Oct 31 15:25:00.386462: | newref logger@0x559d3fa78bb8(0->1) (in main() at plutomain.c:1591) Oct 31 15:25:00.386543: | delref logger@0x559d3fa78bb8(1->0) (in main() at plutomain.c:1592) Oct 31 15:25:00.386552: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:00.386555: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:00.386560: NSS DB directory: sql:/var/lib/ipsec/nss Oct 31 15:25:00.387235: Initializing NSS Oct 31 15:25:00.387245: Opening NSS database "sql:/var/lib/ipsec/nss" read-only Oct 31 15:25:00.494310: FIPS Mode: NO Oct 31 15:25:00.494326: NSS crypto library initialized Oct 31 15:25:00.494362: FIPS mode disabled for pluto daemon Oct 31 15:25:00.494367: FIPS HMAC integrity support [disabled] Oct 31 15:25:00.494447: libcap-ng support [enabled] Oct 31 15:25:00.494459: Linux audit support [enabled] Oct 31 15:25:00.494484: Linux audit activated Oct 31 15:25:00.494493: Starting Pluto (Libreswan Version v4.1-88-gf1d1933837ef-main IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2157007 Oct 31 15:25:00.494495: core dump dir: /tmp Oct 31 15:25:00.494498: secrets file: /etc/ipsec.secrets Oct 31 15:25:00.494500: leak-detective enabled Oct 31 15:25:00.494502: NSS crypto [enabled] Oct 31 15:25:00.494504: XAUTH PAM support [enabled] Oct 31 15:25:00.494569: | libevent is using pluto's memory allocator Oct 31 15:25:00.494577: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) Oct 31 15:25:00.494591: | libevent_malloc: newref ptr-libevent@0x559d3fafe4b8 size 40 Oct 31 15:25:00.494594: | libevent_malloc: newref ptr-libevent@0x559d3fa8e8f8 size 40 Oct 31 15:25:00.494597: | libevent_malloc: newref ptr-libevent@0x559d3fafe9b8 size 40 Oct 31 15:25:00.494600: | creating event base Oct 31 15:25:00.494602: | libevent_malloc: newref 
ptr-libevent@0x559d3fafe518 size 56 Oct 31 15:25:00.494605: | libevent_malloc: newref ptr-libevent@0x559d3faf51c8 size 664 Oct 31 15:25:00.494617: | libevent_malloc: newref ptr-libevent@0x559d3fb2bc08 size 24 Oct 31 15:25:00.494620: | libevent_malloc: newref ptr-libevent@0x559d3fb2bc58 size 384 Oct 31 15:25:00.494634: | libevent_malloc: newref ptr-libevent@0x559d3fb2be08 size 16 Oct 31 15:25:00.494638: | libevent_malloc: newref ptr-libevent@0x559d3fafe1f8 size 40 Oct 31 15:25:00.494640: | libevent_malloc: newref ptr-libevent@0x559d3fafe178 size 48 Oct 31 15:25:00.494645: | libevent_realloc: newref ptr-libevent@0x559d3fb223d8 size 256 Oct 31 15:25:00.494648: | libevent_malloc: newref ptr-libevent@0x559d3fb2be48 size 16 Oct 31 15:25:00.494653: | libevent_free: delref ptr-libevent@0x559d3fafe518 Oct 31 15:25:00.494656: | libevent initialized Oct 31 15:25:00.494661: | libevent_realloc: newref ptr-libevent@0x559d3fafe518 size 64 Oct 31 15:25:00.494665: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds Oct 31 15:25:00.494672: | init_nat_traversal() initialized with keep_alive=0s Oct 31 15:25:00.494674: NAT-Traversal support [enabled] Oct 31 15:25:00.494677: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized Oct 31 15:25:00.494682: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized Oct 31 15:25:00.494685: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds Oct 31 15:25:00.494700: | checking IKEv1 state table Oct 31 15:25:00.494711: | MAIN_R0: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494714: | -> MAIN_R1 EVENT_SO_DISCARD (main_inI1_outR1) Oct 31 15:25:00.494718: | MAIN_I1: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494721: | -> MAIN_I2 EVENT_RETRANSMIT (main_inR1_outI2) Oct 31 15:25:00.494723: | MAIN_R1: category: open IKE SA; flags: 0: Oct 31 15:25:00.494725: | -> MAIN_R2 EVENT_RETRANSMIT (main_inI2_outR2) Oct 31 15:25:00.494728: | -> MAIN_R1 EVENT_RETRANSMIT 
(unexpected) Oct 31 15:25:00.494730: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected) Oct 31 15:25:00.494732: | MAIN_I2: category: open IKE SA; flags: 0: Oct 31 15:25:00.494741: | -> MAIN_I3 EVENT_RETRANSMIT (main_inR2_outI3) Oct 31 15:25:00.494744: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected) Oct 31 15:25:00.494746: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected) Oct 31 15:25:00.494749: | MAIN_R2: category: open IKE SA; flags: 0: Oct 31 15:25:00.494751: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3) Oct 31 15:25:00.494753: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3) Oct 31 15:25:00.494755: | -> MAIN_R2 EVENT_SA_REPLACE (unexpected) Oct 31 15:25:00.494758: | MAIN_I3: category: open IKE SA; flags: 0: Oct 31 15:25:00.494760: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3) Oct 31 15:25:00.494762: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3) Oct 31 15:25:00.494764: | -> MAIN_I3 EVENT_SA_REPLACE (unexpected) Oct 31 15:25:00.494767: | MAIN_R3: category: established IKE SA; flags: 0: Oct 31 15:25:00.494769: | -> MAIN_R3 EVENT_NULL (unexpected) Oct 31 15:25:00.494772: | MAIN_I4: category: established IKE SA; flags: 0: Oct 31 15:25:00.494774: | -> MAIN_I4 EVENT_NULL (unexpected) Oct 31 15:25:00.494777: | AGGR_R0: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494779: | -> AGGR_R1 EVENT_SO_DISCARD (aggr_inI1_outR1) Oct 31 15:25:00.494782: | AGGR_I1: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494784: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2) Oct 31 15:25:00.494786: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2) Oct 31 15:25:00.494789: | AGGR_R1: category: open IKE SA; flags: 0: Oct 31 15:25:00.494791: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2) Oct 31 15:25:00.494793: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2) Oct 31 15:25:00.494796: | AGGR_I2: category: established IKE SA; flags: 0: Oct 31 15:25:00.494798: | -> AGGR_I2 EVENT_NULL (unexpected) Oct 31 15:25:00.494800: | AGGR_R2: category: established IKE SA; flags: 0: Oct 31 15:25:00.494803: | -> AGGR_R2 EVENT_NULL 
(unexpected) Oct 31 15:25:00.494805: | QUICK_R0: category: established CHILD SA; flags: 0: Oct 31 15:25:00.494807: | -> QUICK_R1 EVENT_RETRANSMIT (quick_inI1_outR1) Oct 31 15:25:00.494810: | QUICK_I1: category: established CHILD SA; flags: 0: Oct 31 15:25:00.494812: | -> QUICK_I2 EVENT_SA_REPLACE (quick_inR1_outI2) Oct 31 15:25:00.494815: | QUICK_R1: category: established CHILD SA; flags: 0: Oct 31 15:25:00.494817: | -> QUICK_R2 EVENT_SA_REPLACE (quick_inI2) Oct 31 15:25:00.494820: | QUICK_I2: category: established CHILD SA; flags: 0: Oct 31 15:25:00.494822: | -> QUICK_I2 EVENT_NULL (unexpected) Oct 31 15:25:00.494825: | QUICK_R2: category: established CHILD SA; flags: 0: Oct 31 15:25:00.494827: | -> QUICK_R2 EVENT_NULL (unexpected) Oct 31 15:25:00.494829: | INFO: category: informational; flags: 0: Oct 31 15:25:00.494832: | -> INFO EVENT_NULL (informational) Oct 31 15:25:00.494834: | INFO_PROTECTED: category: informational; flags: 0: Oct 31 15:25:00.494836: | -> INFO_PROTECTED EVENT_NULL (informational) Oct 31 15:25:00.494839: | XAUTH_R0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494841: | -> XAUTH_R1 EVENT_NULL (xauth_inR0) Oct 31 15:25:00.494844: | XAUTH_R1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494846: | -> MAIN_R3 EVENT_SA_REPLACE (xauth_inR1) Oct 31 15:25:00.494849: | MODE_CFG_R0: category: informational; flags: 0: Oct 31 15:25:00.494851: | -> MODE_CFG_R1 EVENT_SA_REPLACE (modecfg_inR0) Oct 31 15:25:00.494853: | MODE_CFG_R1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494856: | -> MODE_CFG_R2 EVENT_SA_REPLACE (modecfg_inR1) Oct 31 15:25:00.494859: | MODE_CFG_R2: category: established IKE SA; flags: 0: Oct 31 15:25:00.494861: | -> MODE_CFG_R2 EVENT_NULL (unexpected) Oct 31 15:25:00.494863: | MODE_CFG_I1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494866: | -> MAIN_I4 EVENT_SA_REPLACE (modecfg_inR1) Oct 31 15:25:00.494868: | XAUTH_I0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494871: | -> 
XAUTH_I1 EVENT_RETRANSMIT (xauth_inI0) Oct 31 15:25:00.494878: | XAUTH_I1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494880: | -> MAIN_I4 EVENT_RETRANSMIT (xauth_inI1) Oct 31 15:25:00.494886: | checking IKEv2 state table Oct 31 15:25:00.494890: | V2_REKEY_IKE_I0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494893: | -> V2_REKEY_IKE_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey) Oct 31 15:25:00.494898: | V2_REKEY_CHILD_I0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494900: | -> V2_REKEY_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA) Oct 31 15:25:00.494903: | V2_NEW_CHILD_I0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494905: | -> V2_NEW_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA) Oct 31 15:25:00.494908: | PARENT_I0: category: ignore; flags: 0: Oct 31 15:25:00.494910: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT) Oct 31 15:25:00.494913: | PARENT_I1: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494915: | -> PARENT_I0 EVENT_SO_DISCARD (received anti-DDOS COOKIE notify response; resending IKE_SA_INIT request with cookie payload added) Oct 31 15:25:00.494918: | -> PARENT_I0 EVENT_SO_DISCARD (received IKE_SA_INIT INVALID_KE_PAYLOAD notify response; resending IKE_SA_INIT with new KE payload) Oct 31 15:25:00.494921: | -> IKESA_DEL EVENT_v2_REDIRECT (received REDIRECT notify response; resending IKE_SA_INIT request to new destination) Oct 31 15:25:00.494923: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE) Oct 31 15:25:00.494926: | PARENT_I2: category: open IKE SA; flags: 0: Oct 31 15:25:00.494928: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_INTERMEDIATE reply, initiate IKE_AUTH or IKE_INTERMEDIATE) Oct 31 15:25:00.494931: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification) Oct 31 
15:25:00.494934: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification) Oct 31 15:25:00.494936: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification) Oct 31 15:25:00.494938: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Initiator: process IKE_AUTH response) Oct 31 15:25:00.494941: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification) Oct 31 15:25:00.494944: | PARENT_R0: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494946: | -> PARENT_R1 EVENT_SO_DISCARD send-response (Respond to IKE_SA_INIT) Oct 31 15:25:00.494949: | PARENT_R1: category: half-open IKE SA; flags: 0: Oct 31 15:25:00.494951: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request (no SKEYSEED)) Oct 31 15:25:00.494953: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (no SKEYSEED)) Oct 31 15:25:00.494956: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (with SKEYSEED)) Oct 31 15:25:00.494958: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request) Oct 31 15:25:00.494961: | V2_REKEY_IKE_R0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494963: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IKE Rekey) Oct 31 15:25:00.494966: | V2_REKEY_IKE_I1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494968: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response) Oct 31 15:25:00.494971: | V2_NEW_CHILD_I1: category: established IKE SA; flags: 0: Oct 31 15:25:00.494973: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response) Oct 31 15:25:00.494976: | V2_REKEY_CHILD_R0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494978: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA rekey CHILD SA request) 
Oct 31 15:25:00.494981: | V2_NEW_CHILD_R0: category: established IKE SA; flags: 0: Oct 31 15:25:00.494986: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IPsec SA Request) Oct 31 15:25:00.494989: | ESTABLISHED_IKE_SA: category: established IKE SA; flags: 0: Oct 31 15:25:00.494991: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request (liveness probe)) Oct 31 15:25:00.494994: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response (liveness probe)) Oct 31 15:25:00.494996: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request) Oct 31 15:25:00.494998: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response) Oct 31 15:25:00.495001: | IKESA_DEL: category: established IKE SA; flags: 0: Oct 31 15:25:00.495003: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Oct 31 15:25:00.495006: | CHILDSA_DEL: category: informational; flags: 0: Oct 31 15:25:00.495008: | -> CHILDSA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL) Oct 31 15:25:00.495012: | global one-shot timer EVENT_REVIVE_CONNS initialized Oct 31 15:25:00.495015: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds Oct 31 15:25:00.495018: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds Oct 31 15:25:00.495149: Encryption algorithms: Oct 31 15:25:00.495158: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c Oct 31 15:25:00.495163: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b Oct 31 15:25:00.495168: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a Oct 31 15:25:00.495173: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des Oct 31 15:25:00.495177: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP Oct 31 15:25:00.495183: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia Oct 31 15:25:00.495188: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, 
aes_gcm_c Oct 31 15:25:00.495193: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b Oct 31 15:25:00.495197: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a Oct 31 15:25:00.495210: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr Oct 31 15:25:00.495214: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes Oct 31 15:25:00.495220: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac Oct 31 15:25:00.495224: NULL [] IKEv1: ESP IKEv2: ESP Oct 31 15:25:00.495228: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305 Oct 31 15:25:00.495231: Hash algorithms: Oct 31 15:25:00.495234: MD5 IKEv1: IKE IKEv2: NSS Oct 31 15:25:00.495238: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha Oct 31 15:25:00.495242: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256 Oct 31 15:25:00.495245: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384 Oct 31 15:25:00.495249: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512 Oct 31 15:25:00.495251: PRF algorithms: Oct 31 15:25:00.495255: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5 Oct 31 15:25:00.495259: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1 Oct 31 15:25:00.495264: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256 Oct 31 15:25:00.495271: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384 Oct 31 15:25:00.495275: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512 Oct 31 15:25:00.495278: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc Oct 31 15:25:00.495281: Integrity algorithms: Oct 31 15:25:00.495285: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5 Oct 31 15:25:00.495290: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1 Oct 31 15:25:00.495295: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512 Oct 31 15:25:00.495300: HMAC_SHA2_384_192 IKEv1: IKE ESP AH 
IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384 Oct 31 15:25:00.495305: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256 Oct 31 15:25:00.495308: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH Oct 31 15:25:00.495313: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96 Oct 31 15:25:00.495317: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac Oct 31 15:25:00.495320: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null Oct 31 15:25:00.495323: DH algorithms: Oct 31 15:25:00.495327: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0 Oct 31 15:25:00.495331: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5 Oct 31 15:25:00.495335: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14 Oct 31 15:25:00.495338: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15 Oct 31 15:25:00.495341: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16 Oct 31 15:25:00.495345: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17 Oct 31 15:25:00.495348: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18 Oct 31 15:25:00.495352: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256 Oct 31 15:25:00.495356: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384 Oct 31 15:25:00.495360: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521 Oct 31 15:25:00.495363: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519 Oct 31 15:25:00.495366: testing CAMELLIA_CBC: Oct 31 15:25:00.495369: Camellia: 16 bytes with 128-bit key Oct 31 15:25:00.495444: Camellia: 16 bytes with 128-bit key Oct 31 15:25:00.495481: Camellia: 16 bytes with 256-bit key Oct 31 15:25:00.495518: Camellia: 16 bytes with 256-bit key Oct 31 15:25:00.495557: testing AES_GCM_16: Oct 31 15:25:00.495562: empty string Oct 31 15:25:00.495594: one block Oct 31 15:25:00.495625: two blocks Oct 31 15:25:00.495658: two 
blocks with associated data Oct 31 15:25:00.495692: testing AES_CTR: Oct 31 15:25:00.495696: Encrypting 16 octets using AES-CTR with 128-bit key Oct 31 15:25:00.495728: Encrypting 32 octets using AES-CTR with 128-bit key Oct 31 15:25:00.495765: Encrypting 36 octets using AES-CTR with 128-bit key Oct 31 15:25:00.495801: Encrypting 16 octets using AES-CTR with 192-bit key Oct 31 15:25:00.495838: Encrypting 32 octets using AES-CTR with 192-bit key Oct 31 15:25:00.495873: Encrypting 36 octets using AES-CTR with 192-bit key Oct 31 15:25:00.495910: Encrypting 16 octets using AES-CTR with 256-bit key Oct 31 15:25:00.495944: Encrypting 32 octets using AES-CTR with 256-bit key Oct 31 15:25:00.495980: Encrypting 36 octets using AES-CTR with 256-bit key Oct 31 15:25:00.496018: testing AES_CBC: Oct 31 15:25:00.496022: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key Oct 31 15:25:00.496054: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key Oct 31 15:25:00.496092: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key Oct 31 15:25:00.496129: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key Oct 31 15:25:00.496174: testing AES_XCBC: Oct 31 15:25:00.496178: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input Oct 31 15:25:00.496314: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input Oct 31 15:25:00.496460: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input Oct 31 15:25:00.496597: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input Oct 31 15:25:00.496736: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input Oct 31 15:25:00.496874: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input Oct 31 15:25:00.497017: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input Oct 31 15:25:00.497316: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16) Oct 31 15:25:00.497459: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10) Oct 31 15:25:00.497611: RFC 4434 Test Case AES-XCBC-PRF-128 
with 20-byte input (key length 18) Oct 31 15:25:00.497862: testing HMAC_MD5: Oct 31 15:25:00.497867: RFC 2104: MD5_HMAC test 1 Oct 31 15:25:00.498048: RFC 2104: MD5_HMAC test 2 Oct 31 15:25:00.517333: RFC 2104: MD5_HMAC test 3 Oct 31 15:25:00.517555: 8 CPU cores online Oct 31 15:25:00.517561: starting up 7 helper threads Oct 31 15:25:00.517601: started thread for helper 0 Oct 31 15:25:00.517628: started thread for helper 1 Oct 31 15:25:00.517654: started thread for helper 2 Oct 31 15:25:00.517677: started thread for helper 3 Oct 31 15:25:00.517701: started thread for helper 4 Oct 31 15:25:00.517723: started thread for helper 5 Oct 31 15:25:00.517747: started thread for helper 6 Oct 31 15:25:00.517766: Using Linux XFRM/NETKEY IPsec kernel support code on 5.8.15-201.fc32.x86_64 Oct 31 15:25:00.517828: | Hard-wiring algorithms Oct 31 15:25:00.517833: | adding AES_CCM_16 to kernel algorithm db Oct 31 15:25:00.517840: | adding AES_CCM_12 to kernel algorithm db Oct 31 15:25:00.517843: | adding AES_CCM_8 to kernel algorithm db Oct 31 15:25:00.517845: | adding 3DES_CBC to kernel algorithm db Oct 31 15:25:00.517848: | adding CAMELLIA_CBC to kernel algorithm db Oct 31 15:25:00.517850: | adding AES_GCM_16 to kernel algorithm db Oct 31 15:25:00.517853: | adding AES_GCM_12 to kernel algorithm db Oct 31 15:25:00.517855: | adding AES_GCM_8 to kernel algorithm db Oct 31 15:25:00.517857: | adding AES_CTR to kernel algorithm db Oct 31 15:25:00.517860: | adding AES_CBC to kernel algorithm db Oct 31 15:25:00.517862: | adding NULL_AUTH_AES_GMAC to kernel algorithm db Oct 31 15:25:00.517865: | adding NULL to kernel algorithm db Oct 31 15:25:00.517868: | adding CHACHA20_POLY1305 to kernel algorithm db Oct 31 15:25:00.517870: | adding HMAC_MD5_96 to kernel algorithm db Oct 31 15:25:00.517872: | adding HMAC_SHA1_96 to kernel algorithm db Oct 31 15:25:00.517875: | adding HMAC_SHA2_512_256 to kernel algorithm db Oct 31 15:25:00.517878: | adding HMAC_SHA2_384_192 to kernel algorithm db Oct 31 
15:25:00.517880: | adding HMAC_SHA2_256_128 to kernel algorithm db Oct 31 15:25:00.517882: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db Oct 31 15:25:00.517885: | adding AES_XCBC_96 to kernel algorithm db Oct 31 15:25:00.517887: | adding AES_CMAC_96 to kernel algorithm db Oct 31 15:25:00.517889: | adding NONE to kernel algorithm db Oct 31 15:25:00.517913: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes Oct 31 15:25:00.517926: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds Oct 31 15:25:00.517929: | setup kernel fd callback Oct 31 15:25:00.517932: | add_fd_read_event_handler: newref KERNEL_XRM_FD-pe@0x559d3fb36e98 Oct 31 15:25:00.517936: | libevent_malloc: newref ptr-libevent@0x559d3fafc4c8 size 128 Oct 31 15:25:00.517939: | libevent_malloc: newref ptr-libevent@0x559d3fb2fba8 size 16 Oct 31 15:25:00.517946: | add_fd_read_event_handler: newref KERNEL_ROUTE_FD-pe@0x559d3fb38eb8 Oct 31 15:25:00.517950: | libevent_malloc: newref ptr-libevent@0x559d3fafc728 size 128 Oct 31 15:25:00.517952: | libevent_malloc: newref ptr-libevent@0x559d3fb2f568 size 16 Oct 31 15:25:00.518194: | global one-shot timer EVENT_CHECK_CRLS initialized Oct 31 15:25:00.518224: SELinux support is enabled in PERMISSIVE mode. 
