Oct 31 15:25:05.878135: | newref logger@0x55e8fe942bb8(0->1) (in main() at plutomain.c:1591)
Oct 31 15:25:05.878187: | delref logger@0x55e8fe942bb8(1->0) (in main() at plutomain.c:1592)
Oct 31 15:25:05.878194: | delref fd@NULL (in free_logger() at log.c:853)
Oct 31 15:25:05.878197: | delref fd@NULL (in free_logger() at log.c:854)
Oct 31 15:25:05.878208: NSS DB directory: sql:/var/lib/ipsec/nss
Oct 31 15:25:05.878377: Initializing NSS
Oct 31 15:25:05.878383: Opening NSS database "sql:/var/lib/ipsec/nss" read-only
Oct 31 15:25:05.910402: FIPS Mode: NO
Oct 31 15:25:05.910416: NSS crypto library initialized
Oct 31 15:25:05.910445: FIPS mode disabled for pluto daemon
Oct 31 15:25:05.910447: FIPS HMAC integrity support [disabled]
Oct 31 15:25:05.910522: libcap-ng support [enabled]
Oct 31 15:25:05.910531: Linux audit support [enabled]
Oct 31 15:25:05.910550: Linux audit activated
Oct 31 15:25:05.910556: Starting Pluto (Libreswan Version v4.1-88-gf1d1933837ef-main IKEv2 IKEv1 XFRM(netkey) XFRMI esp-hw-offload FORK PTHREAD_SETSCHEDPRIO NSS (IPsec profile) (NSS-PRF) DNSSEC LABELED_IPSEC (SELINUX) SECCOMP LIBCAP_NG LINUX_AUDIT AUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:2162883
Oct 31 15:25:05.910565: core dump dir: /tmp
Oct 31 15:25:05.910568: secrets file: /etc/ipsec.secrets
Oct 31 15:25:05.910571: leak-detective enabled
Oct 31 15:25:05.910573: NSS crypto [enabled]
Oct 31 15:25:05.910575: XAUTH PAM support [enabled]
Oct 31 15:25:05.910645: | libevent is using pluto's memory allocator
Oct 31 15:25:05.910650: Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800)
Oct 31 15:25:05.910660: | libevent_malloc: newref ptr-libevent@0x55e8fe9c5fa8 size 40
Oct 31 15:25:05.910664: | libevent_malloc: newref ptr-libevent@0x55e8fe9ba0b8 size 40
Oct 31 15:25:05.910666: | libevent_malloc: newref ptr-libevent@0x55e8fe9c6488 size 40
Oct 31 15:25:05.910667: | creating event base
Oct 31 15:25:05.910669: | libevent_malloc: newref ptr-libevent@0x55e8fe9c6788 size 56
Oct 31 15:25:05.910671: | libevent_malloc: newref ptr-libevent@0x55e8fe9bcbd8 size 664
Oct 31 15:25:05.910681: | libevent_malloc: newref ptr-libevent@0x55e8fe9f3458 size 24
Oct 31 15:25:05.910683: | libevent_malloc: newref ptr-libevent@0x55e8fe9f34a8 size 384
Oct 31 15:25:05.910691: | libevent_malloc: newref ptr-libevent@0x55e8fe9f3658 size 16
Oct 31 15:25:05.910693: | libevent_malloc: newref ptr-libevent@0x55e8fe9c6408 size 40
Oct 31 15:25:05.910694: | libevent_malloc: newref ptr-libevent@0x55e8fe9c5c68 size 48
Oct 31 15:25:05.910698: | libevent_realloc: newref ptr-libevent@0x55e8fe9f3698 size 256
Oct 31 15:25:05.910699: | libevent_malloc: newref ptr-libevent@0x55e8fe9f37c8 size 16
Oct 31 15:25:05.910703: | libevent_free: delref ptr-libevent@0x55e8fe9c6788
Oct 31 15:25:05.910705: | libevent initialized
Oct 31 15:25:05.910709: | libevent_realloc: newref ptr-libevent@0x55e8fe9c6788 size 64
Oct 31 15:25:05.910711: | global periodic timer EVENT_RESET_LOG_RATE_LIMIT enabled with interval of 3600 seconds
Oct 31 15:25:05.910713: | init_nat_traversal() initialized with keep_alive=0s
Oct 31 15:25:05.910715: NAT-Traversal support [enabled]
Oct 31 15:25:05.910716: | global one-shot timer EVENT_NAT_T_KEEPALIVE initialized
Oct 31 15:25:05.910719: | global one-shot timer EVENT_FREE_ROOT_CERTS initialized
Oct 31 15:25:05.910722: | global periodic timer EVENT_REINIT_SECRET enabled with interval of 3600 seconds
Oct 31 15:25:05.910733: | checking IKEv1 state table
Oct 31 15:25:05.910737: | MAIN_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910739: | -> MAIN_R1 EVENT_SO_DISCARD (main_inI1_outR1)
Oct 31 15:25:05.910742: | MAIN_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910743: | -> MAIN_I2 EVENT_RETRANSMIT (main_inR1_outI2)
Oct 31 15:25:05.910745: | MAIN_R1: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910746: | -> MAIN_R2 EVENT_RETRANSMIT (main_inI2_outR2)
Oct 31 15:25:05.910748: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected)
Oct 31 15:25:05.910749: | -> MAIN_R1 EVENT_RETRANSMIT (unexpected)
Oct 31 15:25:05.910751: | MAIN_I2: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910756: | -> MAIN_I3 EVENT_RETRANSMIT (main_inR2_outI3)
Oct 31 15:25:05.910758: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected)
Oct 31 15:25:05.910759: | -> MAIN_I2 EVENT_RETRANSMIT (unexpected)
Oct 31 15:25:05.910761: | MAIN_R2: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910762: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3)
Oct 31 15:25:05.910763: | -> MAIN_R3 EVENT_SA_REPLACE (main_inI3_outR3)
Oct 31 15:25:05.910765: | -> MAIN_R2 EVENT_SA_REPLACE (unexpected)
Oct 31 15:25:05.910766: | MAIN_I3: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910768: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3)
Oct 31 15:25:05.910769: | -> MAIN_I4 EVENT_SA_REPLACE (main_inR3)
Oct 31 15:25:05.910770: | -> MAIN_I3 EVENT_SA_REPLACE (unexpected)
Oct 31 15:25:05.910772: | MAIN_R3: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910773: | -> MAIN_R3 EVENT_NULL (unexpected)
Oct 31 15:25:05.910775: | MAIN_I4: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910776: | -> MAIN_I4 EVENT_NULL (unexpected)
Oct 31 15:25:05.910778: | AGGR_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910779: | -> AGGR_R1 EVENT_SO_DISCARD (aggr_inI1_outR1)
Oct 31 15:25:05.910781: | AGGR_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910782: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2)
Oct 31 15:25:05.910784: | -> AGGR_I2 EVENT_SA_REPLACE (aggr_inR1_outI2)
Oct 31 15:25:05.910785: | AGGR_R1: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910787: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2)
Oct 31 15:25:05.910788: | -> AGGR_R2 EVENT_SA_REPLACE (aggr_inI2)
Oct 31 15:25:05.910790: | AGGR_I2: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910791: | -> AGGR_I2 EVENT_NULL (unexpected)
Oct 31 15:25:05.910792: | AGGR_R2: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910794: | -> AGGR_R2 EVENT_NULL (unexpected)
Oct 31 15:25:05.910795: | QUICK_R0: category: established CHILD SA; flags: 0:
Oct 31 15:25:05.910797: | -> QUICK_R1 EVENT_RETRANSMIT (quick_inI1_outR1)
Oct 31 15:25:05.910798: | QUICK_I1: category: established CHILD SA; flags: 0:
Oct 31 15:25:05.910800: | -> QUICK_I2 EVENT_SA_REPLACE (quick_inR1_outI2)
Oct 31 15:25:05.910801: | QUICK_R1: category: established CHILD SA; flags: 0:
Oct 31 15:25:05.910803: | -> QUICK_R2 EVENT_SA_REPLACE (quick_inI2)
Oct 31 15:25:05.910804: | QUICK_I2: category: established CHILD SA; flags: 0:
Oct 31 15:25:05.910806: | -> QUICK_I2 EVENT_NULL (unexpected)
Oct 31 15:25:05.910807: | QUICK_R2: category: established CHILD SA; flags: 0:
Oct 31 15:25:05.910809: | -> QUICK_R2 EVENT_NULL (unexpected)
Oct 31 15:25:05.910810: | INFO: category: informational; flags: 0:
Oct 31 15:25:05.910812: | -> INFO EVENT_NULL (informational)
Oct 31 15:25:05.910813: | INFO_PROTECTED: category: informational; flags: 0:
Oct 31 15:25:05.910814: | -> INFO_PROTECTED EVENT_NULL (informational)
Oct 31 15:25:05.910816: | XAUTH_R0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910817: | -> XAUTH_R1 EVENT_NULL (xauth_inR0)
Oct 31 15:25:05.910819: | XAUTH_R1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910820: | -> MAIN_R3 EVENT_SA_REPLACE (xauth_inR1)
Oct 31 15:25:05.910822: | MODE_CFG_R0: category: informational; flags: 0:
Oct 31 15:25:05.910823: | -> MODE_CFG_R1 EVENT_SA_REPLACE (modecfg_inR0)
Oct 31 15:25:05.910825: | MODE_CFG_R1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910826: | -> MODE_CFG_R2 EVENT_SA_REPLACE (modecfg_inR1)
Oct 31 15:25:05.910828: | MODE_CFG_R2: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910829: | -> MODE_CFG_R2 EVENT_NULL (unexpected)
Oct 31 15:25:05.910831: | MODE_CFG_I1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910832: | -> MAIN_I4 EVENT_SA_REPLACE (modecfg_inR1)
Oct 31 15:25:05.910834: | XAUTH_I0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910835: | -> XAUTH_I1 EVENT_RETRANSMIT (xauth_inI0)
Oct 31 15:25:05.910838: | XAUTH_I1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910839: | -> MAIN_I4 EVENT_RETRANSMIT (xauth_inI1)
Oct 31 15:25:05.910844: | checking IKEv2 state table
Oct 31 15:25:05.910849: | V2_REKEY_IKE_I0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910851: | -> V2_REKEY_IKE_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IKE Rekey)
Oct 31 15:25:05.910853: | V2_REKEY_CHILD_I0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910855: | -> V2_REKEY_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec Rekey SA)
Oct 31 15:25:05.910857: | V2_NEW_CHILD_I0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910858: | -> V2_NEW_CHILD_I1 EVENT_RETRANSMIT send-request (Initiate CREATE_CHILD_SA IPsec SA)
Oct 31 15:25:05.910860: | PARENT_I0: category: ignore; flags: 0:
Oct 31 15:25:05.910862: | -> PARENT_I1 EVENT_RETRANSMIT send-request (initiate IKE_SA_INIT)
Oct 31 15:25:05.910863: | PARENT_I1: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910865: | -> PARENT_I0 EVENT_SO_DISCARD (received anti-DDOS COOKIE notify response; resending IKE_SA_INIT request with cookie payload added)
Oct 31 15:25:05.910870: | -> PARENT_I0 EVENT_SO_DISCARD (received IKE_SA_INIT INVALID_KE_PAYLOAD notify response; resending IKE_SA_INIT with new KE payload)
Oct 31 15:25:05.910871: | -> IKESA_DEL EVENT_v2_REDIRECT (received REDIRECT notify response; resending IKE_SA_INIT request to new destination)
Oct 31 15:25:05.910873: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_SA_INIT reply, initiate IKE_AUTH or IKE_INTERMEDIATE)
