_info esp.6f460d9e@192.1.2.23 Oct 31 15:24:57.730191: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='168... 
Oct 31 15:24:57.730202: | popen cmd is 1119 chars long Oct 31 15:24:57.730208: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUT: Oct 31 15:24:57.730210: | cmd( 80):O_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_H: Oct 31 15:24:57.730213: | cmd( 160):OP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0: Oct 31 15:24:57.730215: | cmd( 240):.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PL: Oct 31 15:24:57.730218: | cmd( 320):UTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP': Oct 31 15:24:57.730220: | cmd( 400): PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0: Oct 31 15:24:57.730222: | cmd( 480):/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PL: Oct 31 15:24:57.730224: | cmd( 560):UTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PL: Oct 31 15:24:57.730227: | cmd( 640):UTO_ADDTIME='1604157895' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+I: Oct 31 15:24:57.730229: | cmd( 720):KE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv: Oct 31 15:24:57.730231: | cmd( 800):4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMA: Oct 31 15:24:57.730233: | cmd( 880):IN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_: Oct 31 15:24:57.730236: | cmd( 960):NM_CONFIGURED='0' PLUTO_INBYTES='168' PLUTO_OUTBYTES='168' VTI_IFACE='' VTI_ROUT: Oct 31 15:24:57.730238: | cmd(1040):ING='no' VTI_SHARED='no' SPI_IN=0xc5d3c63 SPI_OUT=0x6f460d9e ipsec _updown 2>&1: Oct 31 15:24:57.761528: | shunt_eroute() called for connection 'eastnet-any' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Oct 31 15:24:57.761548: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 
Oct 31 15:24:57.761553: | priority calculation of connection "eastnet-any" is 2084814 (0x1fcfce) Oct 31 15:24:57.761558: | IPsec SA SPD priority set to 2084814 Oct 31 15:24:57.761820: | delete esp.c5d3c63@192.1.2.45 Oct 31 15:24:57.761827: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:57.762093: | netlink response for Del SA esp.c5d3c63@192.1.2.45 included non-error error Oct 31 15:24:57.762101: | priority calculation of connection "eastnet-any" is 2084814 (0x1fcfce) Oct 31 15:24:57.762109: | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk.10000@192.1.2.23 using reqid 0 (raw_eroute) proto=50 Oct 31 15:24:57.762508: | raw_eroute result=success Oct 31 15:24:57.762519: | delete esp.6f460d9e@192.1.2.23 Oct 31 15:24:57.762522: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:24:57.762620: | netlink response for Del SA esp.6f460d9e@192.1.2.23 included non-error error Oct 31 15:24:57.762629: | in connection_discard for connection eastnet-any Oct 31 15:24:57.762632: | State DB: deleting IKEv2 state #2 in ESTABLISHED_CHILD_SA Oct 31 15:24:57.762638: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => UNDEFINED(ignore) Oct 31 15:24:57.762642: | releasing #2's fd-fd@(nil) because deleting state Oct 31 15:24:57.762645: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:57.762647: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:57.762656: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:57.762663: | stop processing: state #2 from 192.1.2.45:500 (in delete_state() at state.c:1239) Oct 31 15:24:57.762670: | delref logger@0x56001d2863a8(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:57.762673: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:57.762676: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:57.762679: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:24:57.762682: | state #1 Oct 31 15:24:57.762684: | 
pass 1 Oct 31 15:24:57.762686: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:24:57.762691: | state #1 Oct 31 15:24:57.762698: | start processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:24:57.762701: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:24:57.762704: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:24:57.762706: | pstats #1 ikev2.ike deleted completed Oct 31 15:24:57.762714: | #1 main thread spent 4.89 (35.1) milliseconds helper thread spent 2.11 (2.14) milliseconds in total Oct 31 15:24:57.762720: | [RE]START processing: state #1 connection "eastnet-any"[1] 192.1.2.45 from 192.1.2.45:500 (in delete_state() at state.c:935) Oct 31 15:24:57.762723: | should_send_delete: yes Oct 31 15:24:57.762730: "eastnet-any"[1] 192.1.2.45 #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2.621437s and sending notification Oct 31 15:24:57.762733: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => delete Oct 31 15:24:57.762889: | unsuspending #1 MD (nil) Oct 31 15:24:57.762895: | should_send_delete: yes Oct 31 15:24:57.762899: | #1 send IKEv2 delete notification for STATE_V2_ESTABLISHED_IKE_SA Oct 31 15:24:57.762902: | opening output PBS informational exchange delete request Oct 31 15:24:57.762905: | **emit ISAKMP Message: Oct 31 15:24:57.762910: | initiator SPI: 56 da 3a 10 de 51 40 20 Oct 31 15:24:57.762914: | responder SPI: 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:57.762917: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:24:57.762920: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:24:57.762923: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:24:57.762926: | flags: none (0x0) Oct 31 15:24:57.762930: | Message ID: 1 (00 00 00 01) Oct 31 15:24:57.762933: | next payload chain: saving message location 'ISAKMP 