Oct 31 15:25:00.518416: | unbound context created - setting debug level to 5 Oct 31 15:25:00.518451: | /etc/hosts lookups activated Oct 31 15:25:00.518468: | /etc/resolv.conf usage activated Oct 31 15:25:00.518522: | outgoing-port-avoid set 0-65535 Oct 31 15:25:00.518548: | outgoing-port-permit set 32768-60999 Oct 31 15:25:00.518552: | loading dnssec root key from:/var/lib/unbound/root.key Oct 31 15:25:00.518555: | no additional dnssec trust anchors defined via dnssec-trusted= option Oct 31 15:25:00.518558: | Setting up events, loop start Oct 31 15:25:00.518561: | add_fd_read_event_handler: newref PLUTO_CTL_FD-pe@0x559d3fb3c498 Oct 31 15:25:00.518565: | libevent_malloc: newref ptr-libevent@0x559d3fb38fd8 size 128 Oct 31 15:25:00.518567: | libevent_malloc: newref ptr-libevent@0x559d3fb2ff88 size 16 Oct 31 15:25:00.518573: | libevent_realloc: newref ptr-libevent@0x559d3fb3c508 size 256 Oct 31 15:25:00.518576: | libevent_malloc: newref ptr-libevent@0x559d3fb2fbe8 size 8 Oct 31 15:25:00.518579: | libevent_realloc: newref ptr-libevent@0x559d3fb2f228 size 144 Oct 31 15:25:00.518582: | libevent_malloc: newref ptr-libevent@0x559d3fa83f18 size 152 Oct 31 15:25:00.518586: | libevent_malloc: newref ptr-libevent@0x559d3fb2fd98 size 16 Oct 31 15:25:00.518590: | signal event handler PLUTO_SIGCHLD installed Oct 31 15:25:00.518593: | libevent_malloc: newref ptr-libevent@0x559d3fb3c638 size 8 Oct 31 15:25:00.518595: | libevent_malloc: newref ptr-libevent@0x559d3fa8e958 size 152 Oct 31 15:25:00.518598: | signal event handler PLUTO_SIGTERM installed Oct 31 15:25:00.518601: | libevent_malloc: newref ptr-libevent@0x559d3fb3c678 size 8 Oct 31 15:25:00.518604: | libevent_malloc: newref ptr-libevent@0x559d3fb3c6b8 size 152 Oct 31 15:25:00.518607: | signal event handler PLUTO_SIGHUP installed Oct 31 15:25:00.518609: | libevent_malloc: newref ptr-libevent@0x559d3fb3c788 size 8 Oct 31 15:25:00.518612: | libevent_realloc: delref ptr-libevent@0x559d3fb2f228 Oct 31 15:25:00.518615: | 
libevent_realloc: newref ptr-libevent@0x559d3fb3c7c8 size 256 Oct 31 15:25:00.518617: | libevent_malloc: newref ptr-libevent@0x559d3fb3c8f8 size 152 Oct 31 15:25:00.518620: | signal event handler PLUTO_SIGSYS installed Oct 31 15:25:00.518980: | created addconn helper (pid:2157103) using fork+execve Oct 31 15:25:00.518997: | forked child 2157103 Oct 31 15:25:00.519011: seccomp security disabled Oct 31 15:25:00.519045: | newref struct fd@0x559d3fb3ca58(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.519049: | fd_accept: new fd-fd@0x559d3fb3ca58 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.519068: | whack: options (impair|debug) Oct 31 15:25:00.519076: | old debugging base+cpu-usage + none Oct 31 15:25:00.519079: | new debugging = base+cpu-usage Oct 31 15:25:00.519085: | delref fd@0x559d3fb3ca58(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.519093: | freeref fd-fd@0x559d3fb3ca58 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.519101: | spent 0.0616 (0.0615) milliseconds in whack Oct 31 15:25:00.519569: | starting helper thread 1 Oct 31 15:25:00.519581: seccomp security disabled for crypto helper 1 Oct 31 15:25:00.519589: | status value returned by setting the priority of this helper thread 1: 22 Oct 31 15:25:00.519600: | helper thread 1 has nothing to do Oct 31 15:25:00.543784: | starting helper thread 2 Oct 31 15:25:00.543801: seccomp security disabled for crypto helper 2 Oct 31 15:25:00.543807: | status value returned by setting the priority of this helper thread 2: 22 Oct 31 15:25:00.543810: | helper thread 2 has nothing to do Oct 31 15:25:00.545284: | starting helper thread 3 Oct 31 15:25:00.545295: seccomp security disabled for crypto helper 3 Oct 31 15:25:00.545300: | status value returned by setting the priority of this helper thread 3: 22 Oct 31 15:25:00.545303: | helper thread 3 has nothing to do Oct 31 15:25:00.552543: | starting helper thread 5 Oct 31 15:25:00.552555: seccomp security disabled for 
crypto helper 5 Oct 31 15:25:00.552560: | status value returned by setting the priority of this helper thread 5: 22 Oct 31 15:25:00.552563: | helper thread 5 has nothing to do Oct 31 15:25:00.552578: | starting helper thread 6 Oct 31 15:25:00.552582: seccomp security disabled for crypto helper 6 Oct 31 15:25:00.552585: | status value returned by setting the priority of this helper thread 6: 22 Oct 31 15:25:00.552587: | helper thread 6 has nothing to do Oct 31 15:25:00.565540: | starting helper thread 4 Oct 31 15:25:00.565556: seccomp security disabled for crypto helper 4 Oct 31 15:25:00.565561: | status value returned by setting the priority of this helper thread 4: 22 Oct 31 15:25:00.565564: | helper thread 4 has nothing to do Oct 31 15:25:00.565575: | starting helper thread 7 Oct 31 15:25:00.565578: seccomp security disabled for crypto helper 7 Oct 31 15:25:00.565581: | status value returned by setting the priority of this helper thread 7: 22 Oct 31 15:25:00.565583: | helper thread 7 has nothing to do Oct 31 15:25:00.580151: | newref struct fd@0x559d3fb3ca98(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.580268: | fd_accept: new fd-fd@0x559d3fb3ca98 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.580485: | whack: delete 'north-east' Oct 31 15:25:00.580737: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:00.580744: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:25:00.580747: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:00.580749: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:25:00.580752: | whack: connection 'north-east' Oct 31 15:25:00.580756: | addref fd@0x559d3fb3ca98(1->2) (in string_logger() at log.c:838) Oct 31 15:25:00.580762: | newref string logger@0x559d3fb30348(0->1) (in add_connection() at connections.c:1998) Oct 31 15:25:00.580766: | Connection DB: adding connection "north-east" $1 Oct 31 15:25:00.580772: | FOR_EACH_CONNECTION_... 
in conn_by_name Oct 31 15:25:00.580784: | added new connection north-east with policy RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:25:00.580866: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Oct 31 15:25:00.580870: | from whack: got --esp= Oct 31 15:25:00.580920: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Oct 31 15:25:00.580969: | computed rsa CKAID Oct 31 15:25:00.580972: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:25:00.580975: | 88 aa 7c 5d Oct 31 15:25:00.580980: | keyid: *AQPl33O2P Oct 31 15:25:00.580982: | size: 274 Oct 31 15:25:00.580985: | n 
Oct 31 15:25:00.581030: | e Oct 31 15:25:00.581032: | 03 Oct 31 15:25:00.581034: | CKAID Oct 31 15:25:00.581037: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:25:00.581039: | 88 aa 7c 5d Oct 31 15:25:00.581046: | saving left CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d extracted from raw RSA public key Oct 31 15:25:00.581509: | spent 0.108 (0.298) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:25:00.581777: | no private key matching left CKAID 905dfca10868747c6f20d31b2d204b8f88aa7c5d: can't find the private key matching the NSS CKAID Oct 31 15:25:00.581783: | counting wild cards for @north is 0 Oct 31 15:25:00.581806: | computed rsa CKAID Oct 31 15:25:00.581810: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:25:00.581812: | 8a 82 25 f1 Oct 31 15:25:00.581818: | keyid: *AQO9bJbr3 Oct 31 15:25:00.581820: | size: 274 Oct 31 15:25:00.581822: | n 
Oct 31 15:25:00.581863: | e Oct 31 15:25:00.581865: | 03 Oct 31 15:25:00.581867: | CKAID Oct 31 15:25:00.581869: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:25:00.581872: | 8a 82 25 f1 Oct 31 15:25:00.581878: | saving right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 extracted from raw RSA public key Oct 31 15:25:00.581983: | loaded private key matching CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 Oct 31 15:25:00.582963: | copying key using reference slot Oct 31 15:25:00.588118: | certs and keys locked by 'lsw_add_rsa_secret' Oct 31 15:25:00.588132: | certs and keys unlocked by 'lsw_add_rsa_secret' Oct 31 15:25:00.588147: | spent 3.21 (6.26) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:25:00.588155: connection "north-east": loaded private key matching right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 Oct 31 15:25:00.588159: | counting wild cards for @east is 0 Oct 31 15:25:00.588165: | updating connection from left.host_addr Oct 31 15:25:00.588170: | right host_nexthop 192.1.3.33 Oct 31 15:25:00.588172: | left host_port 500 Oct 31 15:25:00.588174: | updating connection from right.host_addr Oct 31 15:25:00.588178: | left host_nexthop 192.1.2.23 Oct 31 15:25:00.588181: | right host_port 500 Oct 31 15:25:00.588187: | based upon policy narrowing=yes, the connection is a 
template. Oct 31 15:25:00.588190: | orienting north-east Oct 31 15:25:00.588195: added IKEv2 connection "north-east" Oct 31 15:25:00.593552: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 Oct 31 15:25:00.593576: | 192.0.3.254/32===192.1.3.33<192.1.3.33>[@north]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24 Oct 31 15:25:00.593582: | delref logger@0x559d3fb30348(1->0) (in add_connection() at connections.c:2026) Oct 31 15:25:00.593586: | delref fd@0x559d3fb3ca98(2->1) (in free_logger() at log.c:853) Oct 31 15:25:00.593589: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:00.593596: | delref fd@0x559d3fb3ca98(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.593603: | freeref fd-fd@0x559d3fb3ca98 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.593612: | spent 4.07 (13.5) milliseconds in whack Oct 31 15:25:00.593692: | newref struct fd@0x559d3fb41598(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.593698: | fd_accept: new fd-fd@0x559d3fb41598 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.593715: | whack: key Oct 31 15:25:00.593720: add keyid @north Oct 31 15:25:00.593782: | computed rsa CKAID Oct 31 15:25:00.593786: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:25:00.593841: | 88 aa 7c 5d Oct 31 15:25:00.593850: | keyid: *AQPl33O2P Oct 31 15:25:00.593904: | size: 274 Oct 31 15:25:00.593907: | n
Oct 31 15:25:00.594233: | e Oct 31 15:25:00.594236: | 03 Oct 31 15:25:00.594294: | CKAID Oct 31 15:25:00.594299: | 90 5d fc a1 08 68 74 7c 6f 20 d3 1b 2d 20 4b 8f Oct 31 15:25:00.594357: | 88 aa 7c 5d Oct 31 15:25:00.594364: | newref struct pubkey@0x559d3fb43f68(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:25:00.594368: | addref pk@0x559d3fb43f68(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:25:00.594424: | delref pkp@0x559d3fb43f68(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:25:00.594431: | trying secret PKK_RSA:AQO9bJbr3 Oct 31 15:25:00.594619: | spent 0.102 (0.186) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:25:00.594625: | no private key: can't find the private key matching the NSS CKAID Oct 31 15:25:00.594630: | delref fd@0x559d3fb41598(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.594637: | freeref fd-fd@0x559d3fb41598 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.594643: | spent 0.423 (0.957) milliseconds in whack Oct 31 15:25:00.594698: | newref struct fd@0x559d3fb39dd8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.594703: | fd_accept: new fd-fd@0x559d3fb39dd8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.594719: | whack: key Oct 31 15:25:00.594724: add keyid @east Oct 31 15:25:00.594778: | computed rsa CKAID Oct 31 15:25:00.594782: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:25:00.594784: | 8a 82 25 f1 Oct 31 15:25:00.594789: | keyid: *AQO9bJbr3 Oct 31 15:25:00.594792: | size: 274 Oct 31 15:25:00.594794: | n
Oct 31 15:25:00.594998: | e Oct 31 15:25:00.595000: | 03 Oct 31 15:25:00.595002: | CKAID Oct 31 15:25:00.595004: | 61 55 99 73 d3 ac ef 7d 3a 37 0e 3e 82 ad 92 c1 Oct 31 15:25:00.595057: | 8a 82 25 f1 Oct 31 15:25:00.595064: | newref struct pubkey@0x559d3fb43008(0->1) (in add_public_key() at secrets.c:1716) Oct 31 15:25:00.595119: | addref pk@0x559d3fb43008(1->2) (in add_public_key() at secrets.c:1718) Oct 31 15:25:00.595126: | delref pkp@0x559d3fb43008(2->1) (in key_add_request() at rcv_whack.c:341) Oct 31 15:25:00.595179: | trying secret PKK_RSA:AQO9bJbr3 Oct 31 15:25:00.595185: | matched Oct 31 15:25:00.595188: | secrets entry for ckaid already exists Oct 31 15:25:00.595193: | spent 0.0191 (0.0611) milliseconds in preload_private_key_by_ckaid() loading private key using CKAID Oct 31 15:25:00.595251: | delref fd@0x559d3fb39dd8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.595262: | freeref fd-fd@0x559d3fb39dd8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.595319: | spent 0.274 (0.625) milliseconds in whack Oct 31 15:25:00.595575: | newref struct fd@0x559d3fb30348(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.595581: | fd_accept: new fd-fd@0x559d3fb30348 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.595599: | whack: listen Oct 31 15:25:00.595603: listening for IKE messages Oct 31 15:25:00.595709: | Inspecting interface lo Oct 31 15:25:00.595717: | found lo with address 127.0.0.1 Oct 31 15:25:00.595721: | Inspecting interface eth0 Oct 31 15:25:00.595726: | found eth0 with address 192.0.2.254 Oct 31 15:25:00.595729: | Inspecting interface eth1 Oct 31 15:25:00.595734: | found
eth1 with address 192.1.2.23 Oct 31 15:25:00.595744: | newref struct iface_dev@0x559d3fb44208(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:25:00.595763: Kernel supports NIC esp-hw-offload Oct 31 15:25:00.595773: | iface: marking eth1 add Oct 31 15:25:00.595778: | newref struct iface_dev@0x559d3fb431b8(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:25:00.595782: | iface: marking eth0 add Oct 31 15:25:00.595786: | newref struct iface_dev@0x559d3fb43248(0->1) (in add_iface_dev() at iface.c:67) Oct 31 15:25:00.595790: | iface: marking lo add Oct 31 15:25:00.595956: | no interfaces to sort Oct 31 15:25:00.596027: | MSG_ERRQUEUE enabled on fd 18 Oct 31 15:25:00.596092: | addref ifd@0x559d3fb44208(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596151: adding UDP interface eth1 192.1.2.23:500 Oct 31 15:25:00.596222: | MSG_ERRQUEUE enabled on fd 19 Oct 31 15:25:00.596416: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:25:00.596472: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:25:00.596481: | addref ifd@0x559d3fb44208(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596535: adding UDP interface eth1 192.1.2.23:4500 Oct 31 15:25:00.596610: | MSG_ERRQUEUE enabled on fd 20 Oct 31 15:25:00.596625: | addref ifd@0x559d3fb431b8(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596631: adding UDP interface eth0 192.0.2.254:500 Oct 31 15:25:00.596648: | MSG_ERRQUEUE enabled on fd 21 Oct 31 15:25:00.596657: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:25:00.596661: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:25:00.596665: | addref ifd@0x559d3fb431b8(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596669: adding UDP interface eth0 192.0.2.254:4500 Oct 31 15:25:00.596685: | MSG_ERRQUEUE enabled on fd 22 Oct 31 15:25:00.596695: | addref ifd@0x559d3fb43248(1->2) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596700: 
adding UDP interface lo 127.0.0.1:500 Oct 31 15:25:00.596717: | MSG_ERRQUEUE enabled on fd 23 Oct 31 15:25:00.596725: | NAT-Traversal: Trying sockopt style NAT-T Oct 31 15:25:00.596729: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 Oct 31 15:25:00.596732: | addref ifd@0x559d3fb43248(2->3) (in bind_iface_port() at iface.c:237) Oct 31 15:25:00.596737: adding UDP interface lo 127.0.0.1:4500 Oct 31 15:25:00.596742: | updating interfaces - listing interfaces that are going down Oct 31 15:25:00.596745: | updating interfaces - checking orientation Oct 31 15:25:00.596748: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations Oct 31 15:25:00.596750: | orienting north-east Oct 31 15:25:00.596755: | north-east doesn't match 127.0.0.1:4500 at all Oct 31 15:25:00.596759: | north-east doesn't match 127.0.0.1:500 at all Oct 31 15:25:00.596763: | north-east doesn't match 192.0.2.254:4500 at all Oct 31 15:25:00.596767: | north-east doesn't match 192.0.2.254:500 at all Oct 31 15:25:00.596771: | north-east doesn't match 192.1.2.23:4500 at all Oct 31 15:25:00.596774: | oriented north-east's that Oct 31 15:25:00.596776: | swapping ends so that that is this Oct 31 15:25:00.596782: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil): none Oct 31 15:25:00.596791: | newref hp@0x559d3fb40778(0->1) (in connect_to_host_pair() at hostpair.c:290) Oct 31 15:25:00.596814: | libevent_malloc: newref ptr-libevent@0x559d3fb3f098 size 128 Oct 31 15:25:00.596819: | libevent_malloc: newref ptr-libevent@0x559d3fb40828 size 16 Oct 31 15:25:00.596829: | setup callback for interface lo 127.0.0.1:4500 fd 23 on UDP Oct 31 15:25:00.596832: | libevent_malloc: newref ptr-libevent@0x559d3fb38f28 size 128 Oct 31 15:25:00.596835: | libevent_malloc: newref ptr-libevent@0x559d3fb40868 size 16 Oct 31 15:25:00.596840: | setup callback for interface lo 127.0.0.1:500 fd 22 on UDP Oct 31 15:25:00.596843: | libevent_malloc: newref ptr-libevent@0x559d3faf9128 size 128 