Oct 31 15:25:05.910875: | PARENT_I2: category: open IKE SA; flags: 0:
Oct 31 15:25:05.910876: | -> PARENT_I2 EVENT_RETRANSMIT send-request (Initiator: process IKE_INTERMEDIATE reply, initiate IKE_AUTH or IKE_INTERMEDIATE)
Oct 31 15:25:05.910878: | -> PARENT_I2 EVENT_NULL (Initiator: process INVALID_SYNTAX AUTH notification)
Oct 31 15:25:05.910879: | -> PARENT_I2 EVENT_NULL (Initiator: process AUTHENTICATION_FAILED AUTH notification)
Oct 31 15:25:05.910881: | -> PARENT_I2 EVENT_NULL (Initiator: process UNSUPPORTED_CRITICAL_PAYLOAD AUTH notification)
Oct 31 15:25:05.910882: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Initiator: process IKE_AUTH response)
Oct 31 15:25:05.910883: | -> PARENT_I2 EVENT_NULL (IKE SA: process IKE_AUTH response containing unknown notification)
Oct 31 15:25:05.910885: | PARENT_R0: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910887: | -> PARENT_R1 EVENT_SO_DISCARD send-response (Respond to IKE_SA_INIT)
Oct 31 15:25:05.910888: | PARENT_R1: category: half-open IKE SA; flags: 0:
Oct 31 15:25:05.910890: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request (no SKEYSEED))
Oct 31 15:25:05.910891: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (no SKEYSEED))
Oct 31 15:25:05.910893: | -> PARENT_R1 EVENT_SA_REPLACE send-response (Responder: process IKE_INTERMEDIATE request (with SKEYSEED))
Oct 31 15:25:05.910894: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Responder: process IKE_AUTH request)
Oct 31 15:25:05.910896: | V2_REKEY_IKE_R0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910897: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IKE Rekey)
Oct 31 15:25:05.910899: | V2_REKEY_IKE_I1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910900: | -> ESTABLISHED_IKE_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IKE Rekey Response)
Oct 31 15:25:05.910902: | V2_NEW_CHILD_I1: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910903: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE (Process CREATE_CHILD_SA IPsec SA Response)
Oct 31 15:25:05.910905: | V2_REKEY_CHILD_R0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910906: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA rekey CHILD SA request)
Oct 31 15:25:05.910908: | V2_NEW_CHILD_R0: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910911: | -> ESTABLISHED_CHILD_SA EVENT_SA_REPLACE send-response (Respond to CREATE_CHILD_SA IPsec SA Request)
Oct 31 15:25:05.910912: | ESTABLISHED_IKE_SA: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910914: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request (liveness probe))
Oct 31 15:25:05.910915: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response (liveness probe))
Oct 31 15:25:05.910917: | -> ESTABLISHED_IKE_SA EVENT_RETAIN send-response (Informational Request)
Oct 31 15:25:05.910918: | -> ESTABLISHED_IKE_SA EVENT_RETAIN (Informational Response)
Oct 31 15:25:05.910920: | IKESA_DEL: category: established IKE SA; flags: 0:
Oct 31 15:25:05.910922: | -> IKESA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Oct 31 15:25:05.910923: | CHILDSA_DEL: category: informational; flags: 0:
Oct 31 15:25:05.910925: | -> CHILDSA_DEL EVENT_RETAIN (IKE_SA_DEL: process INFORMATIONAL)
Oct 31 15:25:05.910927: | global one-shot timer EVENT_REVIVE_CONNS initialized
Oct 31 15:25:05.910929: | global periodic timer EVENT_PENDING_DDNS enabled with interval of 60 seconds
Oct 31 15:25:05.910931: | global periodic timer EVENT_PENDING_PHASE2 enabled with interval of 120 seconds
Oct 31 15:25:05.911034: Encryption algorithms:
Oct 31 15:25:05.911044: AES_CCM_16 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm, aes_ccm_c
Oct 31 15:25:05.911051: AES_CCM_12 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_b
Oct 31 15:25:05.911056: AES_CCM_8 {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_ccm_a
Oct 31 15:25:05.911062: 3DES_CBC [*192] IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) 3des
Oct 31 15:25:05.911066: CAMELLIA_CTR {256,192,*128} IKEv1: ESP IKEv2: ESP
Oct 31 15:25:05.911069: CAMELLIA_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP NSS(CBC) camellia
Oct 31 15:25:05.911072: AES_GCM_16 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm, aes_gcm_c
Oct 31 15:25:05.911075: AES_GCM_12 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_b
Oct 31 15:25:05.911078: AES_GCM_8 {256,192,*128} IKEv1: ESP IKEv2: IKE ESP FIPS NSS(GCM) aes_gcm_a
Oct 31 15:25:05.911080: AES_CTR {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CTR) aesctr
Oct 31 15:25:05.911083: AES_CBC {256,192,*128} IKEv1: IKE ESP IKEv2: IKE ESP FIPS NSS(CBC) aes
Oct 31 15:25:05.911086: NULL_AUTH_AES_GMAC {256,192,*128} IKEv1: ESP IKEv2: ESP FIPS aes_gmac
Oct 31 15:25:05.911088: NULL [] IKEv1: ESP IKEv2: ESP
Oct 31 15:25:05.911091: CHACHA20_POLY1305 [*256] IKEv1: IKEv2: IKE ESP NSS(AEAD) chacha20poly1305
Oct 31 15:25:05.911093: Hash algorithms:
Oct 31 15:25:05.911095: MD5 IKEv1: IKE IKEv2: NSS
Oct 31 15:25:05.911101: SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha
Oct 31 15:25:05.911107: SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256
Oct 31 15:25:05.911111: SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384
Oct 31 15:25:05.911114: SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512
Oct 31 15:25:05.911117: PRF algorithms:
Oct 31 15:25:05.911121: HMAC_MD5 IKEv1: IKE IKEv2: IKE native(HMAC) md5
Oct 31 15:25:05.911125: HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS NSS sha, sha1
Oct 31 15:25:05.911131: HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS NSS sha2, sha256, sha2_256
Oct 31 15:25:05.911141: HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS NSS sha384, sha2_384
Oct 31 15:25:05.911146: HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS NSS sha512, sha2_512
Oct 31 15:25:05.911149: AES_XCBC IKEv1: IKEv2: IKE native(XCBC) aes128_xcbc
Oct 31 15:25:05.911151: Integrity algorithms:
Oct 31 15:25:05.911154: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH native(HMAC) md5, hmac_md5
Oct 31 15:25:05.911157: HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha, sha1, sha1_96, hmac_sha1
Oct 31 15:25:05.911160: HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha512, sha2_512, sha2_512_256, hmac_sha2_512
Oct 31 15:25:05.911163: HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha384, sha2_384, sha2_384_192, hmac_sha2_384
Oct 31 15:25:05.911165: HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS sha2, sha256, sha2_256, sha2_256_128, hmac_sha2_256
Oct 31 15:25:05.911168: HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH
Oct 31 15:25:05.911170: AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH native(XCBC) aes_xcbc, aes128_xcbc, aes128_xcbc_96
Oct 31 15:25:05.911173: AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac
Oct 31 15:25:05.911175: NONE IKEv1: ESP IKEv2: IKE ESP FIPS null
Oct 31 15:25:05.911176: DH algorithms:
Oct 31 15:25:05.911179: NONE IKEv1: IKEv2: IKE ESP AH FIPS NSS(MODP) null, dh0
Oct 31 15:25:05.911181: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH NSS(MODP) dh5
Oct 31 15:25:05.911183: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh14
Oct 31 15:25:05.911185: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh15
Oct 31 15:25:05.911187: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh16
Oct 31 15:25:05.911189: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh17
Oct 31 15:25:05.911191: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS NSS(MODP) dh18
Oct 31 15:25:05.911194: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_256, ecp256
Oct 31 15:25:05.911196: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_384, ecp384
Oct 31 15:25:05.911203: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS NSS(ECP) ecp_521, ecp521
Oct 31 15:25:05.911209: DH31 IKEv1: IKE IKEv2: IKE ESP AH NSS(ECP) curve25519
Oct 31 15:25:05.911211: testing CAMELLIA_CBC:
Oct 31 15:25:05.911213: Camellia: 16 bytes with 128-bit key
Oct 31 15:25:05.911285: Camellia: 16 bytes with 128-bit key
Oct 31 15:25:05.911309: Camellia: 16 bytes with 256-bit key
Oct 31 15:25:05.911359: Camellia: 16 bytes with 256-bit key
Oct 31 15:25:05.911392: testing AES_GCM_16:
Oct 31 15:25:05.911395: empty string
Oct 31 15:25:05.911414: one block
Oct 31 15:25:05.911431: two blocks
Oct 31 15:25:05.911449: two blocks with associated data
Oct 31 15:25:05.911467: testing AES_CTR:
Oct 31 15:25:05.911469: Encrypting 16 octets using AES-CTR with 128-bit key
Oct 31 15:25:05.911487: Encrypting 32 octets using AES-CTR with 128-bit key
Oct 31 15:25:05.911532: Encrypting 36 octets using AES-CTR with 128-bit key
Oct 31 15:25:05.911572: Encrypting 16 octets using AES-CTR with 192-bit key
Oct 31 15:25:05.911606: Encrypting 32 octets using AES-CTR with 192-bit key
Oct 31 15:25:05.911646: Encrypting 36 octets using AES-CTR with 192-bit key
Oct 31 15:25:05.911668: Encrypting 16 octets using AES-CTR with 256-bit key
Oct 31 15:25:05.911686: Encrypting 32 octets using AES-CTR with 256-bit key
Oct 31 15:25:05.911705: Encrypting 36 octets using AES-CTR with 256-bit key
Oct 31 15:25:05.911725: testing AES_CBC:
Oct 31 15:25:05.911727: Encrypting 16 bytes (1 block) using AES-CBC with 128-bit key
Oct 31 15:25:05.911745: Encrypting 32 bytes (2 blocks) using AES-CBC with 128-bit key
Oct 31 15:25:05.911765: Encrypting 48 bytes (3 blocks) using AES-CBC with 128-bit key
Oct 31 15:25:05.911784: Encrypting 64 bytes (4 blocks) using AES-CBC with 128-bit key