Message'.'next payload type' Oct 31 15:24:57.762937: | ***emit IKEv2 Encryption Payload: Oct 31 15:24:57.762940: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:57.762943: | flags: none (0x0) Oct 31 15:24:57.762946: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:24:57.762948: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:24:57.762952: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:24:57.762962: | ****emit IKEv2 Delete Payload: Oct 31 15:24:57.762965: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:24:57.762968: | flags: none (0x0) Oct 31 15:24:57.762971: | protocol ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:24:57.762974: | SPI size: 0 (00) Oct 31 15:24:57.762977: | number of SPIs: 0 (00 00) Oct 31 15:24:57.762980: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:24:57.762983: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:24:57.762986: | emitting length of IKEv2 Delete Payload: 8 Oct 31 15:24:57.762989: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:24:57.762992: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:24:57.762995: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:24:57.762997: | emitting length of IKEv2 Encryption Payload: 37 Oct 31 15:24:57.763000: | emitting length of ISAKMP Message: 65 Oct 31 15:24:57.763024: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.2.45:500 using UDP (for #1) Oct 31 15:24:57.763028: | 56 da 3a 10 de 51 40 20 3c 7b ee d5 b8 ac 7d 01 Oct 31 15:24:57.763031: | 2e 20 25 
00 00 00 00 01 00 00 00 41 2a 00 00 25 Oct 31 15:24:57.763033: | 69 83 3c e2 69 f6 6c ce 1a 76 79 85 42 a4 4f 3d Oct 31 15:24:57.763038: | 7a 82 5f 84 3b ae 46 6c 95 fc 33 94 c1 fc c6 c7 Oct 31 15:24:57.763040: | 98 Oct 31 15:24:57.763067: | sent 1 messages Oct 31 15:24:57.763071: | Message ID: IKE #1 sender #1 in send_delete hacking around record 'n' send Oct 31 15:24:57.763079: | Message ID: IKE #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?): ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:24:57.763085: | Message ID: IKE #1 XXX: EVENT_RETRANSMIT already scheduled -- suspect record'n'send: ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:24:57.763092: | Message ID: IKE #1 updating initiator sent message request 1: ike.initiator.sent=0->1 ike.initiator.recv=-1 ike.initiator.last_contact=744569.574107 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744569.613203 ike.wip.initiator=0->1 ike.wip.responder=-1 Oct 31 15:24:57.763096: | state #1 deleting .st_event EVENT_SA_REKEY Oct 31 15:24:57.763101: | libevent_free: delref ptr-libevent@0x56001d2866a8 Oct 31 15:24:57.763105: | free_event_entry: delref EVENT_SA_REKEY-pe@0x56001d286898 Oct 31 15:24:57.763108: | #1 requesting EVENT_RETRANSMIT-pe@0x56001d280078 be deleted Oct 31 15:24:57.763111: | libevent_free: delref ptr-libevent@0x7f425c00b578 Oct 31 15:24:57.763114: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x56001d280078 Oct 31 15:24:57.763116: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: cleared Oct 31 15:24:57.763120: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:24:57.763123: | in 
connection_discard for connection eastnet-any Oct 31 15:24:57.763126: | State DB: deleting IKEv2 state #1 in ESTABLISHED_IKE_SA Oct 31 15:24:57.763129: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => UNDEFINED(ignore) Oct 31 15:24:57.763132: | releasing #1's fd-fd@(nil) because deleting state Oct 31 15:24:57.763150: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:57.763153: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:24:57.763156: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:24:57.763174: | stop processing: state #1 from 192.1.2.45:500 (in delete_state() at state.c:1239) Oct 31 15:24:57.763191: | delref logger@0x56001d270a28(1->0) (in delete_state() at state.c:1306) Oct 31 15:24:57.763195: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:24:57.763205: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:24:57.763212: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:24:57.763219: | shunt_eroute() called for connection 'eastnet-any' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.1.0/24:0 Oct 31 15:24:57.763225: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.1.0/24:0 Oct 31 15:24:57.763228: | priority calculation of connection "eastnet-any" is 2084814 (0x1fcfce) Oct 31 15:24:57.763374: | priority calculation of connection "eastnet-any" is 2084814 (0x1fcfce) Oct 31 15:24:57.763391: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:24:57.763395: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:57.763398: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:57.763401: | conn eastnet-any mark 0/00000000, 0/00000000 vs Oct 31 15:24:57.763404: | conn eastnet-any mark 0/00000000, 0/00000000 Oct 31 15:24:57.763407: | route owner of "eastnet-any" unrouted: NULL Oct 31 15:24:57.763410: | running updown command "ipsec _updown" for verb unroute Oct 31 15:24:57.763413: | command executing unroute-client Oct 31 15:24:57.763441: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROU... 