Oct 31 15:25:00.596846: | libevent_malloc: newref ptr-libevent@0x559d3fb408a8 size 16 Oct 31 15:25:00.596851: | setup callback for interface eth0 192.0.2.254:4500 fd 21 on UDP Oct 31 15:25:00.596854: | libevent_malloc: newref ptr-libevent@0x559d3faf18d8 size 128 Oct 31 15:25:00.596856: | libevent_malloc: newref ptr-libevent@0x559d3fb408e8 size 16 Oct 31 15:25:00.596862: | setup callback for interface eth0 192.0.2.254:500 fd 20 on UDP Oct 31 15:25:00.596865: | libevent_malloc: newref ptr-libevent@0x559d3faf9228 size 128 Oct 31 15:25:00.596867: | libevent_malloc: newref ptr-libevent@0x559d3fb40928 size 16 Oct 31 15:25:00.596873: | setup callback for interface eth1 192.1.2.23:4500 fd 19 on UDP Oct 31 15:25:00.596876: | libevent_malloc: newref ptr-libevent@0x559d3fafc628 size 128 Oct 31 15:25:00.596878: | libevent_malloc: newref ptr-libevent@0x559d3fb40968 size 16 Oct 31 15:25:00.596977: | setup callback for interface eth1 192.1.2.23:500 fd 18 on UDP Oct 31 15:25:00.598980: | no stale xfrmi interface 'ipsec1' found Oct 31 15:25:00.598992: | certs and keys locked by 'free_preshared_secrets' Oct 31 15:25:00.598995: forgetting secrets Oct 31 15:25:00.599021: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:25:00.599049: loading secrets from "/etc/ipsec.secrets" Oct 31 15:25:00.599078: no secrets filename matched "/etc/ipsec.d/*.secrets" Oct 31 15:25:00.599088: | old food groups: Oct 31 15:25:00.599090: | new food groups: Oct 31 15:25:00.599096: | delref fd@0x559d3fb30348(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.599103: | freeref fd-fd@0x559d3fb30348 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.599111: | spent 0.966 (3.59) milliseconds in whack Oct 31 15:25:00.599170: | newref struct fd@0x559d3fb39dd8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.599175: | fd_accept: new fd-fd@0x559d3fb39dd8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:00.599190: | whack: route Oct 31 15:25:00.599194: | 
FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:00.599208: | could_route called for north-east; kind=CK_TEMPLATE that.has_client=yes oppo=no this.host_port=500 Oct 31 15:25:00.599213: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:25:00.599216: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:00.599219: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:00.599222: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Oct 31 15:25:00.599225: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:25:00.599227: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:25:00.599230: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:00.599232: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:00.599235: | route owner of "north-east" unrouted: NULL; eroute owner: NULL Oct 31 15:25:00.599238: | route_and_eroute with c: north-east (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #0 Oct 31 15:25:00.599245: | shunt_eroute() called for connection 'north-east' to 'add' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Oct 31 15:25:00.599251: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Oct 31 15:25:00.599254: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:00.599259: | IPsec SA SPD priority set to 2084798 Oct 31 15:25:00.599554: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:00.599561: | route_and_eroute: firewall_notified: true Oct 31 15:25:00.599564: | running updown command "ipsec _updown" for verb prepare Oct 31 15:25:00.599567: | command executing prepare-client Oct 31 15:25:00.599598: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' 
PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PL... Oct 31 15:25:00.599603: | popen cmd is 1102 chars long Oct 31 15:25:00.599606: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Oct 31 15:25:00.599608: | cmd( 80):UTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT: Oct 31 15:25:00.599611: | cmd( 160):_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192: Oct 31 15:25:00.599613: | cmd( 240):.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' : Oct 31 15:25:00.599615: | cmd( 320):PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='no: Oct 31 15:25:00.599622: | cmd( 400):ne' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.25: Oct 31 15:25:00.599625: | cmd( 480):4/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.25: Oct 31 15:25:00.599627: | cmd( 560):5' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfr: Oct 31 15:25:00.599629: | cmd( 640):m' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_AL: Oct 31 15:25:00.599632: | cmd( 720):LOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' 
PLUTO_CONN_KIND='CK: Oct 31 15:25:00.599634: | cmd( 800):_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Oct 31 15:25:00.599636: | cmd( 880):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Oct 31 15:25:00.599638: | cmd( 960):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Oct 31 15:25:00.599641: | cmd(1040):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:25:00.654945: | running updown command "ipsec _updown" for verb route Oct 31 15:25:00.654963: | command executing route-client Oct 31 15:25:00.654998: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_... 
Oct 31 15:25:00.655002: | popen cmd is 1100 chars long Oct 31 15:25:00.655006: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUT: Oct 31 15:25:00.655009: | cmd( 80):O_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_H: Oct 31 15:25:00.655011: | cmd( 160):OP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0: Oct 31 15:25:00.655013: | cmd( 240):.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PL: Oct 31 15:25:00.655015: | cmd( 320):UTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none: Oct 31 15:25:00.655017: | cmd( 400):' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/: Oct 31 15:25:00.655020: | cmd( 480):32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255': Oct 31 15:25:00.655022: | cmd( 560): PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm': Oct 31 15:25:00.655024: | cmd( 640): PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLO: Oct 31 15:25:00.655026: | cmd( 720):W+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_T: Oct 31 15:25:00.655028: | cmd( 800):EMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLU: Oct 31 15:25:00.655030: | cmd( 880):TO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SER: Oct 31 15:25:00.655033: | cmd( 960):VER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='n: Oct 31 15:25:00.655035: | cmd(1040):o' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:25:00.747514: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.747536: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.747548: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:00.747553: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.747557: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748117: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748130: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748136: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748151: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748166: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.748182: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.749074: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.749089: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.749094: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:00.749108: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:00.838879: | delref fd@0x559d3fb39dd8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.839059: | freeref fd-fd@0x559d3fb39dd8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:00.839072: | spent 0.685 (240) milliseconds in whack Oct 31 15:25:00.839088: | processing signal PLUTO_SIGCHLD Oct 31 15:25:00.839095: | waitpid returned nothing left to do (all child processes are busy) Oct 31 15:25:00.839100: | spent 0.00613 (0.006) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:00.839751: | processing signal PLUTO_SIGCHLD Oct 31 15:25:00.839759: | waitpid returned nothing left to do (all child processes are busy) Oct 31 15:25:00.839765: | spent 0.00547 (0.00508) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:00.840520: | processing signal PLUTO_SIGCHLD Oct 31 15:25:00.840543: | waitpid returned pid 2157103 (exited with status 0) Oct 31 15:25:00.840549: | reaped addconn helper child (status 0) Oct 31 15:25:00.840555: | waitpid returned ECHILD (no child processes left) Oct 31 15:25:00.840560: | spent 0.026 (0.0259) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:02.338773: | spent 0.0069 (0.00678) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:02.338794: | newref struct msg_digest@0x559d3fb444d8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.338802: | newref alloc logger@0x559d3fb3d028(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.338813: | *received 842 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP
Oct 31 15:25:02.338972: | **parse ISAKMP Message: Oct 31 15:25:02.338978: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.338984: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:25:02.338989: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:25:02.338992: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:02.338995: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:25:02.338999: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:02.339003: | Message ID: 0 (00 00 00 00) Oct 31
15:25:02.339007: | length: 842 (00 00 03 4a) Oct 31 15:25:02.339012: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31 15:25:02.339023: | I am the IKE SA Original Responder receiving an IKEv2 IKE_SA_INIT request Oct 31 15:25:02.339027: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Oct 31 15:25:02.339031: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:25:02.339034: | ***parse IKEv2 Security Association Payload: Oct 31 15:25:02.339037: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:25:02.339040: | flags: none (0x0) Oct 31 15:25:02.339043: | length: 436 (01 b4) Oct 31 15:25:02.339046: | processing payload: ISAKMP_NEXT_v2SA (len=432) Oct 31 15:25:02.339049: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:25:02.339054: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:25:02.339058: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:25:02.339063: | flags: none (0x0) Oct 31 15:25:02.339069: | length: 264 (01 08) Oct 31 15:25:02.339073: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:02.339075: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:25:02.339078: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:25:02.339081: | ***parse IKEv2 Nonce Payload: Oct 31 15:25:02.339083: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:02.339086: | flags: none (0x0) Oct 31 15:25:02.339089: | length: 36 (00 24) Oct 31 15:25:02.339092: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:25:02.339095: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:02.339098: | ***parse IKEv2 Notify Payload: Oct 31 15:25:02.339101: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:02.339104: | flags: none (0x0) Oct 31 15:25:02.339107: | length: 8 (00 08) Oct 31 15:25:02.339110: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.339113: | SPI size: 0 (00) Oct 31 15:25:02.339119: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED 
(0x402e) Oct 31 15:25:02.339123: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:25:02.339126: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:02.339129: | ***parse IKEv2 Notify Payload: Oct 31 15:25:02.339132: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:02.339134: | flags: none (0x0) Oct 31 15:25:02.339138: | length: 14 (00 0e) Oct 31 15:25:02.339140: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.339144: | SPI size: 0 (00) Oct 31 15:25:02.339147: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:25:02.339149: | processing payload: ISAKMP_NEXT_v2N (len=6) Oct 31 15:25:02.339152: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:02.339155: | ***parse IKEv2 Notify Payload: Oct 31 15:25:02.339158: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:02.339163: | flags: none (0x0) Oct 31 15:25:02.339167: | length: 28 (00 1c) Oct 31 15:25:02.339170: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.339173: | SPI size: 0 (00) Oct 31 15:25:02.339175: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:25:02.339178: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:25:02.339180: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:02.339183: | ***parse IKEv2 Notify Payload: Oct 31 15:25:02.339186: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.339188: | flags: none (0x0) Oct 31 15:25:02.339191: | length: 28 (00 1c) Oct 31 15:25:02.339193: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.339196: | SPI size: 0 (00) Oct 31 15:25:02.339202: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:25:02.339208: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:25:02.339211: | DDOS disabled and no cookie sent, continuing Oct 31 15:25:02.339214: | looking for message matching transition from STATE_PARENT_R0 Oct 31 15:25:02.339217: | trying Respond to IKE_SA_INIT Oct 31 15:25:02.339220: | matched 
unencrypted message Oct 31 15:25:02.339226: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:25:02.339232: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:02.339235: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:25:02.339239: | found policy = RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5 (north-east) Oct 31 15:25:02.339242: | find_next_host_connection returns "north-east" Oct 31 15:25:02.339244: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:25:02.339246: | find_next_host_connection returns Oct 31 15:25:02.339249: | local endpoint has narrowing=yes - needs instantiation Oct 31 15:25:02.339256: | Connection DB: adding connection "north-east" $2 Oct 31 15:25:02.339263: | addref vip@NULL (in unshare_connection_end() at connections.c:676) Oct 31 15:25:02.339267: | addref vip@NULL (in unshare_connection_end() at connections.c:676) Oct 31 15:25:02.339272: | updating connection from left.host_addr Oct 31 15:25:02.339277: | left host_port 500 Oct 31 15:25:02.339279: | updating connection from right.host_addr Oct 31 15:25:02.339282: | right host_port 500 Oct 31 15:25:02.339345: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:02.339354: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x559d3fb40778: north-east Oct 31 15:25:02.339360: | rw_instantiate() instantiated "north-east"[1] 192.1.3.33 for 192.1.3.33 Oct 31 15:25:02.339366: | found connection: "north-east"[1] 192.1.3.33 with policy ECDSA+IKEV2_ALLOW Oct 31 15:25:02.339395: | newref alloc logger@0x559d3fb2ffc8(0->1) (in new_state() at state.c:576) Oct 31 15:25:02.339400: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:25:02.339403: | creating state object #1 at 0x559d3fb45ce8 Oct 31 15:25:02.339408: | State DB: adding IKEv2 state #1 in UNDEFINED Oct 31 
15:25:02.339420: | pstats #1 ikev2.ike started Oct 31 15:25:02.339424: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Oct 31 15:25:02.339428: | #1.st_v2_transition NULL -> PARENT_R0->PARENT_R1 (in new_v2_ike_state() at state.c:620) Oct 31 15:25:02.339437: | Message ID: IKE #1 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744576.772227 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744576.772227 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:25:02.339441: | orienting north-east Oct 31 15:25:02.339447: | north-east doesn't match 127.0.0.1:4500 at all Oct 31 15:25:02.339451: | north-east doesn't match 127.0.0.1:500 at all Oct 31 15:25:02.339456: | north-east doesn't match 192.0.2.254:4500 at all Oct 31 15:25:02.339463: | north-east doesn't match 192.0.2.254:500 at all Oct 31 15:25:02.339467: | north-east doesn't match 192.1.2.23:4500 at all Oct 31 15:25:02.339469: | oriented north-east's this Oct 31 15:25:02.339479: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1758) Oct 31 15:25:02.339486: | Message ID: IKE #1 responder starting message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744576.772227 ike.wip.initiator=-1 ike.wip.responder=-1->0 Oct 31 15:25:02.339489: | calling processor Respond to IKE_SA_INIT Oct 31 15:25:02.339496: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:25:02.339499: | constructing local IKE proposals for north-east (IKE SA responder matching remote proposals) Oct 31 15:25:02.339510: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... 
Oct 31 15:25:02.339523: | ... ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339527: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:02.339533: | ... ikev2_proposal: 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339537: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:02.339543: | ... ikev2_proposal: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339546: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:02.339554: | ... 