Oct 31 15:25:05.911808: testing AES_XCBC:
Oct 31 15:25:05.911810: RFC 3566 Test Case 1: AES-XCBC-MAC-96 with 0-byte input
Oct 31 15:25:05.911908: RFC 3566 Test Case 2: AES-XCBC-MAC-96 with 3-byte input
Oct 31 15:25:05.912042: RFC 3566 Test Case 3: AES-XCBC-MAC-96 with 16-byte input
Oct 31 15:25:05.912167: RFC 3566 Test Case 4: AES-XCBC-MAC-96 with 20-byte input
Oct 31 15:25:05.912328: RFC 3566 Test Case 5: AES-XCBC-MAC-96 with 32-byte input
Oct 31 15:25:05.912480: RFC 3566 Test Case 6: AES-XCBC-MAC-96 with 34-byte input
Oct 31 15:25:05.914158: RFC 3566 Test Case 7: AES-XCBC-MAC-96 with 1000-byte input
Oct 31 15:25:05.914393: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 16)
Oct 31 15:25:05.914510: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 10)
Oct 31 15:25:05.914628: RFC 4434 Test Case AES-XCBC-PRF-128 with 20-byte input (key length 18)
Oct 31 15:25:05.914834: testing HMAC_MD5:
Oct 31 15:25:05.914840: RFC 2104: MD5_HMAC test 1
Oct 31 15:25:05.915009: RFC 2104: MD5_HMAC test 2
Oct 31 15:25:05.915141: RFC 2104: MD5_HMAC test 3
Oct 31 15:25:05.915344: 8 CPU cores online
Oct 31 15:25:05.915352: starting up 7 helper threads
Oct 31 15:25:05.915408: started thread for helper 0
Oct 31 15:25:05.915437: started thread for helper 1
Oct 31 15:25:05.915459: started thread for helper 2
Oct 31 15:25:05.915468: | starting helper thread 3
Oct 31 15:25:05.915549: seccomp security disabled for crypto helper 3
Oct 31 15:25:05.915557: | status value returned by setting the priority of this helper thread 3: 22
Oct 31 15:25:05.915561: | helper thread 3 has nothing to do
Oct 31 15:25:05.915637: | starting helper thread 4
Oct 31 15:25:05.915645: seccomp security disabled for crypto helper 4
Oct 31 15:25:05.915649: | status value returned by setting the priority of this helper thread 4: 22
Oct 31 15:25:05.915652: | helper thread 4 has nothing to do
Oct 31 15:25:05.915490: started thread for helper 3
Oct 31 15:25:05.915870: started thread for helper 4
Oct 31 15:25:05.915876: | starting helper thread 5
Oct 31 15:25:05.915887: seccomp security disabled for crypto helper 5
Oct 31 15:25:05.915892: | status value returned by setting the priority of this helper thread 5: 22
Oct 31 15:25:05.915894: | helper thread 5 has nothing to do
Oct 31 15:25:05.915904: started thread for helper 5
Oct 31 15:25:05.915908: | starting helper thread 6
Oct 31 15:25:05.915911: seccomp security disabled for crypto helper 6
Oct 31 15:25:05.915915: | status value returned by setting the priority of this helper thread 6: 22
Oct 31 15:25:05.915917: | helper thread 6 has nothing to do
Oct 31 15:25:05.915927: started thread for helper 6
Oct 31 15:25:05.915932: | starting helper thread 7
Oct 31 15:25:05.915934: seccomp security disabled for crypto helper 7
Oct 31 15:25:05.915937: | status value returned by setting the priority of this helper thread 7: 22
Oct 31 15:25:05.915940: | helper thread 7 has nothing to do
Oct 31 15:25:05.915951: Using Linux XFRM/NETKEY IPsec kernel support code on 5.8.15-201.fc32.x86_64
Oct 31 15:25:05.915998: | Hard-wiring algorithms
Oct 31 15:25:05.916002: | adding AES_CCM_16 to kernel algorithm db
Oct 31 15:25:05.916008: | adding AES_CCM_12 to kernel algorithm db
Oct 31 15:25:05.916011: | adding AES_CCM_8 to kernel algorithm db
Oct 31 15:25:05.916018: | adding 3DES_CBC to kernel algorithm db
Oct 31 15:25:05.916021: | adding CAMELLIA_CBC to kernel algorithm db
Oct 31 15:25:05.916023: | adding AES_GCM_16 to kernel algorithm db
Oct 31 15:25:05.916025: | adding AES_GCM_12 to kernel algorithm db
Oct 31 15:25:05.916027: | adding AES_GCM_8 to kernel algorithm db
Oct 31 15:25:05.916029: | adding AES_CTR to kernel algorithm db
Oct 31 15:25:05.916031: | adding AES_CBC to kernel algorithm db
Oct 31 15:25:05.916034: | adding NULL_AUTH_AES_GMAC to kernel algorithm db
Oct 31 15:25:05.916036: | adding NULL to kernel algorithm db
Oct 31 15:25:05.916039: | adding CHACHA20_POLY1305 to kernel algorithm db
Oct 31 15:25:05.916041: | adding HMAC_MD5_96 to kernel algorithm db
Oct 31 15:25:05.916044: | adding HMAC_SHA1_96 to kernel algorithm db
Oct 31 15:25:05.916046: | adding HMAC_SHA2_512_256 to kernel algorithm db
Oct 31 15:25:05.916048: | adding HMAC_SHA2_384_192 to kernel algorithm db
Oct 31 15:25:05.916050: | adding HMAC_SHA2_256_128 to kernel algorithm db
Oct 31 15:25:05.916053: | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db
Oct 31 15:25:05.916055: | adding AES_XCBC_96 to kernel algorithm db
Oct 31 15:25:05.916057: | adding AES_CMAC_96 to kernel algorithm db
Oct 31 15:25:05.916059: | adding NONE to kernel algorithm db
Oct 31 15:25:05.916082: | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes
Oct 31 15:25:05.916090: | global periodic timer EVENT_SHUNT_SCAN enabled with interval of 20 seconds
Oct 31 15:25:05.916093: | setup kernel fd callback
Oct 31 15:25:05.916096: | add_fd_read_event_handler: newref KERNEL_XRM_FD-pe@0x55e8fe9fcfb8
Oct 31 15:25:05.916100: | libevent_malloc: newref ptr-libevent@0x55e8fe9c3f18 size 128
Oct 31 15:25:05.916103: | libevent_malloc: newref ptr-libevent@0x55e8fe9f75c8 size 16
Oct 31 15:25:05.916111: | add_fd_read_event_handler: newref KERNEL_ROUTE_FD-pe@0x55e8fea009c8
Oct 31 15:25:05.916114: | libevent_malloc: newref ptr-libevent@0x55e8fe9c3fc8 size 128
Oct 31 15:25:05.916117: | libevent_malloc: newref ptr-libevent@0x55e8fe9f6f88 size 16
Oct 31 15:25:05.916380: | global one-shot timer EVENT_CHECK_CRLS initialized
Oct 31 15:25:05.916489: SELinux support is enabled in PERMISSIVE mode.
Oct 31 15:25:05.916675: | starting helper thread 2
Oct 31 15:25:05.916683: seccomp security disabled for crypto helper 2
Oct 31 15:25:05.916687: | status value returned by setting the priority of this helper thread 2: 22
Oct 31 15:25:05.916690: | helper thread 2 has nothing to do
Oct 31 15:25:05.916693: | unbound context created - setting debug level to 5
Oct 31 15:25:05.916724: | /etc/hosts lookups activated
Oct 31 15:25:05.916738: | /etc/resolv.conf usage activated
Oct 31 15:25:05.916782: | outgoing-port-avoid set 0-65535
Oct 31 15:25:05.916805: | outgoing-port-permit set 32768-60999
Oct 31 15:25:05.916809: | loading dnssec root key from:/var/lib/unbound/root.key
Oct 31 15:25:05.916812: | no additional dnssec trust anchors defined via dnssec-trusted= option
Oct 31 15:25:05.916816: | Setting up events, loop start
Oct 31 15:25:05.916819: | add_fd_read_event_handler: newref PLUTO_CTL_FD-pe@0x55e8fea03f28
Oct 31 15:25:05.916822: | libevent_malloc: newref ptr-libevent@0x55e8fea00ae8 size 128
Oct 31 15:25:05.916826: | libevent_malloc: newref ptr-libevent@0x55e8fe9f79a8 size 16
Oct 31 15:25:05.916833: | libevent_realloc: newref ptr-libevent@0x55e8fea03f98 size 256
Oct 31 15:25:05.916835: | libevent_malloc: newref ptr-libevent@0x55e8fe9f7608 size 8
Oct 31 15:25:05.916837: | libevent_realloc: newref ptr-libevent@0x55e8fe9f8008 size 144
Oct 31 15:25:05.916839: | libevent_malloc: newref ptr-libevent@0x55e8fe9ba378 size 152
Oct 31 15:25:05.916841: | libevent_malloc: newref ptr-libevent@0x55e8fe9f77b8 size 16
Oct 31 15:25:05.916844: | signal event handler PLUTO_SIGCHLD installed
Oct 31 15:25:05.916850: | libevent_malloc: newref ptr-libevent@0x55e8fea040c8 size 8
Oct 31 15:25:05.916855: | libevent_malloc: newref ptr-libevent@0x55e8fe9569d8 size 152
Oct 31 15:25:05.916858: | signal event handler PLUTO_SIGTERM installed
Oct 31 15:25:05.916865: | libevent_malloc: newref ptr-libevent@0x55e8fea04108 size 8
Oct 31 15:25:05.916868: | libevent_malloc: newref ptr-libevent@0x55e8fe956738 size 152
Oct 31 15:25:05.916871: | signal event handler PLUTO_SIGHUP installed
Oct 31 15:25:05.916874: | libevent_malloc: newref ptr-libevent@0x55e8fea04148 size 8
Oct 31 15:25:05.916877: | libevent_realloc: delref ptr-libevent@0x55e8fe9f8008
Oct 31 15:25:05.916880: | libevent_realloc: newref ptr-libevent@0x55e8fea04188 size 256
Oct 31 15:25:05.916883: | libevent_malloc: newref ptr-libevent@0x55e8fea042b8 size 152
Oct 31 15:25:05.916886: | signal event handler PLUTO_SIGSYS installed
Oct 31 15:25:05.917167: | created addconn helper (pid:2162943) using fork+execve
Oct 31 15:25:05.917185: | forked child 2162943
Oct 31 15:25:05.917203: seccomp security disabled
Oct 31 15:25:05.921192: | newref struct fd@0x55e8fea04418(0->1) (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:05.921239: | fd_accept: new fd-fd@0x55e8fea04418 (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:05.921255: | whack: listen
Oct 31 15:25:05.921258: listening for IKE messages
Oct 31 15:25:05.921308: | Inspecting interface lo
Oct 31 15:25:05.921314: | found lo with address 127.0.0.1
Oct 31 15:25:05.921317: | Inspecting interface eth0
Oct 31 15:25:05.921320: | found eth0 with address 192.0.2.254
Oct 31 15:25:05.921322: | Inspecting interface eth1
Oct 31 15:25:05.921326: | found eth1 with address 192.1.2.23
Oct 31 15:25:05.921333: | newref struct iface_dev@0x55e8fea04938(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:25:05.921369: Kernel supports NIC esp-hw-offload
Oct 31 15:25:05.921394: | iface: marking eth1 add
Oct 31 15:25:05.921401: | newref struct iface_dev@0x55e8fea04a68(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:25:05.921422: | iface: marking eth0 add
Oct 31 15:25:05.921427: | newref struct iface_dev@0x55e8fea04b38(0->1) (in add_iface_dev() at iface.c:67)
Oct 31 15:25:05.921449: | iface: marking lo add
Oct 31 15:25:05.921514: | no interfaces to sort
Oct 31 15:25:05.921533: | MSG_ERRQUEUE enabled on fd 18