Oct 31 15:24:57.763450: | popen cmd is 1060 chars long Oct 31 15:24:57.763454: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='eastnet-any' P: Oct 31 15:24:57.763456: | cmd( 80):LUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEX: Oct 31 15:24:57.763459: | cmd( 160):T_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='19: Oct 31 15:24:57.763461: | cmd( 240):2.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0': Oct 31 15:24:57.763463: | cmd( 320): PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='n: Oct 31 15:24:57.763466: | cmd( 400):one' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='192.1.2.45' PLUTO_PEER_CLIENT='192.0: Oct 31 15:24:57.763468: | cmd( 480):.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0: Oct 31 15:24:57.763470: | cmd( 560):' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm: Oct 31 15:24:57.763473: | cmd( 640):' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FR: Oct 31 15:24:57.763475: | cmd( 720):AG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XA: Oct 31 15:24:57.763477: | cmd( 800):UTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_IN: Oct 31 15:24:57.763480: | cmd( 880):FO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CO: Oct 31 15:24:57.763482: | cmd( 960):NFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x: Oct 31 15:24:57.763485: | cmd(1040):0 ipsec _updown 2>&1: Oct 31 15:24:57.810003: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810103: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810178: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810264: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:57.810338: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810414: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810488: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810619: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810698: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810774: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810849: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.810927: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812251: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812335: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812411: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812488: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812616: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812710: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812790: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812866: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.812942: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:24:57.813019: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:24:57.930467: | addref fd@NULL (in clone_logger() at log.c:809)
Oct 31 15:24:57.930479: | addref fd@NULL (in clone_logger() at log.c:810)
Oct 31 15:24:57.930484: | newref clone logger@0x56001d286a28(0->1) (in clone_logger() at log.c:817)
Oct 31 15:24:57.930490: | delref hp@0x56001d2827e8(1->0) (in delete_oriented_hp() at hostpair.c:360)
Oct 31 15:24:57.930493: | flush revival: connection 'eastnet-any' wasn't on the list
Oct 31 15:24:57.930497: | delref vip@NULL (in discard_connection() at connections.c:262)
Oct 31 15:24:57.930499: | delref vip@NULL (in discard_connection() at connections.c:263)
Oct 31 15:24:57.930505: | Connection DB: deleting connection $2
Oct 31 15:24:57.930509: | delref logger@0x56001d286a28(1->0) (in delete_connection() at connections.c:214)
Oct 31 15:24:57.930512: | delref fd@NULL (in free_logger() at log.c:853)
Oct 31 15:24:57.930515: | delref fd@NULL (in free_logger() at log.c:854)
Oct 31 15:24:57.930518: | deleting states for connection - including all other IPsec SA's of this IKE SA