ikev2_proposal: 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339559: "north-east"[1] 192.1.3.33: local IKE proposals (IKE SA responder matching remote proposals): Oct 31 15:25:02.339566: "north-east"[1] 192.1.3.33: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339573: "north-east"[1] 192.1.3.33: 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339580: "north-east"[1] 192.1.3.33: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339586: "north-east"[1] 192.1.3.33: 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:02.339590: | comparing remote proposals against IKE responder 4 local proposals Oct 31 15:25:02.339594: | local proposal 1 type ENCR has 1 transforms Oct 31 15:25:02.339597: | local proposal 1 type PRF has 2 transforms Oct 31 15:25:02.339599: | local proposal 1 type INTEG has 1 transforms Oct 31 15:25:02.339602: | local proposal 1 type DH has 8 transforms Oct 31 15:25:02.339604: | local proposal 1 type ESN has 0 transforms Oct 31 15:25:02.339608: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Oct 31 15:25:02.339610: | local proposal 2 type ENCR has 1 transforms Oct 31 15:25:02.339613: | local proposal 2 type PRF has 2 transforms Oct 31 15:25:02.339615: | local proposal 2 type INTEG has 1 transforms Oct 31 15:25:02.339617: | local proposal 2 type DH has 8 transforms Oct 31 15:25:02.339619: | local proposal 2 type ESN has 0 transforms Oct 31 15:25:02.339622: | local proposal 2 transforms: required: 
ENCR+PRF+DH; optional: INTEG Oct 31 15:25:02.339625: | local proposal 3 type ENCR has 1 transforms Oct 31 15:25:02.339627: | local proposal 3 type PRF has 2 transforms Oct 31 15:25:02.339629: | local proposal 3 type INTEG has 2 transforms Oct 31 15:25:02.339632: | local proposal 3 type DH has 8 transforms Oct 31 15:25:02.339634: | local proposal 3 type ESN has 0 transforms Oct 31 15:25:02.339636: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:25:02.339639: | local proposal 4 type ENCR has 1 transforms Oct 31 15:25:02.339641: | local proposal 4 type PRF has 2 transforms Oct 31 15:25:02.339643: | local proposal 4 type INTEG has 2 transforms Oct 31 15:25:02.339646: | local proposal 4 type DH has 8 transforms Oct 31 15:25:02.339648: | local proposal 4 type ESN has 0 transforms Oct 31 15:25:02.339651: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:25:02.339654: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.339657: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.339661: | length: 100 (00 64) Oct 31 15:25:02.339663: | prop #: 1 (01) Oct 31 15:25:02.339666: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:02.339669: | spi size: 0 (00) Oct 31 15:25:02.339671: | # transforms: 11 (0b) Oct 31 15:25:02.339675: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:25:02.339678: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339681: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339687: | length: 12 (00 0c) Oct 31 15:25:02.339690: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.339693: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:02.339696: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.339699: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.339702: | length/value: 256 (01 00) Oct 31 15:25:02.339709: | remote proposal 1 
transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:25:02.339713: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339716: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339720: | length: 8 (00 08) Oct 31 15:25:02.339722: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.339725: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:02.339729: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Oct 31 15:25:02.339733: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Oct 31 15:25:02.339739: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Oct 31 15:25:02.339743: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Oct 31 15:25:02.339746: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339749: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339752: | length: 8 (00 08) Oct 31 15:25:02.339755: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.339758: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:02.339761: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339764: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339768: | length: 8 (00 08) Oct 31 15:25:02.339770: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339773: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:02.339777: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:25:02.339782: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Oct 31 15:25:02.339789: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Oct 31 15:25:02.339794: | remote proposal 1 transform 3 
(DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Oct 31 15:25:02.339797: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339800: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339803: | length: 8 (00 08) Oct 31 15:25:02.339806: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339808: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:02.339812: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339814: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339818: | length: 8 (00 08) Oct 31 15:25:02.339821: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339823: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:02.339827: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339830: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339833: | length: 8 (00 08) Oct 31 15:25:02.339836: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339840: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:02.339845: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339848: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339851: | length: 8 (00 08) Oct 31 15:25:02.339854: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339856: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:02.339859: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339862: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339865: | length: 8 (00 08) Oct 31 15:25:02.339868: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339871: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:02.339874: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339877: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339880: | length: 8 (00 08) Oct 31 15:25:02.339883: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 
15:25:02.339890: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:02.339898: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339901: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.339905: | length: 8 (00 08) Oct 31 15:25:02.339907: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.339909: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:02.339914: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Oct 31 15:25:02.339919: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Oct 31 15:25:02.339922: | remote proposal 1 matches local proposal 1 Oct 31 15:25:02.339926: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.339928: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.339932: | length: 100 (00 64) Oct 31 15:25:02.339935: | prop #: 2 (02) Oct 31 15:25:02.339938: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:02.339944: | spi size: 0 (00) Oct 31 15:25:02.339947: | # transforms: 11 (0b) Oct 31 15:25:02.339951: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.339955: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339957: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339960: | length: 12 (00 0c) Oct 31 15:25:02.339963: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.339967: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:02.339971: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.339974: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.339977: | length/value: 128 (00 80) Oct 31 15:25:02.339981: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339983: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.339987: | length: 8 (00 08) Oct 31 15:25:02.339989: | IKEv2 
transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.339991: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:02.339995: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.339997: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340001: | length: 8 (00 08) Oct 31 15:25:02.340003: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.340006: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:02.340009: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340012: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340015: | length: 8 (00 08) Oct 31 15:25:02.340017: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340019: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:02.340022: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340025: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340027: | length: 8 (00 08) Oct 31 15:25:02.340030: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340032: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:02.340039: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340045: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340048: | length: 8 (00 08) Oct 31 15:25:02.340051: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340053: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:02.340057: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340059: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340063: | length: 8 (00 08) Oct 31 15:25:02.340065: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340067: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:02.340071: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340074: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340079: | length: 8 (00 08) Oct 31 15:25:02.340082: | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340085: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:02.340088: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340093: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340099: | length: 8 (00 08) Oct 31 15:25:02.340103: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340106: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:02.340110: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340112: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340115: | length: 8 (00 08) Oct 31 15:25:02.340118: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340120: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:02.340123: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340126: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.340129: | length: 8 (00 08) Oct 31 15:25:02.340132: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340135: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:02.340139: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Oct 31 15:25:02.340143: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Oct 31 15:25:02.340146: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.340149: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.340154: | length: 116 (00 74) Oct 31 15:25:02.340159: | prop #: 3 (03) Oct 31 15:25:02.340161: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:02.340164: | spi size: 0 (00) Oct 31 15:25:02.340167: | # transforms: 13 (0d) Oct 31 15:25:02.340170: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.340173: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340176: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340179: | length: 12 (00 
0c) Oct 31 15:25:02.340182: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.340185: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:02.340188: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.340190: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.340194: | length/value: 256 (01 00) Oct 31 15:25:02.340203: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340211: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340214: | length: 8 (00 08) Oct 31 15:25:02.340217: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.340219: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:02.340223: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340225: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340228: | length: 8 (00 08) Oct 31 15:25:02.340230: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.340233: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:02.340236: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340238: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340241: | length: 8 (00 08) Oct 31 15:25:02.340243: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.340246: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:02.340249: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340251: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340254: | length: 8 (00 08) Oct 31 15:25:02.340257: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.340259: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:02.340262: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340265: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340268: | length: 8 (00 08) Oct 31 15:25:02.340271: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340275: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 
15:25:02.340278: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340281: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340284: | length: 8 (00 08) Oct 31 15:25:02.340286: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340288: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:02.340291: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340294: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340297: | length: 8 (00 08) Oct 31 15:25:02.340299: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340304: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:02.340308: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340311: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340314: | length: 8 (00 08) Oct 31 15:25:02.340317: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340379: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:02.340385: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340387: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340391: | length: 8 (00 08) Oct 31 15:25:02.340393: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340396: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:02.340399: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340402: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340406: | length: 8 (00 08) Oct 31 15:25:02.340408: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340411: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:02.340418: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340421: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340424: | length: 8 (00 08) Oct 31 15:25:02.340427: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340430: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 
15:25:02.340433: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340435: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.340441: | length: 8 (00 08) Oct 31 15:25:02.340444: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340447: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:02.340452: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:25:02.340455: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:25:02.340458: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.340460: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:02.340463: | length: 116 (00 74) Oct 31 15:25:02.340466: | prop #: 4 (04) Oct 31 15:25:02.340469: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:02.340472: | spi size: 0 (00) Oct 31 15:25:02.340475: | # transforms: 13 (0d) Oct 31 15:25:02.340478: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.340482: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340484: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340489: | length: 12 (00 0c) Oct 31 15:25:02.340493: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.340496: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:02.340499: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.340501: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.340504: | length/value: 128 (00 80) Oct 31 15:25:02.340508: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340510: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340513: | length: 8 (00 08) Oct 31 15:25:02.340516: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.340518: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:02.340523: | *****parse IKEv2 Transform Substructure Payload: Oct 31 
15:25:02.340526: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340529: | length: 8 (00 08) Oct 31 15:25:02.340532: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.340534: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:02.340537: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340540: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340543: | length: 8 (00 08) Oct 31 15:25:02.340545: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.340548: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:02.340551: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340553: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340556: | length: 8 (00 08) Oct 31 15:25:02.340559: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.340561: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:02.340564: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340566: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340569: | length: 8 (00 08) Oct 31 15:25:02.340572: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340574: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:02.340577: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340579: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340582: | length: 8 (00 08) Oct 31 15:25:02.340585: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340587: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:02.340590: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340592: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340595: | length: 8 (00 08) Oct 31 15:25:02.340597: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340600: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:02.340603: | *****parse IKEv2 Transform Substructure Payload: Oct 31 
15:25:02.340605: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340608: | length: 8 (00 08) Oct 31 15:25:02.340611: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340613: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:02.340616: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340618: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340621: | length: 8 (00 08) Oct 31 15:25:02.340623: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340626: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:02.340629: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340631: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340634: | length: 8 (00 08) Oct 31 15:25:02.340636: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340639: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:02.340642: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340644: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.340647: | length: 8 (00 08) Oct 31 15:25:02.340649: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340652: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:02.340655: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.340657: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.340660: | length: 8 (00 08) Oct 31 15:25:02.340662: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.340664: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:02.340669: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:25:02.340672: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:25:02.340679: "north-east"[1] 192.1.3.33 #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Oct 31 15:25:02.340686: | accepted IKE proposal ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 Oct 31 15:25:02.340689: | converting proposal to internal trans attrs Oct 31 15:25:02.340696: | nat: IKE.SPIr is zero Oct 31 15:25:02.340715: | natd_hash: hasher=0x559d3e910f80(20) Oct 31 15:25:02.340720: | natd_hash: icookie= Oct 31 15:25:02.340723: | c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.340725: | natd_hash: rcookie= Oct 31 15:25:02.340727: | 00 00 00 00 00 00 00 00 Oct 31 15:25:02.340729: | natd_hash: ip= Oct 31 15:25:02.340731: | c0 01 02 17 Oct 31 15:25:02.340734: | natd_hash: port= Oct 31 15:25:02.340736: | 01 f4 Oct 31 15:25:02.340738: | natd_hash: hash= Oct 31 15:25:02.340740: | 72 74 c0 0f f3 d6 9e 02 d0 4c 15 ef 5c 22 de 58 Oct 31 15:25:02.340742: | ce 33 c5 be Oct 31 15:25:02.340745: | nat: IKE.SPIr is zero Oct 31 15:25:02.340755: | natd_hash: hasher=0x559d3e910f80(20) Oct 31 15:25:02.340758: | natd_hash: icookie= Oct 31 15:25:02.340761: | c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.340763: | natd_hash: rcookie= Oct 31 15:25:02.340765: | 00 00 00 00 00 00 00 00 Oct 31 15:25:02.340768: | natd_hash: ip= Oct 31 15:25:02.340772: | c0 01 03 21 Oct 31 15:25:02.340775: | natd_hash: port= Oct 31 15:25:02.340778: | 01 f4 Oct 31 15:25:02.340780: 
| natd_hash: hash= Oct 31 15:25:02.340782: | 1c 33 38 d0 d5 76 6c 9a 50 a8 87 df e8 f6 7f e0 Oct 31 15:25:02.340785: | 50 1c fe 69 Oct 31 15:25:02.340788: | NAT_TRAVERSAL encaps using auto-detect Oct 31 15:25:02.340790: | NAT_TRAVERSAL this end is NOT behind NAT Oct 31 15:25:02.340792: | NAT_TRAVERSAL that end is NOT behind NAT Oct 31 15:25:02.340796: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Oct 31 15:25:02.340799: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:25:02.340801: | hash algorithm identifier (network ordered) Oct 31 15:25:02.340804: | 00 02 Oct 31 15:25:02.340806: | received HASH_ALGORITHM_SHA2_256 which is allowed by local policy Oct 31 15:25:02.340809: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:25:02.340812: | hash algorithm identifier (network ordered) Oct 31 15:25:02.340814: | 00 03 Oct 31 15:25:02.340816: | received HASH_ALGORITHM_SHA2_384 which is allowed by local policy Oct 31 15:25:02.340819: | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) Oct 31 15:25:02.340821: | hash algorithm identifier (network ordered) Oct 31 15:25:02.340824: | 00 04 Oct 31 15:25:02.340828: | received HASH_ALGORITHM_SHA2_512 which is allowed by local policy Oct 31 15:25:02.340839: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:02.340842: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:02.340846: | newref clone logger@0x559d3fb302d8(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:02.340849: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): adding job to queue Oct 31 15:25:02.340852: | state #1 has no .st_event to delete Oct 31 15:25:02.340855: | #1 STATE_PARENT_R0: retransmits: cleared Oct 31 15:25:02.340859: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb3ce38 Oct 31 15:25:02.340862: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for 
#1 Oct 31 15:25:02.340868: | libevent_malloc: newref ptr-libevent@0x559d3fb41e68 size 128 Oct 31 15:25:02.340888: | #1 spent 1.34 (1.39) milliseconds in processing: Respond to IKE_SA_INIT in v2_dispatch() Oct 31 15:25:02.340892: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper 1 starting job Oct 31 15:25:02.340898: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.340903: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Oct 31 15:25:02.340906: | suspending state #1 and saving MD 0x559d3fb444d8 Oct 31 15:25:02.340909: | addref md@0x559d3fb444d8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:02.340913: | #1 is busy; has suspended MD 0x559d3fb444d8 Oct 31 15:25:02.340919: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1760) Oct 31 15:25:02.340925: | #1 spent 2.07 (2.17) milliseconds in ikev2_process_packet() Oct 31 15:25:02.340929: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:25:02.340935: | delref mdp@0x559d3fb444d8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:02.340941: | spent 2.08 (2.19) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:02.342637: | "north-east"[1] 192.1.3.33 #1: spent 1.73 (1.74) milliseconds in helper 1 processing job 1 for state #1: ikev2_inI1outR1 KE (pcr) Oct 31 15:25:02.342650: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper thread 1 sending result back to state Oct 31 15:25:02.342654: | scheduling resume sending helper answer back to state for #1 Oct 31 15:25:02.342658: | libevent_malloc: newref ptr-libevent@0x7f2cd8006108 size 128 Oct 31 15:25:02.342668: | helper thread 1 has nothing to do Oct 31 15:25:02.342683: | processing resume sending helper answer back to state for #1 Oct 31 15:25:02.342694: | start 
processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:02.342699: | unsuspending #1 MD 0x559d3fb444d8 Oct 31 15:25:02.342702: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): processing response from helper 1 Oct 31 15:25:02.342705: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): calling continuation function 0x559d3e81efe7 Oct 31 15:25:02.342709: | ikev2_parent_inI1outR1_continue() for #1 STATE_PARENT_R0: calculated ke+nonce, sending R1 Oct 31 15:25:02.342740: | opening output PBS reply packet Oct 31 15:25:02.342745: | **emit ISAKMP Message: Oct 31 15:25:02.342750: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.342754: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.342757: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:02.342760: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:02.342763: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:25:02.342765: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:25:02.342769: | Message ID: 0 (00 00 00 00) Oct 31 15:25:02.342773: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:02.342776: | emitting ikev2_proposal ... 