Oct 31 15:25:05.921547: | addref ifd@0x55e8fea04938(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921551: adding UDP interface eth1 192.1.2.23:500
Oct 31 15:25:05.921573: | MSG_ERRQUEUE enabled on fd 19
Oct 31 15:25:05.921583: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:25:05.921587: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:25:05.921591: | addref ifd@0x55e8fea04938(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921595: adding UDP interface eth1 192.1.2.23:4500
Oct 31 15:25:05.921609: | MSG_ERRQUEUE enabled on fd 20
Oct 31 15:25:05.921619: | addref ifd@0x55e8fea04a68(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921623: adding UDP interface eth0 192.0.2.254:500
Oct 31 15:25:05.921640: | MSG_ERRQUEUE enabled on fd 21
Oct 31 15:25:05.921651: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:25:05.921655: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:25:05.921659: | addref ifd@0x55e8fea04a68(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921663: adding UDP interface eth0 192.0.2.254:4500
Oct 31 15:25:05.921679: | MSG_ERRQUEUE enabled on fd 22
Oct 31 15:25:05.921688: | addref ifd@0x55e8fea04b38(1->2) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921756: adding UDP interface lo 127.0.0.1:500
Oct 31 15:25:05.921773: | MSG_ERRQUEUE enabled on fd 23
Oct 31 15:25:05.921779: | NAT-Traversal: Trying sockopt style NAT-T
Oct 31 15:25:05.921781: | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4
Oct 31 15:25:05.921784: | addref ifd@0x55e8fea04b38(2->3) (in bind_iface_port() at iface.c:237)
Oct 31 15:25:05.921786: adding UDP interface lo 127.0.0.1:4500
Oct 31 15:25:05.921789: | updating interfaces - listing interfaces that are going down
Oct 31 15:25:05.921791: | updating interfaces - checking orientation
Oct 31 15:25:05.921792: | FOR_EACH_UNORIENTED_CONNECTION_... in check_orientations
Oct 31 15:25:05.921824: | libevent_malloc: newref ptr-libevent@0x55e8fea00a38 size 128
Oct 31 15:25:05.921830: | libevent_malloc: newref ptr-libevent@0x55e8fea04e78 size 16
Oct 31 15:25:05.921840: | setup callback for interface lo 127.0.0.1:4500 fd 23 on UDP
Oct 31 15:25:05.921845: | libevent_malloc: newref ptr-libevent@0x55e8fe9c40c8 size 128
Oct 31 15:25:05.921848: | libevent_malloc: newref ptr-libevent@0x55e8fea05518 size 16
Oct 31 15:25:05.921854: | setup callback for interface lo 127.0.0.1:500 fd 22 on UDP
Oct 31 15:25:05.921857: | libevent_malloc: newref ptr-libevent@0x55e8fe9b9388 size 128
Oct 31 15:25:05.921860: | libevent_malloc: newref ptr-libevent@0x55e8fea05558 size 16
Oct 31 15:25:05.921865: | setup callback for interface eth0 192.0.2.254:4500 fd 21 on UDP
Oct 31 15:25:05.921868: | libevent_malloc: newref ptr-libevent@0x55e8fe9c41c8 size 128
Oct 31 15:25:05.921869: | libevent_malloc: newref ptr-libevent@0x55e8fea05598 size 16
Oct 31 15:25:05.921872: | setup callback for interface eth0 192.0.2.254:500 fd 20 on UDP
Oct 31 15:25:05.921875: | libevent_malloc: newref ptr-libevent@0x55e8fe9c0be8 size 128
Oct 31 15:25:05.921877: | libevent_malloc: newref ptr-libevent@0x55e8fea055d8 size 16
Oct 31 15:25:05.921880: | setup callback for interface eth1 192.1.2.23:4500 fd 19 on UDP
Oct 31 15:25:05.921881: | libevent_malloc: newref ptr-libevent@0x55e8fe9c0b38 size 128
Oct 31 15:25:05.921883: | libevent_malloc: newref ptr-libevent@0x55e8fea05618 size 16
Oct 31 15:25:05.921886: | setup callback for interface eth1 192.1.2.23:500 fd 18 on UDP
Oct 31 15:25:05.922565: | starting helper thread 1
Oct 31 15:25:05.922579: seccomp security disabled for crypto helper 1
Oct 31 15:25:05.922585: | status value returned by setting the priority of this helper thread 1: 22
Oct 31 15:25:05.922590: | helper thread 1 has nothing to do
Oct 31 15:25:05.923442: | no stale xfrmi interface 'ipsec1' found
Oct 31 15:25:05.923457: | certs and keys locked by 'free_preshared_secrets'
Oct 31 15:25:05.923462: | certs and keys unlocked by 'free_preshared_secrets'
Oct 31 15:25:05.923493: loading secrets from "/etc/ipsec.secrets"
Oct 31 15:25:05.923516: | id type added to secret(0x55e8fea06f28) PKK_PSK: @east
Oct 31 15:25:05.923521: | id type added to secret(0x55e8fea06f28) PKK_PSK: @north
Oct 31 15:25:05.923526: | processing PSK at line 1: passed
Oct 31 15:25:05.923528: | certs and keys locked by 'process_secret'
Oct 31 15:25:05.923530: | certs and keys unlocked by 'process_secret'
Oct 31 15:25:05.923534: | old food groups:
Oct 31 15:25:05.923536: | new food groups:
Oct 31 15:25:05.923543: | delref fd@0x55e8fea04418(1->0) (in whack_handle_cb() at rcv_whack.c:903)
Oct 31 15:25:05.923552: | freeref fd-fd@0x55e8fea04418 (in whack_handle_cb() at rcv_whack.c:903)
Oct 31 15:25:05.923561: | spent 0.765 (2.38) milliseconds in whack
Oct 31 15:25:05.923918: | processing signal PLUTO_SIGCHLD
Oct 31 15:25:05.923930: | waitpid returned pid 2162943 (exited with status 0)
Oct 31 15:25:05.923934: | reaped addconn helper child (status 0)
Oct 31 15:25:05.923939: | waitpid returned ECHILD (no child processes left)
Oct 31 15:25:05.923943: | spent 0.0174 (0.0172) milliseconds in signal handler PLUTO_SIGCHLD
Oct 31 15:25:05.951565: | newref struct fd@0x55e8fea04458(0->1) (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:05.951586: | fd_accept: new fd-fd@0x55e8fea04458 (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:05.951599: | whack: options (impair|debug)
Oct 31 15:25:05.951605: | old debugging base+cpu-usage + none
Oct 31 15:25:05.951608: | new debugging = base+cpu-usage
Oct 31 15:25:05.951614: | delref fd@0x55e8fea04458(1->0) (in whack_handle_cb() at rcv_whack.c:903)
Oct 31 15:25:05.951621: | freeref fd-fd@0x55e8fea04458 (in whack_handle_cb() at rcv_whack.c:903)
Oct 31 15:25:05.951630: | spent 0.0773 (0.0768) milliseconds in whack
Oct 31 15:25:06.018950: | newref struct fd@0x55e8fea04498(0->1) (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:06.018966: | fd_accept: new fd-fd@0x55e8fea04498 (in whack_handle_cb() at rcv_whack.c:869)
Oct 31 15:25:06.018989: | whack: delete 'northnet-eastnet/0x1'
Oct 31 15:25:06.018999: | FOR_EACH_CONNECTION_... in conn_by_name
Oct 31 15:25:06.019002: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Oct 31 15:25:06.019005: | FOR_EACH_CONNECTION_... in conn_by_name
Oct 31 15:25:06.019007: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias
Oct 31 15:25:06.019010: | whack: connection 'northnet-eastnet/0x1'
Oct 31 15:25:06.019015: | addref fd@0x55e8fea04498(1->2) (in string_logger() at log.c:838)
Oct 31 15:25:06.019019: | newref string logger@0x55e8fe9f7d68(0->1) (in add_connection() at connections.c:1998)
Oct 31 15:25:06.019023: | Connection DB: adding connection "northnet-eastnet/0x1" $1
Oct 31 15:25:06.019030: | FOR_EACH_CONNECTION_... in conn_by_name
Oct 31 15:25:06.019044: | added new connection northnet-eastnet/0x1 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO
Oct 31 15:25:06.019122: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31
Oct 31 15:25:06.019127: | from whack: got --esp=
Oct 31 15:25:06.019174: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128
Oct 31 15:25:06.019181: | counting wild cards for @north is 0
Oct 31 15:25:06.019185: | counting wild cards for @east is 0
Oct 31 15:25:06.019189: | updating connection from left.host_addr
Oct 31 15:25:06.019193: | right host_nexthop 192.1.3.33
Oct 31 15:25:06.019196: | left host_port 500
Oct 31 15:25:06.019222: | updating connection from right.host_addr
Oct 31 15:25:06.019228: | left host_nexthop 192.1.2.23
Oct 31 15:25:06.019231: | right host_port 500
Oct 31 15:25:06.019237: | orienting northnet-eastnet/0x1
Oct 31 15:25:06.019243: | northnet-eastnet/0x1 doesn't match 127.0.0.1:4500 at all
Oct 31 15:25:06.019247: | northnet-eastnet/0x1 doesn't match 127.0.0.1:500 at all
Oct 31 15:25:06.019251: | northnet-eastnet/0x1 doesn't match 192.0.2.254:4500 at all
Oct 31 15:25:06.019255: | northnet-eastnet/0x1 doesn't match 192.0.2.254:500 at all
Oct 31 15:25:06.019259: | northnet-eastnet/0x1 doesn't match 192.1.2.23:4500 at all
Oct 31 15:25:06.019261: | oriented northnet-eastnet/0x1's that
Oct 31 15:25:06.019264: | swapping ends so that that is this
Oct 31 15:25:06.019270: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@(nil):
none Oct 31 15:25:06.019278: | newref hp@0x55e8fea077d8(0->1) (in connect_to_host_pair() at hostpair.c:290) Oct 31 15:25:06.019282: added IKEv2 connection "northnet-eastnet/0x1" Oct 31 15:25:06.019291: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO Oct 31 15:25:06.019302: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Oct 31 15:25:06.019306: | delref logger@0x55e8fe9f7d68(1->0) (in add_connection() at connections.c:2026) Oct 31 15:25:06.019310: | delref fd@0x55e8fea04498(2->1) (in free_logger() at log.c:853) Oct 31 15:25:06.019313: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:06.019317: | delref fd@0x55e8fea04498(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.019323: | freeref fd-fd@0x55e8fea04498 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.019331: | spent 0.363 (0.394) milliseconds in whack Oct 31 15:25:06.019397: | newref struct fd@0x55e8fea05698(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.019401: | fd_accept: new fd-fd@0x55e8fea05698 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.019417: | whack: delete 'northnet-eastnet/0x2' Oct 31 15:25:06.019420: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:06.019426: | FOR_EACH_CONNECTION_... in foreach_connection_by_alias Oct 31 15:25:06.019429: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:06.019431: | FOR_EACH_CONNECTION_... 