Oct 31 15:24:57.930521: | pass 0
Oct 31 15:24:57.930523: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
Oct 31 15:24:57.930525: | pass 1
Oct 31 15:24:57.930528: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete
Oct 31 15:24:57.930531: | addref fd@NULL (in clone_logger() at log.c:809)
Oct 31 15:24:57.930533: | addref fd@NULL (in clone_logger() at log.c:810)
Oct 31 15:24:57.930536: | newref clone logger@0x56001d286a28(0->1) (in clone_logger() at log.c:817)
Oct 31 15:24:57.930540: | delref hp@0x56001d280798(1->0) (in delete_oriented_hp() at hostpair.c:360)
Oct 31 15:24:57.930543: | flush revival: connection 'eastnet-any' wasn't on the list
Oct 31 15:24:57.930545: | delref vip@NULL (in discard_connection() at connections.c:262)
Oct 31 15:24:57.930548: | delref vip@NULL (in discard_connection() at connections.c:263)
Oct 31 15:24:57.930555: | Connection DB: deleting connection $1
Oct 31 15:24:57.930559: | delref logger@0x56001d286a28(1->0) (in delete_connection() at connections.c:214)
Oct 31 15:24:57.930561: | delref fd@NULL (in free_logger() at log.c:853)
Oct 31 15:24:57.930564: | delref fd@NULL (in free_logger() at log.c:854)
Oct 31 15:24:57.930567: | crl fetch request list locked by 'free_crl_fetch'
Oct 31 15:24:57.930569: | crl fetch request list unlocked by 'free_crl_fetch'
Oct 31 15:24:57.930578: | iface: marking eth1 dead
Oct 31 15:24:57.930581: | iface: marking eth0 dead
Oct 31 15:24:57.930583: | iface: marking lo dead
Oct 31 15:24:57.930585: | updating interfaces - listing interfaces that are going down
Oct 31 15:24:57.930591: shutting down interface lo 127.0.0.1:4500
Oct 31 15:24:57.930595: shutting down interface lo 127.0.0.1:500
Oct 31 15:24:57.930599: shutting down interface eth0 192.0.2.254:4500
Oct 31 15:24:57.930602: shutting down interface eth0 192.0.2.254:500
Oct 31 15:24:57.930606: shutting down interface eth1 192.1.2.23:4500
Oct 31 15:24:57.930609: shutting down interface eth1 192.1.2.23:500
Oct 31 15:24:57.930612: | updating interfaces - deleting the dead
Oct 31 15:24:57.930617: | FOR_EACH_STATE_... in delete_states_dead_interfaces
Oct 31 15:24:57.930625: | libevent_free: delref ptr-libevent@0x56001d279a78
Oct 31 15:24:57.930629: | delref id@0x56001d27db78(3->2) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930640: | libevent_free: delref ptr-libevent@0x56001d23d128
Oct 31 15:24:57.930643: | delref id@0x56001d27db78(2->1) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930650: | libevent_free: delref ptr-libevent@0x56001d2323e8
Oct 31 15:24:57.930652: | delref id@0x56001d27daa8(3->2) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930657: | libevent_free: delref ptr-libevent@0x56001d23d228
Oct 31 15:24:57.930662: | delref id@0x56001d27daa8(2->1) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930668: | libevent_free: delref ptr-libevent@0x56001d239c48
Oct 31 15:24:57.930670: | delref id@0x56001d27d978(3->2) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930675: | libevent_free: delref ptr-libevent@0x56001d239b98
Oct 31 15:24:57.930677: | delref id@0x56001d27d978(2->1) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930682: | delref id@0x56001d27d978(1->0) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930684: | delref id@0x56001d27daa8(1->0) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930686: | delref id@0x56001d27db78(1->0) (in release_iface_dev() at iface.c:125)
Oct 31 15:24:57.930688: | updating interfaces - checking orientation
Oct 31 15:24:57.930690: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Oct 31 15:24:57.940565: | libevent_free: delref ptr-libevent@0x56001d279b28
Oct 31 15:24:57.940581: | free_event_entry: delref EVENT_NULL-pe@0x56001d27cf68
Oct 31 15:24:57.940588: | libevent_free: delref ptr-libevent@0x56001d23d028