Oct 31 15:25:02.342779: | ***emit IKEv2 Security Association Payload: Oct 31 15:25:02.342782: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.342785: | flags: none (0x0) Oct 31 15:25:02.342788: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:25:02.342790: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.342795: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.342797: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:02.342800: | prop #: 1 (01) Oct 31 15:25:02.342803: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:02.342808: | spi size: 0 (00) Oct 31 15:25:02.342811: | # transforms: 3 (03) Oct 31 15:25:02.342814: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:25:02.342818: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:02.342820: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.342823: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.342825: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:02.342827: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:02.342830: | ******emit IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.342833: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.342836: | length/value: 256 (01 00) Oct 31 15:25:02.342839: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:25:02.342842: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:02.342844: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.342847: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:02.342849: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:02.342853: | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.342855: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:02.342858: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:02.342860: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:02.342863: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.342865: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:02.342867: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:02.342870: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.342872: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:02.342875: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:02.342877: | emitting length of IKEv2 Proposal Substructure Payload: 36 Oct 31 15:25:02.342880: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:25:02.342882: | emitting length of IKEv2 Security Association Payload: 40 Oct 31 15:25:02.342885: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:25:02.342889: | DH secret MODP2048@0x7f2cd8006ba8: transferring ownership from helper KE to state #1 Oct 31 15:25:02.342892: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:25:02.342895: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.342897: | flags: none (0x0) Oct 31 15:25:02.342900: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 
15:25:02.342902: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:25:02.342905: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.342909: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:25:02.342911: | ikev2 g^x: Oct 31 15:25:02.342951: | emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:25:02.342954: | ***emit IKEv2 Nonce Payload: Oct 31 15:25:02.342956: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.342959: | flags: none (0x0) Oct 31 15:25:02.342962: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce
Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:25:02.342964: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.342967: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:25:02.342969: | IKEv2 nonce: Oct 31 15:25:02.342971: | de f4 74 6a c3 b8 40 0e 78 65 b4 77 f6 1a 40 f4 Oct 31 15:25:02.342974: | 5c fe 1d fd 3d 2e 5f 97 17 a2 a7 12 3b a0 23 4c Oct 31 15:25:02.342976: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:25:02.342979: | adding a v2N Payload Oct 31 15:25:02.342982: | ***emit IKEv2 Notify Payload: Oct 31 15:25:02.342984: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.342986: | flags: none (0x0) Oct 31 15:25:02.342989: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.342992: | SPI size: 0 (00) Oct 31 15:25:02.342995: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:25:02.342997: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:02.343000: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.343002: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:25:02.343005: | adding a v2N Payload Oct 31 15:25:02.343007: | ***emit IKEv2 Notify Payload: Oct 31 15:25:02.343009: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.343011: | flags: none (0x0) Oct 31 15:25:02.343014: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.343016: | SPI size: 0 (00) Oct 31 15:25:02.343019: | Notify Message Type: v2N_SIGNATURE_HASH_ALGORITHMS (0x402f) Oct 31 15:25:02.343021: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:02.343023: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.343027: | emitting 2 raw 
bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256 into IKEv2 Notify Payload Oct 31 15:25:02.343030: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256: 00 02 Oct 31 15:25:02.343033: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384 into IKEv2 Notify Payload Oct 31 15:25:02.343035: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384: 00 03 Oct 31 15:25:02.343038: | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512 into IKEv2 Notify Payload Oct 31 15:25:02.343041: | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512: 00 04 Oct 31 15:25:02.343043: | emitting length of IKEv2 Notify Payload: 14 Oct 31 15:25:02.343046: | NAT-Traversal support [enabled] add v2N payloads. Oct 31 15:25:02.343058: | natd_hash: hasher=0x559d3e910f80(20) Oct 31 15:25:02.343062: | natd_hash: icookie= Oct 31 15:25:02.343065: | c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.343067: | natd_hash: rcookie= Oct 31 15:25:02.343069: | b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.343071: | natd_hash: ip= Oct 31 15:25:02.343073: | c0 01 02 17 Oct 31 15:25:02.343075: | natd_hash: port= Oct 31 15:25:02.343077: | 01 f4 Oct 31 15:25:02.343079: | natd_hash: hash= Oct 31 15:25:02.343082: | 5b 3f 2b 43 3c 86 62 73 1c 6b ac e6 47 7f 82 6d Oct 31 15:25:02.343084: | b8 86 01 86 Oct 31 15:25:02.343086: | adding a v2N Payload Oct 31 15:25:02.343088: | ***emit IKEv2 Notify Payload: Oct 31 15:25:02.343091: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.343093: | flags: none (0x0) Oct 31 15:25:02.343096: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.343099: | SPI size: 0 (00) Oct 31 15:25:02.343102: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:25:02.343104: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:02.343107: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload 
type' in 'reply packet' Oct 31 15:25:02.343110: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:25:02.343112: | Notify data: Oct 31 15:25:02.343114: | 5b 3f 2b 43 3c 86 62 73 1c 6b ac e6 47 7f 82 6d Oct 31 15:25:02.343116: | b8 86 01 86 Oct 31 15:25:02.343119: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:25:02.343127: | natd_hash: hasher=0x559d3e910f80(20) Oct 31 15:25:02.343129: | natd_hash: icookie= Oct 31 15:25:02.343132: | c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.343134: | natd_hash: rcookie= Oct 31 15:25:02.343136: | b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.343138: | natd_hash: ip= Oct 31 15:25:02.343141: | c0 01 03 21 Oct 31 15:25:02.343143: | natd_hash: port= Oct 31 15:25:02.343145: | 01 f4 Oct 31 15:25:02.343147: | natd_hash: hash= Oct 31 15:25:02.343149: | 6b 69 72 f7 c3 1e dd 70 c5 3c 39 f2 d1 2a 6d 55 Oct 31 15:25:02.343151: | 57 29 6d c0 Oct 31 15:25:02.343153: | adding a v2N Payload Oct 31 15:25:02.343155: | ***emit IKEv2 Notify Payload: Oct 31 15:25:02.343158: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.343160: | flags: none (0x0) Oct 31 15:25:02.343163: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:02.343165: | SPI size: 0 (00) Oct 31 15:25:02.343168: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:25:02.343171: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:02.343173: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.343177: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:25:02.343179: | Notify data: Oct 31 15:25:02.343181: | 6b 69 72 f7 c3 1e dd 70 c5 3c 39 f2 d1 2a 6d 55 Oct 31 15:25:02.343183: | 57 29 6d c0 Oct 31 15:25:02.343185: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:25:02.343188: | going to send a certreq Oct 31 15:25:02.343190: | connection->kind 
is not CK_PERMANENT (instance), so collect CAs Oct 31 15:25:02.343194: | not a roadwarrior instance, sending empty CA in CERTREQ Oct 31 15:25:02.343197: | ***emit IKEv2 Certificate Request Payload: Oct 31 15:25:02.343207: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.343210: | flags: none (0x0) Oct 31 15:25:02.343212: | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) Oct 31 15:25:02.343215: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) Oct 31 15:25:02.343217: | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.343220: | emitting length of IKEv2 Certificate Request Payload: 5 Oct 31 15:25:02.343225: | emitting length of ISAKMP Message: 451 Oct 31 15:25:02.343234: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.343239: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Oct 31 15:25:02.343242: | transitioning from state STATE_PARENT_R0 to state STATE_PARENT_R1 Oct 31 15:25:02.343244: | Message ID: updating counters for #1 Oct 31 15:25:02.343253: | Message ID: IKE #1 updating responder received message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=-1 ike.responder.recv=-1->0 ike.responder.last_contact=744576.772227->744576.776043 ike.wip.initiator=-1 ike.wip.responder=0->-1 Oct 31 15:25:02.343260: | Message ID: IKE #1 updating responder sent message response 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=-1->0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:02.343266: | Message ID: IKE #1 no pending message initiators to schedule: 
ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:02.343270: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Oct 31 15:25:02.343273: | announcing the state transition Oct 31 15:25:02.343281: "north-east"[1] 192.1.3.33 #1: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Oct 31 15:25:02.343295: | sending 451 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31
15:25:02.343486: | sent 1 messages Oct 31 15:25:02.343492: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:02.343496: | libevent_free: delref ptr-libevent@0x559d3fb41e68 Oct 31 15:25:02.343500: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb3ce38 Oct 31 15:25:02.343504: | event_schedule: newref EVENT_SO_DISCARD-pe@0x559d3fb41e68 Oct 31 15:25:02.343508: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Oct 31 15:25:02.343510: | libevent_malloc: newref ptr-libevent@0x559d3fb3f848 size 128 Oct 31 15:25:02.343515: | delref logger@0x559d3fb302d8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:02.343518: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.343521: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:02.343524: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:25:02.343527: | delref mdp@0x559d3fb444d8(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:02.343530: | delref logger@0x559d3fb3d028(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:02.343533: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.343535: | delref fd@NULL (in
free_logger() at log.c:854) Oct 31 15:25:02.343544: | #1 spent 0.753 (0.842) milliseconds in resume sending helper answer back to state Oct 31 15:25:02.343551: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:02.343555: | libevent_free: delref ptr-libevent@0x7f2cd8006108 Oct 31 15:25:02.358044: | spent 0 (0.00248) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:02.358062: | newref struct msg_digest@0x559d3fb444d8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.358067: | newref alloc logger@0x559d3fb3d028(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.358074: | *received 539 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP
Oct 31 15:25:02.358158: | **parse ISAKMP Message: Oct 31 15:25:02.358162: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.358166: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.358169: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Oct 31 15:25:02.358172: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:02.358174: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:25:02.358176: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:02.358181: | Message ID: 1 (00 00 00 01) Oct 31 15:25:02.358184: | length: 539 (00 00 02 1b) Oct 31 15:25:02.358187: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Oct 31 15:25:02.358191: | I am the IKE SA
Original Responder receiving an IKEv2 IKE_AUTH request Oct 31 15:25:02.358196: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Oct 31 15:25:02.358208: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:25:02.358214: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Oct 31 15:25:02.358218: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:25:02.358220: | #1 is idle Oct 31 15:25:02.358227: | Message ID: IKE #1 not a duplicate - message request 1 is new: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:02.358234: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:25:02.358237: | unpacking clear payload Oct 31 15:25:02.358239: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Oct 31 15:25:02.358243: | ***parse IKEv2 Encrypted Fragment: Oct 31 15:25:02.358245: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Oct 31 15:25:02.358248: | flags: none (0x0) Oct 31 15:25:02.358251: | length: 511 (01 ff) Oct 31 15:25:02.358254: | fragment number: 1 (00 01) Oct 31 15:25:02.358257: | total fragments: 2 (00 02) Oct 31 15:25:02.358260: | processing payload: ISAKMP_NEXT_v2SKF (len=503) Oct 31 15:25:02.358263: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:25:02.358267: | received IKE encrypted fragment number '1', total number '2', next payload '35' Oct 31 15:25:02.358274: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:25:02.358281: | #1 spent 0.231 (0.244) milliseconds in ikev2_process_packet() Oct 31 15:25:02.358284: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 
15:25:02.358287: | delref mdp@0x559d3fb444d8(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:02.358290: | delref logger@0x559d3fb3d028(1->0) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:02.358293: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.358295: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:02.358301: | spent 0.252 (0.265) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:02.358374: | spent 0.000324 (0.00163) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:02.358382: | newref struct msg_digest@0x559d3fb444d8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.358386: | newref alloc logger@0x559d3fb3d028(0->1) (in read_message() at demux.c:103) Oct 31 15:25:02.358393: | *received 170 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP Oct 31 15:25:02.358421: | **parse ISAKMP Message: Oct 31 15:25:02.358425: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.358429: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.358432: | next payload type: ISAKMP_NEXT_v2SKF (0x35) Oct 31 15:25:02.358434: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20) Oct 31 15:25:02.358437: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:25:02.358439: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:02.358443: | Message ID: 1 (00 00 00 01) Oct 31 15:25:02.358447: | length: 170 (00 00 00 aa) Oct 31 15:25:02.358450: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Oct 31 15:25:02.358453: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Oct 31 15:25:02.358456: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Oct 31 15:25:02.358463: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:25:02.358466: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Oct 31 15:25:02.358469: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:25:02.358471: | #1 is idle Oct 31 15:25:02.358478: | Message ID: IKE #1 not a duplicate - responder is accumulating fragments for message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:02.358484: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:25:02.358486: | unpacking clear payload Oct 31 15:25:02.358489: | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) Oct 31 15:25:02.358492: | ***parse IKEv2 Encrypted Fragment: Oct 31 15:25:02.358494: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.358497: | flags: none (0x0) Oct 31 15:25:02.358500: | length: 142 (00 8e) Oct 31 15:25:02.358503: | fragment number: 2 (00 02) Oct 31 15:25:02.358506: | total fragments: 2 (00 02) Oct 31 15:25:02.358508: | processing payload: ISAKMP_NEXT_v2SKF (len=134) Oct 31 15:25:02.358510: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 
15:25:02.358514: | received IKE encrypted fragment number '2', total number '2', next payload '0' Oct 31 15:25:02.358517: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:25:02.358520: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:25:02.358523: | ikev2 parent ikev2_ike_sa_process_auth_request_no_skeyid(): calculating g^{xy} in order to decrypt I2 Oct 31 15:25:02.358527: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Oct 31 15:25:02.358531: | DH secret MODP2048@0x7f2cd8006ba8: transferring ownership from state #1 to helper IKEv2 DH Oct 31 15:25:02.358536: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:02.358539: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:02.358544: | newref clone logger@0x559d3fb302d8(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:02.358547: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): adding job to queue Oct 31 15:25:02.358550: | state #1 deleting .st_event EVENT_SO_DISCARD Oct 31 15:25:02.358554: | libevent_free: delref ptr-libevent@0x559d3fb3f848 Oct 31 15:25:02.358557: | free_event_entry: delref EVENT_SO_DISCARD-pe@0x559d3fb41e68 Oct 31 15:25:02.358560: | #1 STATE_PARENT_R1: retransmits: cleared Oct 31 15:25:02.358563: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb41ed8 Oct 31 15:25:02.358566: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:25:02.358568: | libevent_malloc: newref ptr-libevent@0x7f2cd8006108 size 128 Oct 31 15:25:02.358579: | #1 spent 0.0544 (0.0543) milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in v2_dispatch() Oct 31 15:25:02.358587: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.358591: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND; 
.st_v2_transition=PARENT_R0->PARENT_R1 Oct 31 15:25:02.358593: | suspending state #1 and saving MD 0x559d3fb444d8 Oct 31 15:25:02.358596: | addref md@0x559d3fb444d8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:02.358599: | #1 is busy; has suspended MD 0x559d3fb444d8 Oct 31 15:25:02.358604: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:25:02.358609: | #1 spent 0.237 (0.239) milliseconds in ikev2_process_packet() Oct 31 15:25:02.358612: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:25:02.358615: | delref mdp@0x559d3fb444d8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:02.358619: | spent 0.247 (0.249) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:02.359798: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper 2 starting job Oct 31 15:25:02.360946: | calculating skeyseed using prf=HMAC_SHA2_512 integ=NONE cipherkey-size=32 salt-size=4 Oct 31 15:25:02.361122: | "north-east"[1] 192.1.3.33 #1: spent 1.07 (1.32) milliseconds in helper 2 processing job 2 for state #1: ikev2_inI2outR2 KE (pcr) Oct 31 15:25:02.361128: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper thread 2 sending result back to state Oct 31 15:25:02.361132: | scheduling resume sending helper answer back to state for #1 Oct 31 15:25:02.361136: | libevent_malloc: newref ptr-libevent@0x7f2cd000b578 size 128 Oct 31 15:25:02.361146: | helper thread 2 has nothing to do Oct 31 15:25:02.361159: | processing resume sending helper answer back to state for #1 Oct 31 15:25:02.361168: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:02.361173: | unsuspending #1 MD 0x559d3fb444d8 Oct 31 15:25:02.361176: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): processing response from helper 2 Oct 31 15:25:02.361179: | job 2 for 
#1: ikev2_inI2outR2 KE (compute dh (V2)): calling continuation function 0x559d3e81efe7 Oct 31 15:25:02.361182: | ikev2_ike_sa_process_auth_request_no_skeyid_continue() for #1 STATE_PARENT_R1: calculating g^{xy}, sending R2 Oct 31 15:25:02.361186: | DH secret MODP2048@0x7f2cd8006ba8: transferring ownership from helper IKEv2 DH to state #1 Oct 31 15:25:02.361189: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:25:02.361192: | already have all fragments, skipping fragment collection Oct 31 15:25:02.361194: | already have all fragments, skipping fragment collection Oct 31 15:25:02.361216: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Oct 31 15:25:02.361224: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Oct 31 15:25:02.361230: | **parse IKEv2 Identification - Initiator - Payload: Oct 31 15:25:02.361233: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Oct 31 15:25:02.361238: | flags: none (0x0) Oct 31 15:25:02.361243: | length: 13 (00 0d) Oct 31 15:25:02.361245: | ID type: ID_FQDN (0x2) Oct 31 15:25:02.361248: | reserved: 00 00 00 Oct 31 15:25:02.361251: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Oct 31 15:25:02.361253: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Oct 31 15:25:02.361257: | **parse IKEv2 Identification - Responder - Payload: Oct 31 15:25:02.361259: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Oct 31 15:25:02.361261: | flags: none (0x0) Oct 31 15:25:02.361264: | length: 12 (00 0c) Oct 31 15:25:02.361267: | ID type: ID_FQDN (0x2) Oct 31 15:25:02.361270: | reserved: 00 00 00 Oct 31 15:25:02.361272: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Oct 31 15:25:02.361274: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Oct 31 15:25:02.361277: | **parse IKEv2 Authentication Payload: Oct 31 15:25:02.361279: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:25:02.361282: | flags: none (0x0) Oct 31 15:25:02.361285: | length: 350 (01 5e) Oct 31 15:25:02.361287: | auth method: IKEv2_AUTH_DIGSIG (0xe) Oct 31 15:25:02.361290: | 
processing payload: ISAKMP_NEXT_v2AUTH (len=342) Oct 31 15:25:02.361292: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:25:02.361295: | **parse IKEv2 Security Association Payload: Oct 31 15:25:02.361298: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:25:02.361300: | flags: none (0x0) Oct 31 15:25:02.361303: | length: 164 (00 a4) Oct 31 15:25:02.361305: | processing payload: ISAKMP_NEXT_v2SA (len=160) Oct 31 15:25:02.361307: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:25:02.361310: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:02.361312: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:25:02.361314: | flags: none (0x0) Oct 31 15:25:02.361317: | length: 24 (00 18) Oct 31 15:25:02.361320: | number of TS: 1 (01) Oct 31 15:25:02.361323: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:25:02.361325: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:25:02.361328: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:02.361330: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.361333: | flags: none (0x0) Oct 31 15:25:02.361336: | length: 24 (00 18) Oct 31 15:25:02.361338: | number of TS: 1 (01) Oct 31 15:25:02.361341: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:25:02.361344: | selected state microcode Responder: process IKE_AUTH request Oct 31 15:25:02.361351: | Message ID: IKE #1 responder starting message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 ike.wip.responder=-1->1 Oct 31 15:25:02.361354: | calling processor Responder: process IKE_AUTH request Oct 31 15:25:02.361364: "north-east"[1] 192.1.3.33 #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Oct 31 15:25:02.361367: | no certs to decode Oct 31 15:25:02.361373: | #1 updating local interface from 
192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:25:02.361377: | received IDr payload - extracting our alleged ID Oct 31 15:25:02.361382: | refine_host_connection for IKEv2: starting with "north-east"[1] 192.1.3.33 Oct 31 15:25:02.361386: | match_id a=@north Oct 31 15:25:02.361389: | b=@north Oct 31 15:25:02.361391: | results matched Oct 31 15:25:02.361397: | refine_host_connection: checking "north-east"[1] 192.1.3.33 against "north-east"[1] 192.1.3.33, best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Oct 31 15:25:02.361400: | warning: not switching back to template of current instance Oct 31 15:25:02.361403: | peer expects us to be @east (ID_FQDN) according to its IDr payload Oct 31 15:25:02.361405: | this connection's local id is @east (ID_FQDN) Oct 31 15:25:02.361411: | refine_host_connection: checked "north-east"[1] 192.1.3.33 against "north-east"[1] 192.1.3.33, now for see if best Oct 31 15:25:02.361422: | get_connection_private_key() using CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 to find private key for @east->@north of kind RSA Oct 31 15:25:02.361553: | loaded private key matching CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 Oct 31 15:25:02.361836: | copying key using reference slot Oct 31 15:25:02.363999: | certs and keys locked by 'lsw_add_rsa_secret' Oct 31 15:25:02.364009: | certs and keys unlocked by 'lsw_add_rsa_secret' Oct 31 15:25:02.364023: "north-east"[1] 192.1.3.33 #1: reloaded private key matching right CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 Oct 31 15:25:02.364027: | connection north-east's RSA private key found in NSS DB using CKAID Oct 31 15:25:02.364029: | returning because exact peer id match Oct 31 15:25:02.364033: | offered CA: '%none' Oct 31 15:25:02.364038: "north-east"[1] 192.1.3.33 #1: IKEv2 mode peer ID is ID_FQDN: '@north' Oct 31 15:25:02.364072: | verifying AUTH payload Oct 31 15:25:02.364078: | looking for ASN.1 blob for method rsasig for hash_algo SHA2_512 