in foreach_connection_by_alias Oct 31 15:25:06.019434: | whack: connection 'northnet-eastnet/0x2' Oct 31 15:25:06.019437: | addref fd@0x55e8fea05698(1->2) (in string_logger() at log.c:838) Oct 31 15:25:06.019440: | newref string logger@0x55e8fea045c8(0->1) (in add_connection() at connections.c:1998) Oct 31 15:25:06.019450: | Connection DB: adding connection "northnet-eastnet/0x2" $2 Oct 31 15:25:06.019455: | FOR_EACH_CONNECTION_... in conn_by_name Oct 31 15:25:06.019461: | added new connection northnet-eastnet/0x2 with policy PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO Oct 31 15:25:06.019526: | ike (phase1) algorithm values: AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31, AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 Oct 31 15:25:06.019530: | from whack: got --esp= Oct 31 15:25:06.019578: | ESP/AH string values: AES_GCM_16_256-NONE, AES_GCM_16_128-NONE, AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128, AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 Oct 31 15:25:06.019583: | counting wild cards for @north is 0 Oct 31 15:25:06.019587: | counting wild cards for @east is 0 Oct 31 15:25:06.019590: | updating connection from left.host_addr Oct 31 15:25:06.019594: | right host_nexthop 192.1.3.33 Oct 31 15:25:06.019597: | left host_port 500 Oct 31 15:25:06.019599: | updating connection from right.host_addr Oct 31 15:25:06.019602: | left host_nexthop 192.1.2.23 Oct 31 15:25:06.019605: | right host_port 500 Oct 31 15:25:06.019608: | orienting northnet-eastnet/0x2 Oct 31 15:25:06.019612: | northnet-eastnet/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:25:06.019616: | northnet-eastnet/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:25:06.019620: | 
northnet-eastnet/0x2 doesn't match 192.0.2.254:4500 at all Oct 31 15:25:06.019624: | northnet-eastnet/0x2 doesn't match 192.0.2.254:500 at all Oct 31 15:25:06.019627: | northnet-eastnet/0x2 doesn't match 192.1.2.23:4500 at all Oct 31 15:25:06.019630: | oriented northnet-eastnet/0x2's that Oct 31 15:25:06.019632: | swapping ends so that that is this Oct 31 15:25:06.019637: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:06.019642: | connect_to_host_pair: 192.1.2.23:500 192.1.3.33:500 -> hp@0x55e8fea077d8: northnet-eastnet/0x1 Oct 31 15:25:06.019645: added IKEv2 connection "northnet-eastnet/0x2" Oct 31 15:25:06.019653: | ike_life: 3600; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO Oct 31 15:25:06.019663: | 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24 Oct 31 15:25:06.019666: | delref logger@0x55e8fea045c8(1->0) (in add_connection() at connections.c:2026) Oct 31 15:25:06.019669: | delref fd@0x55e8fea05698(2->1) (in free_logger() at log.c:853) Oct 31 15:25:06.019671: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:06.019675: | delref fd@0x55e8fea05698(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.019681: | freeref fd-fd@0x55e8fea05698 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.019686: | spent 0.289 (0.295) milliseconds in whack Oct 31 15:25:06.084027: | newref struct fd@0x55e8fea07888(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.084042: | fd_accept: new fd-fd@0x55e8fea07888 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.084052: | whack: status Oct 31 15:25:06.084248: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:06.084257: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:06.084369: | FOR_EACH_STATE_... 
in show_states (sort_states) Oct 31 15:25:06.084383: | delref fd@0x55e8fea07888(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.084391: | freeref fd-fd@0x55e8fea07888 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.084399: | spent 0.366 (0.38) milliseconds in whack Oct 31 15:25:06.151875: | newref struct fd@0x55e8fea085c8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.151890: | fd_accept: new fd-fd@0x55e8fea085c8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:06.151900: | whack: options (impair|debug) Oct 31 15:25:06.151904: | old debugging base+cpu-usage + none Oct 31 15:25:06.151906: | new debugging = base+cpu-usage Oct 31 15:25:06.151909: | suppress-retransmits:yes Oct 31 15:25:06.151912: | delref fd@0x55e8fea085c8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.151919: | freeref fd-fd@0x55e8fea085c8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:06.151926: | spent 0.0609 (0.0607) milliseconds in whack Oct 31 15:25:07.056105: | spent 0.00368 (0.00367) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:07.056130: | newref struct msg_digest@0x55e8fea098b8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.056136: | newref alloc logger@0x55e8fea05778(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.056144: | *received 828 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP
Oct 31 15:25:07.056286: | **parse ISAKMP Message: Oct 31 15:25:07.056294: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.056299: | responder SPI: 00 00 00 00 00 00 00 00 Oct 31 15:25:07.056302: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:25:07.056305: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.056308: | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:25:07.056312: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:07.056316: | Message ID: 0 (00 00 00 00) Oct 31 15:25:07.056319: | length: 828 (00 00 03 3c) Oct 31 15:25:07.056323: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) Oct 31 15:25:07.056327: | I am the IKE SA Original Responder
receiving an IKEv2 IKE_SA_INIT request Oct 31 15:25:07.056331: | State DB: IKEv2 state not found (find_v2_ike_sa_by_initiator_spi) Oct 31 15:25:07.056334: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:25:07.056338: | ***parse IKEv2 Security Association Payload: Oct 31 15:25:07.056342: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:25:07.056347: | flags: none (0x0) Oct 31 15:25:07.056351: | length: 436 (01 b4) Oct 31 15:25:07.056354: | processing payload: ISAKMP_NEXT_v2SA (len=432) Oct 31 15:25:07.056357: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:25:07.056360: | ***parse IKEv2 Key Exchange Payload: Oct 31 15:25:07.056363: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:25:07.056367: | flags: none (0x0) Oct 31 15:25:07.056372: | length: 264 (01 08) Oct 31 15:25:07.056374: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.056377: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:25:07.056379: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:25:07.056382: | ***parse IKEv2 Nonce Payload: Oct 31 15:25:07.056385: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:07.056387: | flags: none (0x0) Oct 31 15:25:07.056391: | length: 36 (00 24) Oct 31 15:25:07.056393: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:25:07.056395: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:07.056398: | ***parse IKEv2 Notify Payload: Oct 31 15:25:07.056401: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:07.056404: | flags: none (0x0) Oct 31 15:25:07.056407: | length: 8 (00 08) Oct 31 15:25:07.056410: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.056414: | SPI size: 0 (00) Oct 31 15:25:07.056417: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:25:07.056425: | processing payload: ISAKMP_NEXT_v2N (len=0) Oct 31 15:25:07.056431: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:07.056434: | ***parse IKEv2 Notify Payload: Oct 
31 15:25:07.056437: | next payload type: ISAKMP_NEXT_v2N (0x29) Oct 31 15:25:07.056439: | flags: none (0x0) Oct 31 15:25:07.056443: | length: 28 (00 1c) Oct 31 15:25:07.056446: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.056449: | SPI size: 0 (00) Oct 31 15:25:07.056452: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:25:07.056454: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:25:07.056457: | Now let's proceed with payload (ISAKMP_NEXT_v2N) Oct 31 15:25:07.056460: | ***parse IKEv2 Notify Payload: Oct 31 15:25:07.056463: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.056466: | flags: none (0x0) Oct 31 15:25:07.056470: | length: 28 (00 1c) Oct 31 15:25:07.056472: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.056475: | SPI size: 0 (00) Oct 31 15:25:07.056477: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:25:07.056481: | processing payload: ISAKMP_NEXT_v2N (len=20) Oct 31 15:25:07.056485: | DDOS disabled and no cookie sent, continuing Oct 31 15:25:07.056488: | looking for message matching transition from STATE_PARENT_R0 Oct 31 15:25:07.056491: | trying Respond to IKE_SA_INIT Oct 31 15:25:07.056494: | matched unencrypted message Oct 31 15:25:07.056502: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=ECDSA+IKEV2_ALLOW but ignoring ports Oct 31 15:25:07.056509: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:07.056513: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:25:07.056516: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Oct 31 15:25:07.056520: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Oct 31 15:25:07.056522: | find_next_host_connection returns Oct 31 15:25:07.056528: | find_host_connection local=192.1.2.23:500 remote= policy=ECDSA+IKEV2_ALLOW but ignoring 
ports Oct 31 15:25:07.056532: | find_next_host_connection policy=ECDSA+IKEV2_ALLOW Oct 31 15:25:07.056534: | find_next_host_connection returns Oct 31 15:25:07.056539: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW Oct 31 15:25:07.056546: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:25:07.056553: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:07.056556: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:25:07.056560: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Oct 31 15:25:07.056563: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Oct 31 15:25:07.056565: | find_next_host_connection returns Oct 31 15:25:07.056570: | find_host_connection local=192.1.2.23:500 remote= policy=RSASIG+IKEV2_ALLOW but ignoring ports Oct 31 15:25:07.056573: | find_next_host_connection policy=RSASIG+IKEV2_ALLOW Oct 31 15:25:07.056576: | find_next_host_connection returns Oct 31 15:25:07.056581: | ISAKMP_v2_IKE_SA_INIT message received on 192.1.2.23:500 but no connection has been authorized with policy RSASIG+IKEV2_ALLOW Oct 31 15:25:07.056587: | find_host_connection local=192.1.2.23:500 remote=192.1.3.33:500 policy=PSK+IKEV2_ALLOW but ignoring ports Oct 31 15:25:07.056593: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:07.056596: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:25:07.056600: | found policy = PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x2) Oct 31 15:25:07.056602: | find_next_host_connection returns "northnet-eastnet/0x2" Oct 31 15:25:07.056607: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:25:07.056610: | found policy = 
PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO (northnet-eastnet/0x1) Oct 31 15:25:07.056613: | find_next_host_connection returns "northnet-eastnet/0x1" Oct 31 15:25:07.056616: | find_next_host_connection policy=PSK+IKEV2_ALLOW Oct 31 15:25:07.056619: | find_next_host_connection returns Oct 31 15:25:07.056622: | found connection: "northnet-eastnet/0x2" with policy PSK+IKEV2_ALLOW Oct 31 15:25:07.056656: | newref alloc logger@0x55e8fe9f79e8(0->1) (in new_state() at state.c:576) Oct 31 15:25:07.056661: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:25:07.056664: | creating state object #1 at 0x55e8fea0b228 Oct 31 15:25:07.056667: | State DB: adding IKEv2 state #1 in UNDEFINED Oct 31 15:25:07.056679: | pstats #1 ikev2.ike started Oct 31 15:25:07.056683: | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) Oct 31 15:25:07.056688: | #1.st_v2_transition NULL -> PARENT_R0->PARENT_R1 (in new_v2_ike_state() at state.c:620) Oct 31 15:25:07.056697: | Message ID: IKE #1 initializing (IKE SA): ike.initiator.sent=0->-1 ike.initiator.recv=0->-1 ike.initiator.last_contact=0->744581.489487 ike.responder.sent=0->-1 ike.responder.recv=0->-1 ike.responder.last_contact=0->744581.489487 ike.wip.initiator=0->-1 ike.wip.responder=0->-1 Oct 31 15:25:07.056703: | orienting northnet-eastnet/0x2 Oct 31 15:25:07.056709: | northnet-eastnet/0x2 doesn't match 127.0.0.1:4500 at all Oct 31 15:25:07.056713: | northnet-eastnet/0x2 doesn't match 127.0.0.1:500 at all Oct 31 15:25:07.056717: | northnet-eastnet/0x2 doesn't match 192.0.2.254:4500 at all Oct 31 15:25:07.056721: | northnet-eastnet/0x2 doesn't match 192.0.2.254:500 at all Oct 31 15:25:07.056725: | northnet-eastnet/0x2 doesn't match 192.1.2.23:4500 at all Oct 31 15:25:07.056728: | oriented northnet-eastnet/0x2's this Oct 31 15:25:07.056736: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1758) Oct 31 15:25:07.056743: | 
Message ID: IKE #1 responder starting message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=-1 ike.responder.recv=-1 ike.responder.last_contact=744581.489487 ike.wip.initiator=-1 ike.wip.responder=-1->0 Oct 31 15:25:07.056746: | calling processor Respond to IKE_SA_INIT Oct 31 15:25:07.056753: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:25:07.056756: | constructing local IKE proposals for northnet-eastnet/0x2 (IKE SA responder matching remote proposals) Oct 31 15:25:07.056766: | converting ike_info AES_GCM_16_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:07.056780: | ... ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056785: | converting ike_info AES_GCM_16_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:07.056791: | ... ikev2_proposal: 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056795: | converting ike_info AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:07.056801: | ... ikev2_proposal: 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056805: | converting ike_info AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-MODP2048+MODP3072+MODP4096+MODP8192+DH19+DH20+DH21+DH31 to ikev2 ... Oct 31 15:25:07.056811: | ... 