Oct 31 15:24:57.940592: | free_event_entry: delref EVENT_NULL-pe@0x56001d279a08
Oct 31 15:24:57.940596: | libevent_free: delref ptr-libevent@0x56001d23cf78
Oct 31 15:24:57.940599: | free_event_entry: delref EVENT_NULL-pe@0x56001d275ff8
Oct 31 15:24:57.940603: | global timer EVENT_REINIT_SECRET uninitialized
Oct 31 15:24:57.940605: | global timer EVENT_SHUNT_SCAN uninitialized
Oct 31 15:24:57.940608: | global timer EVENT_PENDING_DDNS uninitialized
Oct 31 15:24:57.940610: | global timer EVENT_PENDING_PHASE2 uninitialized
Oct 31 15:24:57.940612: | global timer EVENT_CHECK_CRLS uninitialized
Oct 31 15:24:57.940614: | global timer EVENT_REVIVE_CONNS uninitialized
Oct 31 15:24:57.940616: | global timer EVENT_FREE_ROOT_CERTS uninitialized
Oct 31 15:24:57.940618: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized
Oct 31 15:24:57.940621: | global timer EVENT_NAT_T_KEEPALIVE uninitialized
Oct 31 15:24:57.940625: | libevent_free: delref ptr-libevent@0x56001d2333d8
Oct 31 15:24:57.940628: | signal event handler PLUTO_SIGCHLD uninstalled
Oct 31 15:24:57.940631: | libevent_free: delref ptr-libevent@0x56001d1cfa38
Oct 31 15:24:57.940634: | signal event handler PLUTO_SIGTERM uninstalled
Oct 31 15:24:57.940637: | libevent_free: delref ptr-libevent@0x56001d1cf798
Oct 31 15:24:57.940639: | signal event handler PLUTO_SIGHUP uninstalled
Oct 31 15:24:57.940642: | libevent_free: delref ptr-libevent@0x56001d27d2f8
Oct 31 15:24:57.940644: | signal event handler PLUTO_SIGSYS uninstalled
Oct 31 15:24:57.940647: | releasing event base
Oct 31 15:24:57.940661: | libevent_free: delref ptr-libevent@0x56001d27d1c8
Oct 31 15:24:57.940664: | libevent_free: delref ptr-libevent@0x56001d26c4e8
Oct 31 15:24:57.940669: | libevent_free: delref ptr-libevent@0x56001d26c498
Oct 31 15:24:57.940671: | libevent_free: delref ptr-libevent@0x56001d23f7e8
Oct 31 15:24:57.940674: | libevent_free: delref ptr-libevent@0x56001d26c698
Oct 31 15:24:57.940676: | libevent_free: delref ptr-libevent@0x56001d2709e8
Oct 31 15:24:57.940678: | libevent_free: delref ptr-libevent@0x56001d2707f8
Oct 31 15:24:57.940681: | libevent_free: delref ptr-libevent@0x56001d26c808
Oct 31 15:24:57.940683: | libevent_free: delref ptr-libevent@0x56001d270608
Oct 31 15:24:57.940685: | libevent_free: delref ptr-libevent@0x56001d26ffc8
Oct 31 15:24:57.940688: | libevent_free: delref ptr-libevent@0x56001d27e658
Oct 31 15:24:57.940690: | libevent_free: delref ptr-libevent@0x56001d27e618
Oct 31 15:24:57.940692: | libevent_free: delref ptr-libevent@0x56001d27e5d8
Oct 31 15:24:57.940694: | libevent_free: delref ptr-libevent@0x56001d27e598
Oct 31 15:24:57.940697: | libevent_free: delref ptr-libevent@0x56001d27e558
Oct 31 15:24:57.940699: | libevent_free: delref ptr-libevent@0x56001d27deb8
Oct 31 15:24:57.940701: | libevent_free: delref ptr-libevent@0x56001d26c6d8
Oct 31 15:24:57.940704: | libevent_free: delref ptr-libevent@0x56001d27d148
Oct 31 15:24:57.940707: | libevent_free: delref ptr-libevent@0x56001d27d108
Oct 31 15:24:57.940712: | libevent_free: delref ptr-libevent@0x56001d270648
Oct 31 15:24:57.940714: | libevent_free: delref ptr-libevent@0x56001d27d188
Oct 31 15:24:57.940716: | libevent_free: delref ptr-libevent@0x56001d27cfd8
Oct 31 15:24:57.940719: | libevent_free: delref ptr-libevent@0x56001d23f468
Oct 31 15:24:57.940721: | libevent_free: delref ptr-libevent@0x56001d23ecc8
Oct 31 15:24:57.940724: | libevent_free: delref ptr-libevent@0x56001d235c18
Oct 31 15:24:57.940726: | releasing global libevent data
Oct 31 15:24:57.940729: | libevent_free: delref ptr-libevent@0x56001d23f008
Oct 31 15:24:57.940732: | libevent_free: delref ptr-libevent@0x56001d233118
Oct 31 15:24:57.940734: | libevent_free: delref ptr-libevent@0x56001d23f4e8
Oct 31 15:24:57.940787: leak detective found no leaks