Oct 31 15:25:02.364081: | parsing 68 raw bytes of IKEv2 Authentication Payload into ASN.1 blob for hash algo Oct 31 15:25:02.364084: | ASN.1 blob for hash algo Oct 31 15:25:02.364087: | 43 30 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 Oct 31 15:25:02.364089: | a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 Oct 31 15:25:02.364091: | 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 Oct 31 15:25:02.364093: | 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 a2 Oct 31 15:25:02.364095: | 03 02 01 40 Oct 31 15:25:02.364103: | #1 spent 2.7 (2.74) milliseconds Oct 31 15:25:02.364121: | required RSA CA is '%any' Oct 31 15:25:02.364126: | trying all remote certificates public keys for RSA key that matches ID: @north Oct 31 15:25:02.364129: | trying all preloaded keys public keys for RSA key that matches ID: @north Oct 31 15:25:02.364132: | skipping '@east' with wrong ID Oct 31 15:25:02.364135: | trying '@north' issued by CA '%any' Oct 31 15:25:02.364139: | NSS RSA: verifying that decrypted signature matches hash: Oct 31 15:25:02.364141: | 50 9b e3 8e 88 0a 55 ec 14 ab d4 20 83 5f 57 c6 Oct 31 15:25:02.364144: | d2 56 c5 e4 40 0c 39 de 11 48 37 19 40 98 1c 3f Oct 31 15:25:02.364146: | ce c2 36 33 88 5c ff 54 9b 6d 71 0c 3b a1 56 84 Oct 31 15:25:02.364148: | 8a 14 1f 59 58 38 f1 37 00 5b f9 31 7d 75 67 2e Oct 31 15:25:02.364219: | delref pkp@NULL (in try_RSA_signature_v2() at ikev2_rsa.c:170) Oct 31 15:25:02.364228: | addref pk@0x559d3fb43f68(1->2) (in try_RSA_signature_v2() at ikev2_rsa.c:171) Oct 31 15:25:02.364231: | an RSA Sig check passed with *AQPl33O2P [preloaded keys] Oct 31 15:25:02.364239: | #1 spent 0.094 (0.0967) milliseconds in try_all_keys() trying a pubkey Oct 31 15:25:02.364244: "north-east"[1] 192.1.3.33 #1: authenticated using RSA with SHA2_512 Oct 31 15:25:02.364250: | #1 spent 0.146 (0.148) milliseconds in ikev2_verify_rsa_hash() Oct 31 15:25:02.364272: | emit hash algo NEGOTIATE_AUTH_HASH_SHA2_512 Oct 31 15:25:02.364291: | get_connection_private_key() using 
CKAID 61559973d3acef7d3a370e3e82ad92c18a8225f1 to find private key for @east->@north of kind RSA Oct 31 15:25:02.364296: | trying secret PKK_RSA:AQO9bJbr3 Oct 31 15:25:02.364299: | matched Oct 31 15:25:02.364301: | secrets entry for ckaid already exists Oct 31 15:25:02.364303: | connection north-east's RSA private key found in NSS DB using CKAID Oct 31 15:25:02.364310: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:02.364313: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:02.364316: | newref clone logger@0x559d3fb41e68(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:02.364319: | job 3 for #1: computing responder signature (signature): adding job to queue Oct 31 15:25:02.364322: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:02.364327: | libevent_free: delref ptr-libevent@0x7f2cd8006108 Oct 31 15:25:02.364330: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb41ed8 Oct 31 15:25:02.364338: | #1 STATE_PARENT_R1: retransmits: cleared Oct 31 15:25:02.364341: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb3fe28 Oct 31 15:25:02.364344: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:25:02.364347: | libevent_malloc: newref ptr-libevent@0x559d3fb3f848 size 128 Oct 31 15:25:02.364357: | ikev2_parent_inI2outR2_continue_tail returned STF_SUSPEND Oct 31 15:25:02.364364: | #1 spent 2.96 (3) milliseconds in processing: Responder: process IKE_AUTH request in v2_dispatch() Oct 31 15:25:02.364372: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.364378: | #1 complete_v2_state_transition() PARENT_R1->ESTABLISHED_CHILD_SA with status STF_SUSPEND; .st_v2_transition=PARENT_R0->PARENT_R1 Oct 31 15:25:02.364379: | job 3 for #1: computing responder signature (signature): helper 3 starting job Oct 31 15:25:02.364381: | suspending state #1 and saving MD 0x559d3fb444d8 Oct 31 
15:25:02.364396: | addref md@0x559d3fb444d8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:02.364399: | #1 is busy; has suspended MD 0x559d3fb444d8 Oct 31 15:25:02.364403: | delref logger@0x559d3fb302d8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:02.364405: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.364407: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:02.364410: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:25:02.364414: | delref mdp@0x559d3fb444d8(2->1) (in resume_handler() at server.c:743) Oct 31 15:25:02.364419: | #1 spent 3.2 (3.24) milliseconds in resume sending helper answer back to state Oct 31 15:25:02.364425: | stop processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:02.364428: | libevent_free: delref ptr-libevent@0x7f2cd000b578 Oct 31 15:25:02.364388: | hash to sign Oct 31 15:25:02.364441: | 9e 03 8a 9e f7 ad ac ea cf 45 0d 60 86 23 3b 52 Oct 31 15:25:02.364444: | b6 48 9b c5 c1 08 e8 54 22 3c f1 6f e7 2b 3c 86 Oct 31 15:25:02.364446: | 97 52 da 17 24 0f 24 f1 0b c8 dd c0 82 83 fc 5e Oct 31 15:25:02.364448: | 1a a9 91 db df 54 80 2d 32 20 b3 22 14 03 be 44 Oct 31 15:25:02.364452: | RSA_sign_hash: Started using NSS Oct 31 15:25:02.382123: | RSA_sign_hash: Ended using NSS Oct 31 15:25:02.382147: | "north-east"[1] 192.1.3.33 #1: spent 7.73 (17.7) milliseconds in v2_auth_signature() calling sign_hash() Oct 31 15:25:02.382154: | "north-east"[1] 192.1.3.33 #1: spent 7.76 (17.8) milliseconds in v2_auth_signature() Oct 31 15:25:02.382160: | "north-east"[1] 192.1.3.33 #1: spent 7.77 (17.8) milliseconds in helper 3 processing job 3 for state #1: computing responder signature (signature) Oct 31 15:25:02.382163: | job 3 for #1: computing responder signature (signature): helper thread 3 sending result back to state Oct 31 15:25:02.382167: | 
scheduling resume sending helper answer back to state for #1 Oct 31 15:25:02.382171: | libevent_malloc: newref ptr-libevent@0x7f2cd4000d38 size 128 Oct 31 15:25:02.382197: | processing resume sending helper answer back to state for #1 Oct 31 15:25:02.382216: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:02.382221: | unsuspending #1 MD 0x559d3fb444d8 Oct 31 15:25:02.382224: | job 3 for #1: computing responder signature (signature): processing response from helper 3 Oct 31 15:25:02.382227: | job 3 for #1: computing responder signature (signature): calling continuation function 0x559d3e74d77f Oct 31 15:25:02.382231: | parent state #1: PARENT_R1(half-open IKE SA) => ESTABLISHED_IKE_SA(established IKE SA) Oct 31 15:25:02.382235: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:25:02.382238: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:02.382242: | libevent_free: delref ptr-libevent@0x559d3fb3f848 Oct 31 15:25:02.382248: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x559d3fb3fe28 Oct 31 15:25:02.382252: | event_schedule: newref EVENT_SA_REKEY-pe@0x559d3fb3fe28 Oct 31 15:25:02.382254: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Oct 31 15:25:02.382257: | libevent_malloc: newref ptr-libevent@0x7f2cd000b578 size 128 Oct 31 15:25:02.382523: | pstats #1 ikev2.ike established Oct 31 15:25:02.382532: | opening output PBS reply packet Oct 31 15:25:02.382536: | **emit ISAKMP Message: Oct 31 15:25:02.382541: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:02.382544: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:02.382547: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:02.382550: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:02.382552: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:25:02.382555: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) 
Oct 31 15:25:02.382559: | Message ID: 1 (00 00 00 01) Oct 31 15:25:02.382562: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:02.382565: | IKEv2 CERT: send a certificate? Oct 31 15:25:02.382567: | IKEv2 CERT: no certificate to send Oct 31 15:25:02.382570: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:02.382572: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.382574: | flags: none (0x0) Oct 31 15:25:02.382577: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:02.382580: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.382583: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:02.382596: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:25:02.382599: | ****emit IKEv2 Identification - Responder - Payload: Oct 31 15:25:02.382602: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.382604: | flags: none (0x0) Oct 31 15:25:02.382606: | ID type: ID_FQDN (0x2) Oct 31 15:25:02.382609: | reserved: 00 00 00 Oct 31 15:25:02.382612: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Oct 31 15:25:02.382614: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.382617: | emitting 4 raw bytes of my identity into IKEv2 Identification - Responder - Payload Oct 31 15:25:02.382620: | my identity: 65 61 73 74 Oct 31 15:25:02.382623: | emitting length of IKEv2 Identification - Responder - Payload: 12 Oct 31 15:25:02.382625: | added IDr payload to packet Oct 31 15:25:02.382627: | CHILD SA proposals received Oct 31 15:25:02.382629: | going to assemble AUTH payload Oct 31 15:25:02.382632: | ****emit IKEv2 
Authentication Payload: Oct 31 15:25:02.382634: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.382636: | flags: none (0x0) Oct 31 15:25:02.382639: | auth method: IKEv2_AUTH_DIGSIG (0xe) Oct 31 15:25:02.382641: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Oct 31 15:25:02.382643: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.382646: | emit hash algo NEGOTIATE_AUTH_HASH_SHA2_512 Oct 31 15:25:02.382649: | emitting 68 raw bytes of OID of ASN.1 Algorithm Identifier into IKEv2 Authentication Payload Oct 31 15:25:02.382651: | OID of ASN.1 Algorithm Identifier: Oct 31 15:25:02.382653: | 43 30 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 Oct 31 15:25:02.382656: | a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 Oct 31 15:25:02.382658: | 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 Oct 31 15:25:02.382660: | 30 0d 06 09 60 86 48 01 65 03 04 02 03 05 00 a2 Oct 31 15:25:02.382664: | 03 02 01 40 Oct 31 15:25:02.382667: | emitting 274 raw bytes of signature into IKEv2 Authentication Payload Oct 31 15:25:02.382669: | signature:
Oct 31 15:25:02.382708: | emitting length of IKEv2 Authentication Payload: 350 Oct 31 15:25:02.382715: | newref alloc logger@0x559d3fb302d8(0->1) (in new_state() at state.c:576) Oct 31 15:25:02.382718: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:25:02.382721: | creating state object #2 at 0x559d3fb4c758 Oct 31 15:25:02.382724: | State DB: adding IKEv2 state #2 in UNDEFINED Oct 31 15:25:02.382732: | pstats #2 ikev2.child started Oct 31 15:25:02.382737: | duplicating state object #1 "north-east"[1] 192.1.3.33 as #2 for IPSEC SA Oct 31 15:25:02.382743: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:25:02.382753: | Message ID: CHILD #1.#2 initializing (CHILD SA): ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:25:02.382757: | child state #2: UNDEFINED(ignore) => V2_IKE_AUTH_CHILD_R0(ignore) Oct 31 15:25:02.382762: | #2.st_v2_transition NULL -> NULL (in new_v2_child_state() at state.c:1666) Oct 31 15:25:02.382768: | Message ID: IKE #1 switching from IKE SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 ike.wip.initiator=-1 
ike.wip.responder=1->-1 Oct 31 15:25:02.382774: | Message ID: CHILD #1.#2 switching to CHILD SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744576.776043 child.wip.initiator=-1 child.wip.responder=-1->1 Oct 31 15:25:02.382779: | switching IKEv2 MD.ST from IKE #1 ESTABLISHED_IKE_SA to CHILD #2 V2_IKE_AUTH_CHILD_R0 (in ike_auth_child_responder() at ikev2_parent.c:3282) Oct 31 15:25:02.382782: | Child SA TS Request has child->sa == md->st; so using child connection Oct 31 15:25:02.382785: | TSi: parsing 1 traffic selectors Oct 31 15:25:02.382788: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:02.382791: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:02.382794: | IP Protocol ID: ALL (0x0) Oct 31 15:25:02.382797: | length: 16 (00 10) Oct 31 15:25:02.382800: | start port: 0 (00 00) Oct 31 15:25:02.382804: | end port: 65535 (ff ff) Oct 31 15:25:02.382806: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:02.382811: | TS low Oct 31 15:25:02.382813: | c0 00 03 fe Oct 31 15:25:02.382816: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:02.382818: | TS high Oct 31 15:25:02.382820: | c0 00 03 fe Oct 31 15:25:02.382822: | TSi: parsed 1 traffic selectors Oct 31 15:25:02.382825: | TSr: parsing 1 traffic selectors Oct 31 15:25:02.382827: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:02.382830: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:02.382832: | IP Protocol ID: ALL (0x0) Oct 31 15:25:02.382835: | length: 16 (00 10) Oct 31 15:25:02.382838: | start port: 0 (00 00) Oct 31 15:25:02.382841: | end port: 65535 (ff ff) Oct 31 15:25:02.382844: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:02.382846: | TS low Oct 31 15:25:02.382848: | c0 00 02 00 Oct 31 15:25:02.382851: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:02.382853: | 
TS high Oct 31 15:25:02.382855: | c0 00 02 ff Oct 31 15:25:02.382857: | TSr: parsed 1 traffic selectors Oct 31 15:25:02.382859: | looking for best SPD in current connection Oct 31 15:25:02.382868: | evaluating our conn="north-east"[1] 192.1.3.33 I=192.0.3.254/32:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:02.382873: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.382882: | match address end->client=192.0.3.254/32 <= TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Oct 31 15:25:02.382886: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Oct 31 15:25:02.382888: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:02.382891: | narrow protocol end=*0 <= TSi[0]=*0: 0 Oct 31 15:25:02.382894: | match end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.382899: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.382906: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:02.382909: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Oct 31 15:25:02.382912: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:02.382914: | narrow protocol end=*0 <= TSr[0]=*0: 0 Oct 31 15:25:02.382917: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.382919: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:02.382922: | found better spd route for TSi[0],TSr[0] Oct 31 15:25:02.382924: | looking for better host pair Oct 31 15:25:02.382930: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:02.382935: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.254/32:0 is found Oct 31 15:25:02.382938: | investigating connection "north-east" as a better match Oct 31 15:25:02.382941: | match_id a=@north Oct 31 15:25:02.382944: | b=@north Oct 31 15:25:02.382947: | results matched Oct 31 15:25:02.382953: | evaluating our conn="north-east"[1] 192.1.3.33 I=192.0.3.254/32:0:0/0 
R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:02.382958: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.382965: | match address end->client=192.0.3.254/32 <= TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Oct 31 15:25:02.382968: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Oct 31 15:25:02.382970: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:02.382973: | narrow protocol end=*0 <= TSi[0]=*0: 0 Oct 31 15:25:02.382975: | match end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.382980: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.382987: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:02.382990: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Oct 31 15:25:02.382992: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:02.382995: | narrow protocol end=*0 <= TSr[0]=*0: 0 Oct 31 15:25:02.382999: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.383002: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:02.383004: | investigating connection "north-east" as a better match Oct 31 15:25:02.383007: | match_id a=@north Oct 31 15:25:02.383009: | b=@north Oct 31 15:25:02.383011: | results matched Oct 31 15:25:02.383018: | evaluating our conn="north-east" I=192.0.3.254/32:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:02.383023: | TSi[0] .net=192.0.3.254-192.0.3.254 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.383029: | match address end->client=192.0.3.254/32 <= TSi[0]net=192.0.3.254-192.0.3.254: YES fitness 32 Oct 31 15:25:02.383032: | narrow port end=0..65535 <= TSi[0]=0..65535: 0 Oct 31 15:25:02.383034: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:02.383037: | narrow protocol end=*0 <= TSi[0]=*0: 0 Oct 31 15:25:02.383039: | match end->protocol=*0 <= TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.383044: | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:02.383051: | match address end->client=192.0.2.0/24 <= TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:02.383054: | narrow port end=0..65535 <= TSr[0]=0..65535: 0 Oct 31 15:25:02.383056: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:02.383059: | narrow protocol end=*0 <= TSr[0]=*0: 0 Oct 31 15:25:02.383061: | match end->protocol=*0 <= TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:02.383063: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:02.383066: | did not find a better connection using host pair Oct 31 15:25:02.383069: | printing contents struct traffic_selector Oct 31 15:25:02.383071: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:02.383073: | ipprotoid: 0 Oct 31 15:25:02.383076: | port range: 0-65535 Oct 31 15:25:02.383080: | ip range: 192.0.2.0-192.0.2.255 Oct 31 15:25:02.383082: | printing contents struct traffic_selector Oct 31 15:25:02.383084: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:02.383087: | ipprotoid: 0 Oct 31 15:25:02.383089: | port range: 0-65535 Oct 31 15:25:02.383093: | ip range: 192.0.3.254-192.0.3.254 Oct 31 15:25:02.383098: | constructing ESP/AH proposals with all DH removed for north-east (IKE_AUTH responder matching remote ESP/AH proposals) Oct 31 15:25:02.383106: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Oct 31 15:25:02.383113: | ... ikev2_proposal: 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:25:02.383117: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Oct 31 15:25:02.383121: | ... ikev2_proposal: 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:25:02.383125: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:02.383129: | ... ikev2_proposal: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:02.383132: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:02.383136: | ... 
ikev2_proposal: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:02.383141: "north-east"[1] 192.1.3.33: local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals): Oct 31 15:25:02.383147: "north-east"[1] 192.1.3.33: 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:25:02.383152: "north-east"[1] 192.1.3.33: 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:25:02.383158: "north-east"[1] 192.1.3.33: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:02.383163: "north-east"[1] 192.1.3.33: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:02.383166: | comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Oct 31 15:25:02.383170: | local proposal 1 type ENCR has 1 transforms Oct 31 15:25:02.383172: | local proposal 1 type PRF has 0 transforms Oct 31 15:25:02.383175: | local proposal 1 type INTEG has 1 transforms Oct 31 15:25:02.383179: | local proposal 1 type DH has 1 transforms Oct 31 15:25:02.383181: | local proposal 1 type ESN has 1 transforms Oct 31 15:25:02.383185: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:25:02.383187: | local proposal 2 type ENCR has 1 transforms Oct 31 15:25:02.383190: | local proposal 2 type PRF has 0 transforms Oct 31 15:25:02.383193: | local proposal 2 type INTEG has 1 transforms Oct 31 15:25:02.383195: | local proposal 2 type DH has 1 transforms Oct 31 15:25:02.383197: | local proposal 2 type ESN has 1 transforms Oct 31 15:25:02.383244: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:25:02.383248: | local proposal 3 type ENCR has 1 transforms Oct 31 15:25:02.383250: | local proposal 3 type PRF has 0 transforms Oct 31 15:25:02.383252: | local proposal 3 type INTEG has 2 transforms Oct 31 15:25:02.383255: | local proposal 3 type DH has 1 transforms Oct 31 15:25:02.383257: | local proposal 3 type ESN has 1 transforms Oct 
31 15:25:02.383260: | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:25:02.383262: | local proposal 4 type ENCR has 1 transforms Oct 31 15:25:02.383265: | local proposal 4 type PRF has 0 transforms Oct 31 15:25:02.383268: | local proposal 4 type INTEG has 2 transforms Oct 31 15:25:02.383270: | local proposal 4 type DH has 1 transforms Oct 31 15:25:02.383272: | local proposal 4 type ESN has 1 transforms Oct 31 15:25:02.383275: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:25:02.383279: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.383281: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.383285: | length: 32 (00 20) Oct 31 15:25:02.383287: | prop #: 1 (01) Oct 31 15:25:02.383290: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:02.383293: | spi size: 4 (04) Oct 31 15:25:02.383296: | # transforms: 2 (02) Oct 31 15:25:02.383299: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:02.383302: | remote SPI Oct 31 15:25:02.383304: | 7b 6d f8 99 Oct 31 15:25:02.383307: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:25:02.383310: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383313: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383316: | length: 12 (00 0c) Oct 31 15:25:02.383318: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.383321: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:02.383323: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.383326: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.383329: | length/value: 256 (01 00) Oct 31 15:25:02.383334: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:25:02.383337: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383340: | last transform: v2_TRANSFORM_LAST (0x0) Oct 
31 15:25:02.383343: | length: 8 (00 08) Oct 31 15:25:02.383345: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:02.383348: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:02.383351: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:25:02.383354: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Oct 31 15:25:02.383357: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Oct 31 15:25:02.383360: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Oct 31 15:25:02.383363: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Oct 31 15:25:02.383368: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Oct 31 15:25:02.383370: | remote proposal 1 matches local proposal 1 Oct 31 15:25:02.383376: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.383379: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.383382: | length: 32 (00 20) Oct 31 15:25:02.383385: | prop #: 2 (02) Oct 31 15:25:02.383387: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:02.383389: | spi size: 4 (04) Oct 31 15:25:02.383392: | # transforms: 2 (02) Oct 31 15:25:02.383395: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:02.383397: | remote SPI Oct 31 15:25:02.383399: | 7b 6d f8 99 Oct 31 15:25:02.383402: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.383405: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383407: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383410: | length: 12 (00 0c) Oct 31 15:25:02.383413: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.383415: | IKEv2 transform ID: AES_GCM_C 
(0x14) Oct 31 15:25:02.383418: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.383420: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.383423: | length/value: 128 (00 80) Oct 31 15:25:02.383426: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383428: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.383431: | length: 8 (00 08) Oct 31 15:25:02.383434: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:02.383436: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:02.383440: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Oct 31 15:25:02.383442: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Oct 31 15:25:02.383445: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.383448: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:02.383451: | length: 48 (00 30) Oct 31 15:25:02.383454: | prop #: 3 (03) Oct 31 15:25:02.383456: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:02.383459: | spi size: 4 (04) Oct 31 15:25:02.383461: | # transforms: 4 (04) Oct 31 15:25:02.383464: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:02.383466: | remote SPI Oct 31 15:25:02.383469: | 7b 6d f8 99 Oct 31 15:25:02.383471: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.383474: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383476: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383479: | length: 12 (00 0c) Oct 31 15:25:02.383482: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.383484: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:02.383487: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.383489: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.383492: | length/value: 256 (01 00) Oct 31 15:25:02.383495: | ****parse IKEv2 Transform Substructure Payload: Oct 31 