ikev2_proposal: 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056817: "northnet-eastnet/0x2": local IKE proposals (IKE SA responder matching remote proposals): Oct 31 15:25:07.056822: "northnet-eastnet/0x2": 1:IKE=AES_GCM_C_256-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056831: "northnet-eastnet/0x2": 2:IKE=AES_GCM_C_128-HMAC_SHA2_512+HMAC_SHA2_256-NONE-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056838: "northnet-eastnet/0x2": 3:IKE=AES_CBC_256-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056844: "northnet-eastnet/0x2": 4:IKE=AES_CBC_128-HMAC_SHA2_512+HMAC_SHA2_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048+MODP3072+MODP4096+MODP8192+ECP_256+ECP_384+ECP_521+CURVE25519 Oct 31 15:25:07.056848: | comparing remote proposals against IKE responder 4 local proposals Oct 31 15:25:07.056854: | local proposal 1 type ENCR has 1 transforms Oct 31 15:25:07.056923: | local proposal 1 type PRF has 2 transforms Oct 31 15:25:07.056926: | local proposal 1 type INTEG has 1 transforms Oct 31 15:25:07.056929: | local proposal 1 type DH has 8 transforms Oct 31 15:25:07.056931: | local proposal 1 type ESN has 0 transforms Oct 31 15:25:07.056935: | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG Oct 31 15:25:07.056938: | local proposal 2 type ENCR has 1 transforms Oct 31 15:25:07.056940: | local proposal 2 type PRF has 2 transforms Oct 31 15:25:07.056943: | local proposal 2 type INTEG has 1 transforms Oct 31 15:25:07.056945: | local proposal 2 type DH has 8 transforms Oct 31 15:25:07.056947: | local proposal 2 type ESN has 0 transforms Oct 31 15:25:07.056950: | local proposal 2 transforms: required: ENCR+PRF+DH; optional: 
INTEG Oct 31 15:25:07.056953: | local proposal 3 type ENCR has 1 transforms Oct 31 15:25:07.056955: | local proposal 3 type PRF has 2 transforms Oct 31 15:25:07.056956: | local proposal 3 type INTEG has 2 transforms Oct 31 15:25:07.056958: | local proposal 3 type DH has 8 transforms Oct 31 15:25:07.056963: | local proposal 3 type ESN has 0 transforms Oct 31 15:25:07.056967: | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:25:07.056969: | local proposal 4 type ENCR has 1 transforms Oct 31 15:25:07.056972: | local proposal 4 type PRF has 2 transforms Oct 31 15:25:07.056974: | local proposal 4 type INTEG has 2 transforms Oct 31 15:25:07.056977: | local proposal 4 type DH has 8 transforms Oct 31 15:25:07.056979: | local proposal 4 type ESN has 0 transforms Oct 31 15:25:07.056982: | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none Oct 31 15:25:07.056986: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.056989: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.056992: | length: 100 (00 64) Oct 31 15:25:07.056995: | prop #: 1 (01) Oct 31 15:25:07.056998: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:07.057001: | spi size: 0 (00) Oct 31 15:25:07.057004: | # transforms: 11 (0b) Oct 31 15:25:07.057007: | Comparing remote proposal 1 containing 11 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:25:07.057011: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057013: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057016: | length: 12 (00 0c) Oct 31 15:25:07.057018: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.057021: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.057023: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.057026: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.057029: | length/value: 256 (01 00) Oct 31 15:25:07.057033: | remote proposal 1 transform 0 
(ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:25:07.057036: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057039: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057046: | length: 8 (00 08) Oct 31 15:25:07.057049: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057051: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:07.057055: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 Oct 31 15:25:07.057058: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 Oct 31 15:25:07.057061: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 Oct 31 15:25:07.057063: | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 Oct 31 15:25:07.057066: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057068: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057071: | length: 8 (00 08) Oct 31 15:25:07.057074: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057076: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:07.057079: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057082: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057085: | length: 8 (00 08) Oct 31 15:25:07.057088: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057090: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.057094: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:25:07.057097: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Oct 31 15:25:07.057099: | remote proposal 1 transform 3 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Oct 31 15:25:07.057102: | remote proposal 1 transform 3 (DH=MODP2048) matches 
local proposal 4 type 4 (DH) transform 0 Oct 31 15:25:07.057105: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057108: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057111: | length: 8 (00 08) Oct 31 15:25:07.057113: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057115: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:07.057117: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057118: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057120: | length: 8 (00 08) Oct 31 15:25:07.057122: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057123: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:07.057125: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057126: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057128: | length: 8 (00 08) Oct 31 15:25:07.057130: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057131: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:07.057133: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057134: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057136: | length: 8 (00 08) Oct 31 15:25:07.057137: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057139: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:07.057141: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057142: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057144: | length: 8 (00 08) Oct 31 15:25:07.057145: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057147: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:07.057148: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057150: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057152: | length: 8 (00 08) Oct 31 15:25:07.057153: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057154: | IKEv2 transform 
ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:07.057156: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057158: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.057161: | length: 8 (00 08) Oct 31 15:25:07.057162: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057164: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:07.057167: | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none Oct 31 15:25:07.057170: | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH Oct 31 15:25:07.057171: | remote proposal 1 matches local proposal 1 Oct 31 15:25:07.057173: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.057175: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.057177: | length: 100 (00 64) Oct 31 15:25:07.057178: | prop #: 2 (02) Oct 31 15:25:07.057180: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:07.057182: | spi size: 0 (00) Oct 31 15:25:07.057183: | # transforms: 11 (0b) Oct 31 15:25:07.057185: | Comparing remote proposal 2 containing 11 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.057187: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057189: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057190: | length: 12 (00 0c) Oct 31 15:25:07.057192: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.057193: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.057195: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.057197: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.057203: | length/value: 128 (00 80) Oct 31 15:25:07.057208: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057210: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057211: | length: 8 (00 08) Oct 31 15:25:07.057213: | IKEv2 transform type: TRANS_TYPE_PRF 
(0x2) Oct 31 15:25:07.057214: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:07.057216: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057218: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057219: | length: 8 (00 08) Oct 31 15:25:07.057221: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057222: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:07.057224: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057225: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057227: | length: 8 (00 08) Oct 31 15:25:07.057229: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057231: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.057233: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057235: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057237: | length: 8 (00 08) Oct 31 15:25:07.057238: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057239: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:07.057241: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057243: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057244: | length: 8 (00 08) Oct 31 15:25:07.057246: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057247: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:07.057249: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057255: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057259: | length: 8 (00 08) Oct 31 15:25:07.057261: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057263: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:07.057267: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057269: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057272: | length: 8 (00 08) Oct 31 15:25:07.057275: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 
15:25:07.057277: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:07.057280: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057285: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057289: | length: 8 (00 08) Oct 31 15:25:07.057291: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057294: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:07.057298: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057300: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057304: | length: 8 (00 08) Oct 31 15:25:07.057306: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057309: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:07.057311: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057312: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.057314: | length: 8 (00 08) Oct 31 15:25:07.057316: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057317: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:07.057321: | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH Oct 31 15:25:07.057326: | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH Oct 31 15:25:07.057330: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.057333: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.057336: | length: 116 (00 74) Oct 31 15:25:07.057339: | prop #: 3 (03) Oct 31 15:25:07.057342: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:07.057345: | spi size: 0 (00) Oct 31 15:25:07.057348: | # transforms: 13 (0d) Oct 31 15:25:07.057351: | Comparing remote proposal 3 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.057354: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057356: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057360: | length: 12 (00 0c) Oct 31 
15:25:07.057363: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.057365: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.057368: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.057371: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.057375: | length/value: 256 (01 00) Oct 31 15:25:07.057378: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057380: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057381: | length: 8 (00 08) Oct 31 15:25:07.057383: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057384: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:07.057386: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057388: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057389: | length: 8 (00 08) Oct 31 15:25:07.057391: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057392: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:07.057394: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057395: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057398: | length: 8 (00 08) Oct 31 15:25:07.057400: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.057404: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.057409: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057411: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057414: | length: 8 (00 08) Oct 31 15:25:07.057417: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.057419: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.057422: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057425: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057428: | length: 8 (00 08) Oct 31 15:25:07.057430: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057433: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.057436: | 