15:25:02.383498: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383500: | length: 8 (00 08) Oct 31 15:25:02.383503: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.383505: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:02.383508: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383510: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383513: | length: 8 (00 08) Oct 31 15:25:02.383516: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.383518: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:02.383521: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383524: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.383527: | length: 8 (00 08) Oct 31 15:25:02.383529: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:02.383531: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:02.383535: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:25:02.383539: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:25:02.383542: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.383545: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:02.383548: | length: 48 (00 30) Oct 31 15:25:02.383551: | prop #: 4 (04) Oct 31 15:25:02.383553: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:02.383556: | spi size: 4 (04) Oct 31 15:25:02.383559: | # transforms: 4 (04) Oct 31 15:25:02.383562: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:02.383564: | remote SPI Oct 31 15:25:02.383566: | 7b 6d f8 99 Oct 31 15:25:02.383568: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:02.383571: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383573: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383576: | length: 12 (00 0c) 
Oct 31 15:25:02.383579: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.383581: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:02.383583: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.383586: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:02.383589: | length/value: 128 (00 80) Oct 31 15:25:02.383593: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383595: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383598: | length: 8 (00 08) Oct 31 15:25:02.383600: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.383603: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:02.383606: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383608: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383611: | length: 8 (00 08) Oct 31 15:25:02.383613: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:02.383615: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:02.383618: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383620: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.383623: | length: 8 (00 08) Oct 31 15:25:02.383626: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:02.383629: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:02.383632: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:25:02.383635: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:25:02.383643: "north-east"[1] 192.1.3.33 #2: proposal 1:ESP=AES_GCM_C_256-DISABLED SPI=7b6df899 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Oct 31 15:25:02.383648: | IKE_AUTH responder matching remote ESP/AH 
proposals ikev2_proposal: 1:ESP=AES_GCM_C_256-DISABLED SPI=7b6df899 Oct 31 15:25:02.383650: | converting proposal to internal trans attrs Oct 31 15:25:02.383672: | netlink_get_spi: allocated 0xf138d22c for esp.0@192.1.2.23 Oct 31 15:25:02.383676: | emitting ikev2_proposal ... Oct 31 15:25:02.383679: | ****emit IKEv2 Security Association Payload: Oct 31 15:25:02.383681: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.383684: | flags: none (0x0) Oct 31 15:25:02.383687: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:25:02.383689: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.383694: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:25:02.383696: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:02.383700: | prop #: 1 (01) Oct 31 15:25:02.383702: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:02.383706: | spi size: 4 (04) Oct 31 15:25:02.383709: | # transforms: 2 (02) Oct 31 15:25:02.383712: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:25:02.383715: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:25:02.383718: | our spi: f1 38 d2 2c Oct 31 15:25:02.383721: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383724: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383726: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:02.383728: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:02.383731: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:02.383734: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:25:02.383737: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 
15:25:02.383740: | length/value: 256 (01 00) Oct 31 15:25:02.383743: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:25:02.383746: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:02.383748: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:02.383750: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:02.383753: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:02.383755: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:02.383758: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:02.383761: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:02.383763: | emitting length of IKEv2 Proposal Substructure Payload: 32 Oct 31 15:25:02.383766: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:25:02.383768: | emitting length of IKEv2 Security Association Payload: 36 Oct 31 15:25:02.383771: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:25:02.383774: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:02.383777: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.383779: | flags: none (0x0) Oct 31 15:25:02.383782: | number of TS: 1 (01) Oct 31 15:25:02.383785: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:25:02.383787: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.383790: | *****emit IKEv2 Traffic Selector: Oct 31 
15:25:02.383793: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:02.383795: | IP Protocol ID: ALL (0x0) Oct 31 15:25:02.383798: | start port: 0 (00 00) Oct 31 15:25:02.383801: | end port: 65535 (ff ff) Oct 31 15:25:02.383805: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:02.383809: | IP start: c0 00 03 fe Oct 31 15:25:02.383811: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:02.383814: | IP end: c0 00 03 fe Oct 31 15:25:02.383817: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:02.383819: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:25:02.383822: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:02.383825: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:02.383827: | flags: none (0x0) Oct 31 15:25:02.383830: | number of TS: 1 (01) Oct 31 15:25:02.383832: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:25:02.383837: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:02.383839: | *****emit IKEv2 Traffic Selector: Oct 31 15:25:02.383842: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:02.383844: | IP Protocol ID: ALL (0x0) Oct 31 15:25:02.383847: | start port: 0 (00 00) Oct 31 15:25:02.383850: | end port: 65535 (ff ff) Oct 31 15:25:02.383853: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:02.383856: | IP start: c0 00 02 00 Oct 31 15:25:02.383859: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:02.383862: | IP end: c0 00 02 ff Oct 31 15:25:02.383864: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:02.383866: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:25:02.383869: | initiator child policy is 
compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:25:02.383872: | integ=NONE: .key_size=0 encrypt=AES_GCM_16: .key_size=32 .salt_size=4 keymat_len=36 Oct 31 15:25:02.383952: | FOR_EACH_CONNECTION_... in IKE_SA_established Oct 31 15:25:02.383958: | install_ipsec_sa() for #2: inbound and outbound Oct 31 15:25:02.383962: | could_route called for north-east; kind=CK_INSTANCE that.has_client=yes oppo=no this.host_port=500 Oct 31 15:25:02.383964: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:25:02.383967: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:02.383970: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:02.383973: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:02.383975: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:02.383981: | route owner of "north-east"[1] 192.1.3.33 unrouted: "north-east" prospective erouted; eroute owner: "north-east" prospective erouted Oct 31 15:25:02.383986: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:02.383989: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:02.383992: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:02.383994: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:02.383998: | setting IPsec SA replay-window to 32 Oct 31 15:25:02.384001: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Oct 31 15:25:02.384004: | netlink: enabling tunnel mode Oct 31 15:25:02.384007: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:02.384009: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:02.384012: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:02.389906: | netlink response for Add SA esp.7b6df899@192.1.3.33 included non-error error Oct 31 15:25:02.389921: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=0 owner=#0 mode=1 Oct 31 15:25:02.389926: | set up outgoing SA, ref=0/0 Oct 31 15:25:02.389930: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:02.389934: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:02.389936: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:02.389939: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:02.389945: | setting IPsec SA replay-window to 32 Oct 31 15:25:02.389948: | NIC esp-hw-offload not for connection 'north-east' not available on interface eth1 Oct 31 15:25:02.389951: | netlink: enabling tunnel mode Oct 31 15:25:02.389954: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:02.389956: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:02.389959: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:02.390185: | netlink response for Add SA esp.f138d22c@192.1.2.23 included non-error error Oct 31 15:25:02.390192: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#0 mode=1 Oct 31 15:25:02.390195: | setup_half_ipsec_sa() is installing inbound eroute Oct 31 15:25:02.390207: | setup_half_ipsec_sa() before proto 50 Oct 31 15:25:02.390215: | setup_half_ipsec_sa() after proto 50 Oct 31 15:25:02.390218: | setup_half_ipsec_sa() calling raw_eroute backwards (i.e., inbound) Oct 31 15:25:02.390221: | priority calculation of connection "north-east" is 2084799 (0x1fcfbf) Oct 31 15:25:02.390230: | add inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:25:02.390235: | IPsec SA SPD priority set to 2084799 Oct 31 15:25:02.390438: | raw_eroute result=success Oct 31 15:25:02.390444: | set up incoming SA, ref=0/0 Oct 31 15:25:02.390447: | sr for #2: unrouted Oct 31 15:25:02.390450: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:25:02.390453: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:02.390456: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:02.390459: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:02.390462: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:02.390465: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:02.390471: | route owner of "north-east"[1] 192.1.3.33 unrouted: "north-east" prospective erouted; eroute owner: "north-east" prospective erouted Oct 31 15:25:02.390475: | route_and_eroute with c: north-east (next: none) ero:north-east esr:{0x559d3fb3d9a8} ro:north-east rosr:{0x559d3fb3d9a8} and state: #2 Oct 31 15:25:02.390478: | we are replacing an eroute Oct 31 15:25:02.390481: | priority calculation of connection "north-east" is 2084799 (0x1fcfbf) Oct 31 15:25:02.390492: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.254/32:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:25:02.390495: | IPsec SA SPD priority set to 2084799 Oct 31 15:25:02.390592: | raw_eroute result=success Oct 31 15:25:02.390598: | running updown command "ipsec _updown" for verb up Oct 31 15:25:02.390602: | command executing up-client Oct 31 15:25:02.390607: | get_sa_info esp.7b6df899@192.1.3.33 Oct 31 15:25:02.390618: | get_sa_info esp.f138d22c@192.1.2.23 Oct 31 15:25:02.390654: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' 
PLUTO_ADDTIME='1604157902' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUT... Oct 31 15:25:02.390659: | popen cmd is 1156 chars long Oct 31 15:25:02.390662: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_V: Oct 31 15:25:02.390665: | cmd( 80):IRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP=: Oct 31 15:25:02.390667: | cmd( 160):'192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.: Oct 31 15:25:02.390670: | cmd( 240):0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO: Oct 31 15:25:02.390672: | cmd( 320):_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PL: Oct 31 15:25:02.390675: | cmd( 400):UTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' : Oct 31 15:25:02.390677: | cmd( 480):PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLU: Oct 31 15:25:02.390679: | cmd( 560):TO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLU: Oct 31 15:25:02.390686: | cmd( 640):TO_ADDTIME='1604157902' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2: Oct 31 15:25:02.390689: | cmd( 720):_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND=: Oct 31 15:25:02.390691: | cmd( 800):'CK_INSTANCE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0: Oct 31 15:25:02.390693: | cmd( 880):' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CF: Oct 31 15:25:02.390695: | cmd( 960):G_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUT: Oct 31 15:25:02.390698: | 
cmd(1040):O_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7b6df899 S: Oct 31 15:25:02.390700: | cmd(1120):PI_OUT=0xf138d22c ipsec _updown 2>&1: Oct 31 15:25:02.390750: | helper thread 3 has nothing to do Oct 31 15:25:02.481306: | route_and_eroute: firewall_notified: true Oct 31 15:25:02.481329: | route_and_eroute: instance "north-east"[1] 192.1.3.33, setting eroute_owner {spd=0x559d3fb42968,sr=0x559d3fb42968} to #2 (was #0) (newest_ipsec_sa=#0) Oct 31 15:25:02.481676: | ISAKMP_v2_IKE_AUTH: instance north-east[1], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Oct 31 15:25:02.481683: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:02.481687: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:02.481691: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:02.481694: | emitting length of IKEv2 Encryption Payload: 475 Oct 31 15:25:02.481696: | emitting length of ISAKMP Message: 503 Oct 31 15:25:02.481718: | recording outgoing fragment failed Oct 31 15:25:02.481727: | delref logger@0x559d3fb41e68(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:02.481730: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.481733: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:02.481738: | XXX: resume sending helper answer back to state for #1 switched MD.ST to #2 Oct 31 15:25:02.481747: | suspend processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.481753: | start processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:02.481759: | #2 complete_v2_state_transition() in state V2_IKE_AUTH_CHILD_R0 PARENT_R1->ESTABLISHED_CHILD_SA with status STF_OK; .st_v2_transition=NULL Oct 31 15:25:02.481762: 
| transitioning from state STATE_PARENT_R1 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:02.481764: | Message ID: updating counters for #2 Oct 31 15:25:02.481774: | Message ID: CHILD #1.#2 updating responder received message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0 ike.responder.recv=0->1 ike.responder.last_contact=744576.776043->744576.914563 child.wip.initiator=-1 child.wip.responder=1->-1 Oct 31 15:25:02.481781: | Message ID: CHILD #1.#2 updating responder sent message response 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=0->1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:25:02.481788: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:02.481791: | child state #2: V2_IKE_AUTH_CHILD_R0(ignore) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:25:02.481795: | pstats #2 ikev2.child established Oct 31 15:25:02.481798: | announcing the state transition Oct 31 15:25:02.481808: "north-east"[1] 192.1.3.33 #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.254-192.0.3.254:0-65535 0] Oct 31 15:25:02.481818: | NAT-T: encaps is 'auto' Oct 31 15:25:02.481824: "north-east"[1] 192.1.3.33 #2: IPsec SA established tunnel mode {ESP=>0x7b6df899 <0xf138d22c xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Oct 31 15:25:02.481831: | sending 503 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1)
Oct 31 15:25:02.481941: | sent 1 messages Oct 31 15:25:02.481946: | releasing #2's fd-fd@(nil) because IKEv2 transitions finished Oct 31 15:25:02.481949: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:02.481952: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:02.481954: | unpending #2's IKE SA #1 Oct 31 15:25:02.481958: | unpending state #1 connection "north-east"[1] 192.1.3.33 Oct 31 15:25:02.481961: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:25:02.481964: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:02.481966: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:02.481969: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:25:02.481972: | state #2 has no .st_event to delete Oct 31 15:25:02.481976: | event_schedule: newref EVENT_SA_REKEY-pe@0x559d3fb41e68 Oct 31 15:25:02.481979: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Oct 31 15:25:02.481983: | libevent_malloc: newref ptr-libevent@0x559d3fb49bd8 size 128 Oct 31 15:25:02.481989: | delref mdp@0x559d3fb444d8(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:02.481994: | delref logger@0x559d3fb3d028(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:02.481997: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:02.481999: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:02.482010: | #1 spent 2.51 (99.8) milliseconds in resume sending helper answer back to state Oct 31 15:25:02.482017: | stop processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:02.482022: | libevent_free:
delref ptr-libevent@0x7f2cd4000d38 Oct 31 15:25:02.482034: | processing signal PLUTO_SIGCHLD Oct 31 15:25:02.482040: | waitpid returned ECHILD (no child processes left) Oct 31 15:25:02.482045: | spent 0.00516 (0.00506) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:03.787518: | newref struct fd@0x559d3fb49ae8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:03.787537: | fd_accept: new fd-fd@0x559d3fb49ae8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:03.787550: | whack: status Oct 31 15:25:03.787894: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:03.787901: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:03.788030: | FOR_EACH_STATE_... in show_states (sort_states) Oct 31 15:25:03.788036: | FOR_EACH_STATE_... in sort_states Oct 31 15:25:03.788058: | get_sa_info esp.f138d22c@192.1.2.23 Oct 31 15:25:03.788077: | get_sa_info esp.7b6df899@192.1.3.33 Oct 31 15:25:03.788100: | delref fd@0x559d3fb49ae8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:03.788107: | freeref fd-fd@0x559d3fb49ae8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:03.788116: | spent 0.487 (0.612) milliseconds in whack Oct 31 15:25:05.145555: | newref struct fd@0x559d3fb49ae8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:05.145581: | fd_accept: new fd-fd@0x559d3fb49ae8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:05.145596: shutting down Oct 31 15:25:05.145607: | leaking fd-fd@0x559d3fb49ae8's FD; will be closed when pluto exits (in whack_handle_cb() at rcv_whack.c:889) Oct 31 15:25:05.145611: | delref fd@0x559d3fb49ae8(1->0) (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:25:05.145615: | freeref fd-fd@0x559d3fb49ae8 (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:25:05.145629: | shutting down helper thread 5 Oct 31 15:25:05.145642: | helper thread 5 exited Oct 31 15:25:05.145661: | shutting down helper thread 6 Oct 31 15:25:05.145675: | helper thread 6 exited Oct 31 
15:25:05.145686: | shutting down helper thread 4 Oct 31 15:25:05.145694: | helper thread 4 exited Oct 31 15:25:05.145704: | shutting down helper thread 7 Oct 31 15:25:05.145714: | helper thread 7 exited Oct 31 15:25:05.145723: | shutting down helper thread 1 Oct 31 15:25:05.145731: | helper thread 1 exited Oct 31 15:25:05.145744: | shutting down helper thread 2 Oct 31 15:25:05.145758: | helper thread 2 exited Oct 31 15:25:05.145768: | shutting down helper thread 3 Oct 31 15:25:05.145775: | helper thread 3 exited Oct 31 15:25:05.145779: 7 helper threads shutdown Oct 31 15:25:05.145782: | delref root_certs@NULL (in free_root_certs() at root_certs.c:127) Oct 31 15:25:05.145786: | certs and keys locked by 'free_preshared_secrets' Oct 31 15:25:05.145788: forgetting secrets Oct 31 15:25:05.145805: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:25:05.145811: | delref pkp@0x559d3fb43008(1->0) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:25:05.145815: | delref pkp@0x559d3fb43f68(2->1) (in free_public_keyentry() at secrets.c:1591) Oct 31 15:25:05.145824: "north-east"[1] 192.1.3.33: deleting connection instance with peer 192.1.3.33 {isakmp=#1/ipsec=#2} Oct 31 15:25:05.145828: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:25:05.145831: | pass 0 Oct 31 15:25:05.145833: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Oct 31 15:25:05.145836: | state #2 Oct 31 15:25:05.145844: | start processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:25:05.145850: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:25:05.145852: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:25:05.145854: | pstats #2 ikev2.child deleted completed Oct 31 15:25:05.145857: | #2 main thread spent 0 (0) milliseconds helper thread spent 0 (0) milliseconds in total Oct 31 15:25:05.145862: | [RE]START processing: state #2 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in delete_state() at state.c:935) Oct 31 15:25:05.145868: | should_send_delete: yes Oct 31 15:25:05.145876: "north-east"[1] 192.1.3.33 #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 2.763158s and sending notification Oct 31 15:25:05.145880: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:25:05.145886: | get_sa_info esp.7b6df899@192.1.3.33 Oct 31 15:25:05.145906: | get_sa_info esp.f138d22c@192.1.2.23 Oct 31 15:25:05.145916: "north-east"[1] 192.1.3.33 #2: ESP traffic information: in=84B out=84B Oct 31 15:25:05.145920: | unsuspending #2 MD (nil) Oct 31 15:25:05.145922: | should_send_delete: yes Oct 31 15:25:05.145926: | #2 send IKEv2 delete notification for STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:05.145929: | opening output PBS informational exchange delete request Oct 31 15:25:05.145933: | **emit ISAKMP Message: Oct 31 15:25:05.145939: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:05.145943: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:05.145946: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:05.145949: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:05.145951: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 
15:25:05.145954: | flags: none (0x0) Oct 31 15:25:05.145958: | Message ID: 0 (00 00 00 00) Oct 31 15:25:05.145961: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:05.145964: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:05.145967: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:05.145969: | flags: none (0x0) Oct 31 15:25:05.145971: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:05.145974: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:05.145976: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:05.145983: | ****emit IKEv2 Delete Payload: Oct 31 15:25:05.145985: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:05.145986: | flags: none (0x0) Oct 31 15:25:05.145988: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:05.145990: | SPI size: 4 (04) Oct 31 15:25:05.145992: | number of SPIs: 1 (00 01) Oct 31 15:25:05.145994: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:25:05.145995: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:05.145997: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Oct 31 15:25:05.145999: | local spis: f1 38 d2 2c Oct 31 15:25:05.146000: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:25:05.146002: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:05.146004: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:05.146005: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:05.146007: | emitting length of IKEv2 Encryption Payload: 41 Oct 
31 15:25:05.146008: | emitting length of ISAKMP Message: 69 Oct 31 15:25:05.146024: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31 15:25:05.146028: | c0 ab 5f b0 46 3d 51 5a b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:05.146029: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Oct 31 15:25:05.146031: | 4a 26 a0 11 e1 3c db a9 41 76 ff 95 fd 47 26 18 Oct 31 15:25:05.146032: | 5a 97 2d 4d b2 bf f9 ee e0 4f 62 26 93 12 fa a6 Oct 31 15:25:05.146033: | 20 7f 0f 5d 1e Oct 31 15:25:05.146078: | sent 1 messages Oct 31 15:25:05.146081: | Message ID: IKE #1 sender #2 in send_delete hacking around record 'n' send Oct 31 15:25:05.146086: | Message ID: IKE #1 scheduling EVENT_RETRANSMIT: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:25:05.146089: | event_schedule: newref EVENT_RETRANSMIT-pe@0x559d3fb4a438 Oct 31 15:25:05.146091: | inserting event EVENT_RETRANSMIT, timeout in 0.5 seconds for #1 Oct 31 15:25:05.146094: | libevent_malloc: newref ptr-libevent@0x7f2cd4000d38 size 128 Oct 31 15:25:05.146101: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: first event in 0.5 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744579.578884 Oct 31 15:25:05.146109: | Message ID: IKE #1 updating initiator sent message request 0: ike.initiator.sent=-1->0 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=-1->0 ike.wip.responder=-1 Oct 31 15:25:05.146113: | state #2 deleting .st_event EVENT_SA_REKEY Oct 31 15:25:05.146117: | libevent_free: delref ptr-libevent@0x559d3fb49bd8 Oct 31 15:25:05.146120: | free_event_entry: delref EVENT_SA_REKEY-pe@0x559d3fb41e68 Oct 31 15:25:05.146123: | #2 STATE_V2_ESTABLISHED_CHILD_SA: 
retransmits: cleared Oct 31 15:25:05.146182: | running updown command "ipsec _updown" for verb down Oct 31 15:25:05.146189: | command executing down-client Oct 31 15:25:05.146195: | get_sa_info esp.7b6df899@192.1.3.33 Oct 31 15:25:05.146212: | get_sa_info esp.f138d22c@192.1.2.23 Oct 31 15:25:05.146251: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157902' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0... 