*****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057439: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057445: | length: 8 (00 08) Oct 31 15:25:07.057447: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057450: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:07.057454: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057456: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057458: | length: 8 (00 08) Oct 31 15:25:07.057460: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057461: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:07.057463: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057464: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057466: | length: 8 (00 08) Oct 31 15:25:07.057468: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057469: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:07.057471: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057472: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057474: | length: 8 (00 08) Oct 31 15:25:07.057475: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057477: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:07.057479: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057480: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057482: | length: 8 (00 08) Oct 31 15:25:07.057483: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057485: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:07.057486: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057488: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057489: | length: 8 (00 08) Oct 31 15:25:07.057491: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057492: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:07.057494: | *****parse 
IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057495: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.057497: | length: 8 (00 08) Oct 31 15:25:07.057499: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057500: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:07.057503: | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:25:07.057505: | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:25:07.057507: | ****parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.057508: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.057510: | length: 116 (00 74) Oct 31 15:25:07.057511: | prop #: 4 (04) Oct 31 15:25:07.057513: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:07.057515: | spi size: 0 (00) Oct 31 15:25:07.057516: | # transforms: 13 (0d) Oct 31 15:25:07.057518: | Comparing remote proposal 4 containing 13 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.057520: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057522: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057523: | length: 12 (00 0c) Oct 31 15:25:07.057525: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.057526: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.057528: | ******parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.057530: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.057531: | length/value: 128 (00 80) Oct 31 15:25:07.057533: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057535: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057536: | length: 8 (00 08) Oct 31 15:25:07.057538: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057539: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:07.057541: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057542: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057544: | length: 8 (00 08) Oct 31 15:25:07.057545: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.057548: | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) Oct 31 15:25:07.057550: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057551: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057553: | length: 8 (00 08) Oct 31 15:25:07.057555: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.057556: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.057558: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057559: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057561: | length: 8 (00 08) Oct 31 15:25:07.057562: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.057564: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.057565: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057567: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057569: | length: 8 (00 08) Oct 31 15:25:07.057570: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057571: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.057573: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057574: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057576: | length: 8 (00 08) Oct 31 15:25:07.057578: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057579: | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) Oct 31 15:25:07.057581: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057582: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057584: | length: 8 (00 08) Oct 31 15:25:07.057585: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057587: | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) Oct 31 15:25:07.057588: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057590: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057591: | length: 8 (00 08) Oct 31 15:25:07.057593: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057594: | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) Oct 31 15:25:07.057596: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057597: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057599: | length: 8 (00 08) Oct 31 15:25:07.057600: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057602: | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) Oct 31 15:25:07.057603: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057605: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057607: | length: 8 (00 08) Oct 31 15:25:07.057608: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057609: | IKEv2 transform ID: OAKLEY_GROUP_ECP_384 (0x14) Oct 31 15:25:07.057611: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057612: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.057614: | length: 8 (00 08) Oct 31 15:25:07.057616: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057617: | IKEv2 transform ID: OAKLEY_GROUP_ECP_521 (0x15) Oct 31 15:25:07.057619: | *****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.057620: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.057622: | length: 8 (00 08) Oct 31 15:25:07.057623: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.057625: | IKEv2 transform ID: OAKLEY_GROUP_CURVE25519 (0x1f) Oct 31 15:25:07.057627: | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH Oct 31 15:25:07.057629: | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH Oct 31 15:25:07.057633: "northnet-eastnet/0x2" #1: proposal 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256;DH=ECP_384;DH=ECP_521;DH=CURVE25519 Oct 31 15:25:07.057637: | accepted IKE proposal ikev2_proposal: 1:IKE=AES_GCM_C_256-HMAC_SHA2_512-MODP2048 Oct 31 15:25:07.057639: | converting proposal to internal trans attrs Oct 31 15:25:07.057644: | nat: IKE.SPIr is zero Oct 31 15:25:07.057658: | natd_hash: hasher=0x55e8fd703f80(20) Oct 31 15:25:07.057659: | natd_hash: icookie= Oct 31 15:25:07.057661: | be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.057662: | natd_hash: rcookie= Oct 31 15:25:07.057664: | 00 00 00 00 00 00 00 00 Oct 31 15:25:07.057665: | natd_hash: ip= Oct 31 15:25:07.057666: | c0 01 02 17 Oct 31 15:25:07.057668: | natd_hash: port= Oct 31 15:25:07.057669: | 01 f4 Oct 31 15:25:07.057670: | natd_hash: hash= Oct 31 15:25:07.057672: | 48 5d 05 ba 6b fb f5 54 b7 59 d2 3f ec d7 33 f7 Oct 31 15:25:07.057673: | e9 69 18 c3 Oct 31 15:25:07.057675: | nat: IKE.SPIr is zero Oct 31 15:25:07.057680: | natd_hash: hasher=0x55e8fd703f80(20) Oct 31 15:25:07.057682: | natd_hash: icookie= Oct 31 15:25:07.057683: | be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.057684: | natd_hash: rcookie= Oct 31 15:25:07.057686: | 00 00 00 00 00 00 00 00 Oct 31 15:25:07.057687: | natd_hash: ip= Oct 31 15:25:07.057688: | c0 01 03 21 Oct 31 15:25:07.057690: | natd_hash: port= Oct 31 15:25:07.057691: | 01 f4 Oct 31 15:25:07.057692: 
| natd_hash: hash= Oct 31 15:25:07.057694: | 9a 17 c0 c3 ae 40 38 a7 19 2f c7 75 55 77 0c 82 Oct 31 15:25:07.057695: | 5c c6 ae 64 Oct 31 15:25:07.057697: | NAT_TRAVERSAL encaps using auto-detect Oct 31 15:25:07.057699: | NAT_TRAVERSAL this end is NOT behind NAT Oct 31 15:25:07.057700: | NAT_TRAVERSAL that end is NOT behind NAT Oct 31 15:25:07.057702: | NAT_TRAVERSAL nat-keepalive enabled 192.1.3.33 Oct 31 15:25:07.057707: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:07.057709: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:07.057711: | newref clone logger@0x55e8fe9f7cf8(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:07.057713: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): adding job to queue Oct 31 15:25:07.057715: | state #1 has no .st_event to delete Oct 31 15:25:07.057717: | #1 STATE_PARENT_R0: retransmits: cleared Oct 31 15:25:07.057719: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e6b8 Oct 31 15:25:07.057721: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:25:07.057723: | libevent_malloc: newref ptr-libevent@0x55e8fea0d9c8 size 128 Oct 31 15:25:07.057738: | #1 spent 0.929 (0.986) milliseconds in processing: Respond to IKE_SA_INIT in v2_dispatch() Oct 31 15:25:07.057742: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.057747: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_SUSPEND Oct 31 15:25:07.057754: | suspending state #1 and saving MD 0x55e8fea098b8 Oct 31 15:25:07.057748: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper 3 starting job Oct 31 15:25:07.057757: | addref md@0x55e8fea098b8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:07.059238: | #1 is busy; has suspended MD 0x55e8fea098b8 Oct 31 15:25:07.059249: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 
(in ikev2_process_packet() at ikev2.c:1760) Oct 31 15:25:07.059258: | #1 spent 1.62 (3.16) milliseconds in ikev2_process_packet() Oct 31 15:25:07.059262: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:25:07.059265: | delref mdp@0x55e8fea098b8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:07.059273: | spent 1.63 (3.18) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:07.059773: | "northnet-eastnet/0x2" #1: spent 1.99 (2.03) milliseconds in helper 3 processing job 1 for state #1: ikev2_inI1outR1 KE (pcr) Oct 31 15:25:07.059782: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): helper thread 3 sending result back to state Oct 31 15:25:07.059785: | scheduling resume sending helper answer back to state for #1 Oct 31 15:25:07.059789: | libevent_malloc: newref ptr-libevent@0x7ffb88006108 size 128 Oct 31 15:25:07.059798: | helper thread 3 has nothing to do Oct 31 15:25:07.059807: | processing resume sending helper answer back to state for #1 Oct 31 15:25:07.059816: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:07.059821: | unsuspending #1 MD 0x55e8fea098b8 Oct 31 15:25:07.059824: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): processing response from helper 3 Oct 31 15:25:07.059827: | job 1 for #1: ikev2_inI1outR1 KE (build KE and nonce): calling continuation function 0x55e8fd611fe7 Oct 31 15:25:07.059830: | ikev2_parent_inI1outR1_continue() for #1 STATE_PARENT_R0: calculated ke+nonce, sending R1 Oct 31 15:25:07.059861: | opening output PBS reply packet Oct 31 15:25:07.059866: | **emit ISAKMP Message: Oct 31 15:25:07.059871: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.059875: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.059878: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:07.059881: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.059884: | 
exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) Oct 31 15:25:07.059887: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:25:07.059891: | Message ID: 0 (00 00 00 00) Oct 31 15:25:07.059894: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:07.059898: | emitting ikev2_proposal ... Oct 31 15:25:07.059901: | ***emit IKEv2 Security Association Payload: Oct 31 15:25:07.059904: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.059907: | flags: none (0x0) Oct 31 15:25:07.059910: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:25:07.059912: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.059917: | ****emit IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.059920: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.059923: | prop #: 1 (01) Oct 31 15:25:07.059925: | proto ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:07.059928: | spi size: 0 (00) Oct 31 15:25:07.059931: | # transforms: 3 (03) Oct 31 15:25:07.059934: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:25:07.059937: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.059940: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.059942: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.059944: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.059947: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.059950: | ******emit IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.059952: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.059955: | length/value: 256 (01 00) Oct 31 15:25:07.059959: | emitting length of IKEv2 Transform Substructure 
Payload: 12 Oct 31 15:25:07.059962: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.059964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.059967: | IKEv2 transform type: TRANS_TYPE_PRF (0x2) Oct 31 15:25:07.059969: | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) Oct 31 15:25:07.059974: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.059977: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.059980: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:07.059982: | *****emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.059985: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.059987: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.059990: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.059993: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.059995: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.059998: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:07.060000: | emitting length of IKEv2 Proposal Substructure Payload: 36 Oct 31 15:25:07.060003: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:25:07.060005: | emitting length of IKEv2 Security Association Payload: 40 Oct 31 15:25:07.060007: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:25:07.060012: | DH 
secret MODP2048@0x7ffb88006ba8: transferring ownership from helper KE to state #1 Oct 31 15:25:07.060015: | ***emit IKEv2 Key Exchange Payload: Oct 31 15:25:07.060018: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.060021: | flags: none (0x0) Oct 31 15:25:07.060036: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.060039: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:25:07.060041: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.060045: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:25:07.060048: | ikev2 g^x: Oct 31 15:25:07.060085: | emitting length of IKEv2 
Key Exchange Payload: 264 Oct 31 15:25:07.060088: | ***emit IKEv2 Nonce Payload: Oct 31 15:25:07.060091: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.060093: | flags: none (0x0) Oct 31 15:25:07.060096: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:25:07.060100: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.060103: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:25:07.060105: | IKEv2 nonce: Oct 31 15:25:07.060107: | fe 26 66 b2 8a 91 e3 34 40 b8 79 47 31 ab 1a 1f Oct 31 15:25:07.060109: | a6 51 35 cd 1e 0d 3a 8c bd 10 1a 07 c4 76 9d ba Oct 31 15:25:07.060112: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:25:07.060114: | adding a v2N Payload Oct 31 15:25:07.060117: | ***emit IKEv2 Notify Payload: Oct 31 15:25:07.060119: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.060122: | flags: none (0x0) Oct 31 15:25:07.060124: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.060127: | SPI size: 0 (00) Oct 31 15:25:07.060130: | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) Oct 31 15:25:07.060133: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:07.060135: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.060138: | emitting length of IKEv2 Notify Payload: 8 Oct 31 15:25:07.060141: | NAT-Traversal support [enabled] add v2N payloads. 