Oct 31 15:25:05.146255: | popen cmd is 1162 chars long Oct 31 15:25:05.146258: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO: Oct 31 15:25:05.146266: | cmd( 80):_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HO: Oct 31 15:25:05.146269: | cmd( 160):P='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.: Oct 31 15:25:05.146271: | cmd( 240):2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLU: Oct 31 15:25:05.146273: | cmd( 320):TO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' : Oct 31 15:25:05.146276: | cmd( 400):PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32: Oct 31 15:25:05.146278: | cmd( 480):' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' P: Oct 31 15:25:05.146280: | cmd( 560):LUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' P: Oct 31 15:25:05.146285: | cmd( 640):LUTO_ADDTIME='1604157902' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE: Oct 31 15:25:05.146287: | cmd( 720):V2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIN: Oct 31 15:25:05.146289: | cmd( 800):D='CK_GOING_AWAY' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISC: Oct 31 15:25:05.146292: | cmd( 880):O='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUT: Oct 31 15:25:05.146294: | cmd( 960):O_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='84': Oct 31 15:25:05.146296: | cmd(1040): PLUTO_OUTBYTES='84' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x7b6d: Oct 31 15:25:05.146299: | cmd(1120):f899 SPI_OUT=0xf138d22c ipsec _updown 2>&1: Oct 31 15:25:05.155321: | shunt_eroute() called for connection 'north-east' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Oct 31 15:25:05.155342: | 
netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Oct 31 15:25:05.155347: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:05.155352: | IPsec SA SPD priority set to 2084798 Oct 31 15:25:05.155394: | delete esp.7b6df899@192.1.3.33 Oct 31 15:25:05.155399: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:05.155425: | netlink response for Del SA esp.7b6df899@192.1.3.33 included non-error error Oct 31 15:25:05.155430: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:05.155440: | delete inbound eroute 192.0.3.254/32:0 --0-> 192.0.2.0/24:0 => unk.10000@192.1.2.23 using reqid 0 (raw_eroute) proto=50 Oct 31 15:25:05.155468: | raw_eroute result=success Oct 31 15:25:05.155474: | delete esp.f138d22c@192.1.2.23 Oct 31 15:25:05.155476: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:05.155493: | netlink response for Del SA esp.f138d22c@192.1.2.23 included non-error error Oct 31 15:25:05.155500: | in connection_discard for connection north-east Oct 31 15:25:05.155503: | State DB: deleting IKEv2 state #2 in ESTABLISHED_CHILD_SA Oct 31 15:25:05.155508: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => UNDEFINED(ignore) Oct 31 15:25:05.155511: | releasing #2's fd-fd@(nil) because deleting state Oct 31 15:25:05.155514: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:05.155516: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:05.155519: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:25:05.155526: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1239) Oct 31 15:25:05.155533: | delref logger@0x559d3fb302d8(1->0) (in delete_state() at state.c:1306) Oct 31 15:25:05.155535: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:05.155538: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:05.155541: | processing: STOP state #0 (in 
foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:25:05.155543: | state #1 Oct 31 15:25:05.155546: | pass 1 Oct 31 15:25:05.155548: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:25:05.155550: | state #1 Oct 31 15:25:05.155556: | start processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:25:05.155559: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:25:05.155562: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:25:05.155564: | pstats #1 ikev2.ike deleted completed Oct 31 15:25:05.155574: | #1 main thread spent 8.99 (107) milliseconds helper thread spent 10.6 (20.8) milliseconds in total Oct 31 15:25:05.155580: | [RE]START processing: state #1 connection "north-east"[1] 192.1.3.33 from 192.1.3.33:500 (in delete_state() at state.c:935) Oct 31 15:25:05.155582: | should_send_delete: yes Oct 31 15:25:05.155589: "north-east"[1] 192.1.3.33 #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 2.816192s and sending notification Oct 31 15:25:05.155595: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => delete Oct 31 15:25:05.155640: | unsuspending #1 MD (nil) Oct 31 15:25:05.155644: | should_send_delete: yes Oct 31 15:25:05.155646: | #1 send IKEv2 delete notification for STATE_V2_ESTABLISHED_IKE_SA Oct 31 15:25:05.155650: | opening output PBS informational exchange delete request Oct 31 15:25:05.155653: | **emit ISAKMP Message: Oct 31 15:25:05.155658: | initiator SPI: c0 ab 5f b0 46 3d 51 5a Oct 31 15:25:05.155663: | responder SPI: b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:05.155666: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:05.155669: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:05.155672: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:25:05.155675: | flags: none (0x0) Oct 31 
15:25:05.155679: | Message ID: 1 (00 00 00 01) Oct 31 15:25:05.155682: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:05.155686: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:05.155689: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:05.155691: | flags: none (0x0) Oct 31 15:25:05.155694: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:05.155697: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:05.155701: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:05.155712: | ****emit IKEv2 Delete Payload: Oct 31 15:25:05.155715: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:05.155717: | flags: none (0x0) Oct 31 15:25:05.155720: | protocol ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:05.155723: | SPI size: 0 (00) Oct 31 15:25:05.155726: | number of SPIs: 0 (00 00) Oct 31 15:25:05.155729: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:25:05.155732: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:05.155734: | emitting length of IKEv2 Delete Payload: 8 Oct 31 15:25:05.155737: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:05.155740: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:05.155743: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:05.155745: | emitting length of IKEv2 Encryption Payload: 37 Oct 31 15:25:05.155747: | emitting length of ISAKMP Message: 65 Oct 31 15:25:05.155776: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 
using UDP (for #1) Oct 31 15:25:05.155780: | c0 ab 5f b0 46 3d 51 5a b7 f3 69 f8 2c 8c 41 9e Oct 31 15:25:05.155782: | 2e 20 25 00 00 00 00 01 00 00 00 41 2a 00 00 25 Oct 31 15:25:05.155784: | 95 f9 b0 8e cb 3b aa ee 78 e5 7e 3c 70 c7 ea 0d Oct 31 15:25:05.155787: | 18 17 e6 21 68 ea 6a ed 10 e7 72 18 7a 9a 81 ac Oct 31 15:25:05.155788: | 51 Oct 31 15:25:05.155842: | sent 1 messages Oct 31 15:25:05.155847: | Message ID: IKE #1 sender #1 in send_delete hacking around record 'n' send Oct 31 15:25:05.155857: | Message ID: IKE #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?): ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:25:05.155863: | Message ID: IKE #1 XXX: EVENT_RETRANSMIT already scheduled -- suspect record'n'send: ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:25:05.155872: | Message ID: IKE #1 updating initiator sent message request 1: ike.initiator.sent=0->1 ike.initiator.recv=-1 ike.initiator.last_contact=744576.772227 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744576.914563 ike.wip.initiator=0->1 ike.wip.responder=-1 Oct 31 15:25:05.155875: | state #1 deleting .st_event EVENT_SA_REKEY Oct 31 15:25:05.155885: | libevent_free: delref ptr-libevent@0x7f2cd000b578 Oct 31 15:25:05.155889: | free_event_entry: delref EVENT_SA_REKEY-pe@0x559d3fb3fe28 Oct 31 15:25:05.155893: | #1 requesting EVENT_RETRANSMIT-pe@0x559d3fb4a438 be deleted Oct 31 15:25:05.155896: | libevent_free: delref ptr-libevent@0x7f2cd4000d38 Oct 31 15:25:05.155899: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x559d3fb4a438 Oct 31 15:25:05.155902: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: 
cleared Oct 31 15:25:05.155905: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:25:05.155908: | in connection_discard for connection north-east Oct 31 15:25:05.155911: | State DB: deleting IKEv2 state #1 in ESTABLISHED_IKE_SA Oct 31 15:25:05.155915: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => UNDEFINED(ignore) Oct 31 15:25:05.155918: | releasing #1's fd-fd@(nil) because deleting state Oct 31 15:25:05.155920: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:05.155923: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:05.155926: | delref pkp@0x559d3fb43f68(1->0) (in delete_state() at state.c:1202) Oct 31 15:25:05.155945: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1239) Oct 31 15:25:05.155962: | delref logger@0x559d3fb2ffc8(1->0) (in delete_state() at state.c:1306) Oct 31 15:25:05.155965: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:05.155968: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:05.155972: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:25:05.155978: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Oct 31 15:25:05.155984: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Oct 31 15:25:05.155988: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:05.156009: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:05.156022: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:05.156025: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:05.156028: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:05.156030: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:05.156033: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:05.156037: | route owner of "north-east" unrouted: "north-east" prospective erouted Oct 31 15:25:05.156043: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:05.156045: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:05.156049: | newref clone logger@0x559d3fb49918(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:05.156052: | flush revival: connection 'north-east' wasn't on the list Oct 31 15:25:05.156055: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:25:05.156058: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:25:05.156063: | Connection DB: deleting connection $2 Oct 31 15:25:05.156066: | delref logger@0x559d3fb49918(1->0) (in delete_connection() at connections.c:214) Oct 31 15:25:05.156069: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:05.156072: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:05.156080: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:25:05.156083: | pass 0 Oct 31 15:25:05.156086: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:25:05.156088: | pass 1 Oct 31 15:25:05.156090: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Oct 31 15:25:05.156098: | shunt_eroute() called for connection 'north-east' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.254/32:0 Oct 31 15:25:05.156104: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.254/32:0 Oct 31 15:25:05.156106: | priority calculation of connection "north-east" is 2084798 (0x1fcfbe) Oct 31 15:25:05.156119: ERROR: netlink XFRM_MSG_DELPOLICY response for flow eroute_connection delete included errno 2: No such file or directory Oct 31 15:25:05.156122: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:25:05.156125: | conn north-east mark 0/00000000, 0/00000000 vs Oct 31 15:25:05.156127: | conn north-east mark 0/00000000, 0/00000000 Oct 31 15:25:05.156130: | route owner of "north-east" unrouted: NULL Oct 31 15:25:05.156132: | running updown command "ipsec _updown" for verb unroute Oct 31 15:25:05.156135: | command executing unroute-client Oct 31 15:25:05.156160: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.254/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PL... Oct 31 15:25:05.156164: | popen cmd is 1102 chars long Oct 31 15:25:05.156167: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='north-east' PL: Oct 31 15:25:05.156169: | cmd( 80):UTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT: Oct 31 15:25:05.156171: | cmd( 160):_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192: Oct 31 15:25:05.156173: | cmd( 240):.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' : Oct 31 15:25:05.156175: | cmd( 320):PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='no: Oct 31 15:25:05.156177: | cmd( 400):ne' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.25: Oct 31 15:25:05.156179: | cmd( 480):4/32' PLUTO_PEER_CLIENT_NET='192.0.3.254' PLUTO_PEER_CLIENT_MASK='255.255.255.25: Oct 31 15:25:05.156181: | cmd( 560):5' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfr: Oct 31 15:25:05.156182: | cmd( 640):m' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_AL: Oct 31 15:25:05.156183: | cmd( 720):LOW+IKEV2_ALLOW_NARROWING+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5' PLUTO_CONN_KIND='CK: Oct 31 15:25:05.156185: | cmd( 800):_TEMPLATE' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' P: Oct 31 15:25:05.156186: | cmd( 880):LUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_S: Oct 31 15:25:05.156187: | cmd( 960):ERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING=: Oct 31 15:25:05.156189: | cmd(1040):'no' VTI_SHARED='no' SPI_IN=0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:25:05.171136: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171186: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171232: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:05.171440: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171478: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171515: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171551: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171579: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171590: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171608: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171625: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171643: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.171660: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172131: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172171: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172220: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172231: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172235: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172248: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172272: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172372: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172418: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:05.172428: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:05.184489: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:05.184506: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:05.184511: | newref clone logger@0x559d3fb49918(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:05.184516: | delref hp@0x559d3fb40778(1->0) (in delete_oriented_hp() at hostpair.c:360) Oct 31 15:25:05.184519: | flush revival: connection 'north-east' wasn't on the list Oct 31 15:25:05.184521: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:25:05.184522: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:25:05.184530: | Connection DB: deleting connection $1 Oct 31 15:25:05.184532: | delref logger@0x559d3fb49918(1->0) (in delete_connection() at connections.c:214) Oct 31 15:25:05.184534: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:05.184535: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:05.184538: | crl fetch request list locked by 'free_crl_fetch' Oct 31 15:25:05.184539: | crl fetch request list unlocked by 'free_crl_fetch' Oct 31 15:25:05.184542: | iface: marking eth1 dead Oct 31 15:25:05.184544: | iface: marking eth0 dead Oct 31 15:25:05.184545: | iface: marking lo dead Oct 31 15:25:05.184547: | updating interfaces - listing interfaces that are going down Oct 31 15:25:05.184551: shutting down interface lo 127.0.0.1:4500 Oct 31 15:25:05.184554: shutting down interface lo 127.0.0.1:500 Oct 31 15:25:05.184556: shutting down interface eth0 192.0.2.254:4500 Oct 31 15:25:05.184558: shutting down interface eth0 192.0.2.254:500 Oct 31 15:25:05.184560: shutting down interface eth1 192.1.2.23:4500 Oct 31 15:25:05.184562: shutting down interface eth1 192.1.2.23:500 Oct 31 15:25:05.184563: | updating interfaces - deleting the dead Oct 31 15:25:05.184567: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Oct 31 15:25:05.184574: | libevent_free: delref ptr-libevent@0x559d3fb3f098 Oct 31 15:25:05.184576: | delref id@0x559d3fb43248(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184584: | libevent_free: delref ptr-libevent@0x559d3fb38f28 Oct 31 15:25:05.184586: | delref id@0x559d3fb43248(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184591: | libevent_free: delref ptr-libevent@0x559d3faf9128 Oct 31 15:25:05.184593: | delref id@0x559d3fb431b8(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184599: | libevent_free: delref ptr-libevent@0x559d3faf18d8 Oct 31 15:25:05.184602: | delref id@0x559d3fb431b8(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184610: | libevent_free: delref ptr-libevent@0x559d3faf9228 Oct 31 15:25:05.184612: | delref id@0x559d3fb44208(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184617: | libevent_free: delref ptr-libevent@0x559d3fafc628 Oct 31 15:25:05.184619: | delref id@0x559d3fb44208(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184622: | delref id@0x559d3fb44208(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184624: | delref id@0x559d3fb431b8(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184626: | delref id@0x559d3fb43248(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:05.184627: | updating interfaces - checking orientation Oct 31 15:25:05.184629: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Oct 31 15:25:05.186079: | libevent_free: delref ptr-libevent@0x559d3fb38fd8 Oct 31 15:25:05.186093: | free_event_entry: delref EVENT_NULL-pe@0x559d3fb3c498 Oct 31 15:25:05.186098: | libevent_free: delref ptr-libevent@0x559d3fafc728 Oct 31 15:25:05.186099: | free_event_entry: delref EVENT_NULL-pe@0x559d3fb38eb8 Oct 31 15:25:05.186102: | libevent_free: delref ptr-libevent@0x559d3fafc4c8 Oct 31 15:25:05.186104: | free_event_entry: delref EVENT_NULL-pe@0x559d3fb36e98 Oct 31 15:25:05.186107: | global timer EVENT_REINIT_SECRET uninitialized Oct 31 15:25:05.186108: | global timer EVENT_SHUNT_SCAN uninitialized Oct 31 15:25:05.186110: | global timer EVENT_PENDING_DDNS uninitialized Oct 31 15:25:05.186111: | global timer EVENT_PENDING_PHASE2 uninitialized Oct 31 15:25:05.186112: | global timer EVENT_CHECK_CRLS uninitialized Oct 31 15:25:05.186114: | global timer EVENT_REVIVE_CONNS uninitialized Oct 31 15:25:05.186115: | global timer EVENT_FREE_ROOT_CERTS uninitialized Oct 31 15:25:05.186116: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Oct 31 15:25:05.186118: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Oct 31 15:25:05.186121: | libevent_free: delref ptr-libevent@0x559d3fa83f18 Oct 31 15:25:05.186122: | signal event handler PLUTO_SIGCHLD uninstalled Oct 31 15:25:05.186124: | libevent_free: delref ptr-libevent@0x559d3fa8e958 Oct 31 15:25:05.186126: | signal event handler PLUTO_SIGTERM uninstalled Oct 31 15:25:05.186128: | libevent_free: delref ptr-libevent@0x559d3fb3c6b8 Oct 31 15:25:05.186129: | signal event handler PLUTO_SIGHUP uninstalled Oct 31 15:25:05.186131: | libevent_free: delref ptr-libevent@0x559d3fb3c8f8 Oct 31 15:25:05.186133: | signal event handler PLUTO_SIGSYS uninstalled Oct 31 15:25:05.186134: | releasing event base Oct 31 15:25:05.186144: | libevent_free: delref ptr-libevent@0x559d3fb3c7c8 Oct 31 15:25:05.186146: | libevent_free: delref ptr-libevent@0x559d3fb2bc58 Oct 31 15:25:05.186148: | libevent_free: delref 
ptr-libevent@0x559d3fb2bc08 Oct 31 15:25:05.186150: | libevent_free: delref ptr-libevent@0x559d3fafe518 Oct 31 15:25:05.186151: | libevent_free: delref ptr-libevent@0x559d3fb2be08 Oct 31 15:25:05.186153: | libevent_free: delref ptr-libevent@0x559d3fb2ff88 Oct 31 15:25:05.186154: | libevent_free: delref ptr-libevent@0x559d3fb2fd98 Oct 31 15:25:05.186156: | libevent_free: delref ptr-libevent@0x559d3fb2be48 Oct 31 15:25:05.186157: | libevent_free: delref ptr-libevent@0x559d3fb2fba8 Oct 31 15:25:05.186158: | libevent_free: delref ptr-libevent@0x559d3fb2f568 Oct 31 15:25:05.186160: | libevent_free: delref ptr-libevent@0x559d3fb40968 Oct 31 15:25:05.186161: | libevent_free: delref ptr-libevent@0x559d3fb40928 Oct 31 15:25:05.186163: | libevent_free: delref ptr-libevent@0x559d3fb408e8 Oct 31 15:25:05.186164: | libevent_free: delref ptr-libevent@0x559d3fb408a8 Oct 31 15:25:05.186165: | libevent_free: delref ptr-libevent@0x559d3fb40868 Oct 31 15:25:05.186167: | libevent_free: delref ptr-libevent@0x559d3fb40828 Oct 31 15:25:05.186168: | libevent_free: delref ptr-libevent@0x559d3fb223d8 Oct 31 15:25:05.186169: | libevent_free: delref ptr-libevent@0x559d3fb3c678 Oct 31 15:25:05.186171: | libevent_free: delref ptr-libevent@0x559d3fb3c638 Oct 31 15:25:05.186172: | libevent_free: delref ptr-libevent@0x559d3fb2fbe8 Oct 31 15:25:05.186176: | libevent_free: delref ptr-libevent@0x559d3fb3c788 Oct 31 15:25:05.186177: | libevent_free: delref ptr-libevent@0x559d3fb3c508 Oct 31 15:25:05.186179: | libevent_free: delref ptr-libevent@0x559d3fafe1f8 Oct 31 15:25:05.186180: | libevent_free: delref ptr-libevent@0x559d3fafe178 Oct 31 15:25:05.186182: | libevent_free: delref ptr-libevent@0x559d3faf51c8 Oct 31 15:25:05.186183: | releasing global libevent data Oct 31 15:25:05.186185: | libevent_free: delref ptr-libevent@0x559d3fafe4b8 Oct 31 15:25:05.186186: | libevent_free: delref ptr-libevent@0x559d3fa8e8f8 Oct 31 15:25:05.186188: | libevent_free: delref ptr-libevent@0x559d3fafe9b8 Oct 31 
15:25:05.186235: leak detective found no leaks