Oct 31 15:25:07.060154: | natd_hash: hasher=0x55e8fd703f80(20) Oct 31 15:25:07.060158: | natd_hash: icookie= Oct 31 15:25:07.060160: | be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.060162: | natd_hash: rcookie= Oct 31 15:25:07.060164: | 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.060167: | natd_hash: ip= Oct 31 15:25:07.060169: | c0 01 02 17 Oct 31 15:25:07.060171: | natd_hash: port= Oct 31 15:25:07.060173: | 01 f4 Oct 31 15:25:07.060175: | natd_hash: hash= Oct 31 15:25:07.060177: | 83 45 34 dc bc 5c f5 1e dc e0 4c bd d2 81 db 7a Oct 31 15:25:07.060180: | 29 48 a2 83 Oct 31 15:25:07.060182: | adding a v2N Payload Oct 31 15:25:07.060184: | ***emit IKEv2 Notify Payload: Oct 31 15:25:07.060187: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.060189: | flags: none (0x0) Oct 31 15:25:07.060192: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.060194: | SPI size: 0 (00) Oct 31 15:25:07.060197: | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) Oct 31 15:25:07.060220: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:07.060223: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.060226: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:25:07.060228: | Notify data: Oct 31 15:25:07.060230: | 83 45 34 dc bc 5c f5 1e dc e0 4c bd d2 81 db 7a Oct 31 15:25:07.060232: | 29 48 a2 83 Oct 31 15:25:07.060235: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:25:07.060243: | natd_hash: hasher=0x55e8fd703f80(20) Oct 31 15:25:07.060246: | natd_hash: icookie= Oct 31 15:25:07.060249: | be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.060251: | natd_hash: rcookie= Oct 31 15:25:07.060253: | 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.060255: | natd_hash: ip= Oct 31 15:25:07.060257: | c0 01 03 21 Oct 31 15:25:07.060259: | natd_hash: port= Oct 31 15:25:07.060262: | 01 f4 Oct 31 15:25:07.060264: 
| natd_hash: hash= Oct 31 15:25:07.060266: | ae 40 3c a4 01 ac e0 bc b8 24 66 62 d6 33 c4 6a Oct 31 15:25:07.060268: | 9c 83 b3 fd Oct 31 15:25:07.060271: | adding a v2N Payload Oct 31 15:25:07.060273: | ***emit IKEv2 Notify Payload: Oct 31 15:25:07.060276: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.060278: | flags: none (0x0) Oct 31 15:25:07.060280: | Protocol ID: IKEv2_SEC_PROTO_NONE (0x0) Oct 31 15:25:07.060283: | SPI size: 0 (00) Oct 31 15:25:07.060285: | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) Oct 31 15:25:07.060288: | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) Oct 31 15:25:07.060292: | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.060295: | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload Oct 31 15:25:07.060298: | Notify data: Oct 31 15:25:07.060300: | ae 40 3c a4 01 ac e0 bc b8 24 66 62 d6 33 c4 6a Oct 31 15:25:07.060302: | 9c 83 b3 fd Oct 31 15:25:07.060304: | emitting length of IKEv2 Notify Payload: 28 Oct 31 15:25:07.060307: | emitting length of ISAKMP Message: 432 Oct 31 15:25:07.060314: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.060319: | #1 complete_v2_state_transition() PARENT_R0->PARENT_R1 with status STF_OK Oct 31 15:25:07.060322: | transitioning from state STATE_PARENT_R0 to state STATE_PARENT_R1 Oct 31 15:25:07.060324: | Message ID: updating counters for #1 Oct 31 15:25:07.060338: | Message ID: IKE #1 updating responder received message request 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=-1 ike.responder.recv=-1->0 ike.responder.last_contact=744581.489487->744581.493128 ike.wip.initiator=-1 ike.wip.responder=0->-1 Oct 31 15:25:07.060345: | Message ID: IKE #1 updating 
responder sent message response 0: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=-1->0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.060351: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.060355: | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) Oct 31 15:25:07.060358: | announcing the state transition Oct 31 15:25:07.060364: "northnet-eastnet/0x2" #1: sent IKE_SA_INIT reply {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} Oct 31 15:25:07.060375: | sending 432 bytes for STATE_PARENT_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1)
Oct 31 15:25:07.060499: | sent 1 messages Oct 31 15:25:07.060504: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:07.060508: | libevent_free: delref ptr-libevent@0x55e8fea0d9c8 Oct 31 15:25:07.060512: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e6b8 Oct 31 15:25:07.060516: | event_schedule: newref EVENT_SO_DISCARD-pe@0x55e8fea0d9c8 Oct 31 15:25:07.060519: | inserting event EVENT_SO_DISCARD, timeout in 200 seconds for #1 Oct 31 15:25:07.060521: | libevent_malloc: newref ptr-libevent@0x55e8fea0eb98 size 128 Oct 31 15:25:07.060526: | delref logger@0x55e8fe9f7cf8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:07.060529: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.060531: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.060535: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition() Oct 31 15:25:07.060538: | delref mdp@0x55e8fea098b8(1->0) (in resume_handler() at 
server.c:743) Oct 31 15:25:07.060553: | delref logger@0x55e8fea05778(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:07.060556: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.060558: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.060565: | #1 spent 0.708 (0.743) milliseconds in resume sending helper answer back to state Oct 31 15:25:07.060570: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:07.060573: | libevent_free: delref ptr-libevent@0x7ffb88006108 Oct 31 15:25:07.063411: | spent 0.00206 (0.00206) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:07.063430: | newref struct msg_digest@0x55e8fea098b8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.063436: | newref alloc logger@0x55e8fea05778(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.063447: | *received 366 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP
Oct 31 15:25:07.063507: | **parse ISAKMP Message: Oct 31 15:25:07.063512: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.063517: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.063520: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:25:07.063523: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.063526: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:25:07.063529: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:07.063533: | Message ID: 1 (00 00 00 01) Oct 31 15:25:07.063535: | length: 366 (00 00 01 6e) Oct 31 15:25:07.063538: | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) Oct 31 15:25:07.063540: | I am the IKE SA Original Responder receiving an IKEv2 IKE_AUTH request Oct 31 15:25:07.063544: | State DB: found IKEv2 state #1 in PARENT_R1 (find_v2_ike_sa) Oct 31 15:25:07.063549: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:25:07.063552: | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 Oct 31 15:25:07.063554: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:25:07.063556: | #1 is idle Oct 31 15:25:07.063560: | Message ID: IKE #1 not a duplicate - 
message request 1 is new: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.063564: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:25:07.063565: | unpacking clear payload Oct 31 15:25:07.063567: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:25:07.063570: | ***parse IKEv2 Encryption Payload: Oct 31 15:25:07.063572: | next payload type: ISAKMP_NEXT_v2IDi (0x23) Oct 31 15:25:07.063574: | flags: none (0x0) Oct 31 15:25:07.063579: | length: 338 (01 52) Oct 31 15:25:07.063583: | processing payload: ISAKMP_NEXT_v2SK (len=334) Oct 31 15:25:07.063586: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:25:07.063589: | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:25:07.063592: | calling processor Responder: process IKE_AUTH request (no SKEYSEED) Oct 31 15:25:07.063596: | ikev2 parent ikev2_ike_sa_process_auth_request_no_skeyid(): calculating g^{xy} in order to decrypt I2 Oct 31 15:25:07.063600: | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 Oct 31 15:25:07.063604: | DH secret MODP2048@0x7ffb88006ba8: transferring ownership from state #1 to helper IKEv2 DH Oct 31 15:25:07.063609: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:07.063611: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:07.063615: | newref clone logger@0x55e8fe9f7cf8(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:07.063618: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): adding job to queue Oct 31 15:25:07.063621: | state #1 deleting .st_event EVENT_SO_DISCARD Oct 31 15:25:07.063625: | libevent_free: delref ptr-libevent@0x55e8fea0eb98 Oct 31 15:25:07.063629: | free_event_entry: delref 
EVENT_SO_DISCARD-pe@0x55e8fea0d9c8 Oct 31 15:25:07.063632: | #1 STATE_PARENT_R1: retransmits: cleared Oct 31 15:25:07.063635: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0eb98 Oct 31 15:25:07.063638: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #1 Oct 31 15:25:07.063640: | libevent_malloc: newref ptr-libevent@0x7ffb88006108 size 128 Oct 31 15:25:07.063649: | #1 spent 0.0523 (0.0521) milliseconds in processing: Responder: process IKE_AUTH request (no SKEYSEED) in v2_dispatch() Oct 31 15:25:07.063653: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.063658: | #1 complete_v2_state_transition() PARENT_R1->PARENT_R1 with status STF_SUSPEND; .st_v2_transition=PARENT_R0->PARENT_R1 Oct 31 15:25:07.063659: | suspending state #1 and saving MD 0x55e8fea098b8 Oct 31 15:25:07.063661: | addref md@0x55e8fea098b8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:07.063664: | #1 is busy; has suspended MD 0x55e8fea098b8 Oct 31 15:25:07.063667: | stop processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:25:07.063660: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper 4 starting job Oct 31 15:25:07.063671: | #1 spent 0.269 (0.269) milliseconds in ikev2_process_packet() Oct 31 15:25:07.063682: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:25:07.063684: | delref mdp@0x55e8fea098b8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:07.063687: | spent 0.281 (0.285) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:07.064364: | calculating skeyseed using prf=HMAC_SHA2_512 integ=NONE cipherkey-size=32 salt-size=4 Oct 31 15:25:07.064485: | "northnet-eastnet/0x2" #1: spent 0.801 (0.825) milliseconds in helper 4 processing job 2 for state #1: ikev2_inI2outR2 KE (pcr) Oct 31 15:25:07.064489: 
| job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): helper thread 4 sending result back to state Oct 31 15:25:07.064491: | scheduling resume sending helper answer back to state for #1 Oct 31 15:25:07.064493: | libevent_malloc: newref ptr-libevent@0x7ffb8000b578 size 128 Oct 31 15:25:07.064500: | helper thread 4 has nothing to do Oct 31 15:25:07.064508: | processing resume sending helper answer back to state for #1 Oct 31 15:25:07.064518: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:07.064521: | unsuspending #1 MD 0x55e8fea098b8 Oct 31 15:25:07.064524: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): processing response from helper 4 Oct 31 15:25:07.064525: | job 2 for #1: ikev2_inI2outR2 KE (compute dh (V2)): calling continuation function 0x55e8fd611fe7 Oct 31 15:25:07.064527: | ikev2_ike_sa_process_auth_request_no_skeyid_continue() for #1 STATE_PARENT_R1: calculating g^{xy}, sending R2 Oct 31 15:25:07.064530: | DH secret MODP2048@0x7ffb88006ba8: transferring ownership from helper IKEv2 DH to state #1 Oct 31 15:25:07.064532: | #1 in state PARENT_R1: sent IKE_SA_INIT reply Oct 31 15:25:07.064548: | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success Oct 31 15:25:07.064555: | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) Oct 31 15:25:07.064559: | **parse IKEv2 Identification - Initiator - Payload: Oct 31 15:25:07.064562: | next payload type: ISAKMP_NEXT_v2IDr (0x24) Oct 31 15:25:07.064565: | flags: none (0x0) Oct 31 15:25:07.064569: | length: 13 (00 0d) Oct 31 15:25:07.064571: | ID type: ID_FQDN (0x2) Oct 31 15:25:07.064575: | reserved: 00 00 00 Oct 31 15:25:07.064578: | processing payload: ISAKMP_NEXT_v2IDi (len=5) Oct 31 15:25:07.064580: | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) Oct 31 15:25:07.064583: | **parse IKEv2 Identification - Responder - Payload: Oct 31 15:25:07.064585: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) Oct 31 15:25:07.064588: | flags: none 
(0x0) Oct 31 15:25:07.064592: | length: 12 (00 0c) Oct 31 15:25:07.064595: | ID type: ID_FQDN (0x2) Oct 31 15:25:07.064598: | reserved: 00 00 00 Oct 31 15:25:07.064601: | processing payload: ISAKMP_NEXT_v2IDr (len=4) Oct 31 15:25:07.064603: | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) Oct 31 15:25:07.064607: | **parse IKEv2 Authentication Payload: Oct 31 15:25:07.064609: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:25:07.064610: | flags: none (0x0) Oct 31 15:25:07.064612: | length: 72 (00 48) Oct 31 15:25:07.064614: | auth method: IKEv2_AUTH_SHARED (0x2) Oct 31 15:25:07.064617: | processing payload: ISAKMP_NEXT_v2AUTH (len=64) Oct 31 15:25:07.064622: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:25:07.064627: | **parse IKEv2 Security Association Payload: Oct 31 15:25:07.064630: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:25:07.064632: | flags: none (0x0) Oct 31 15:25:07.064636: | length: 164 (00 a4) Oct 31 15:25:07.064638: | processing payload: ISAKMP_NEXT_v2SA (len=160) Oct 31 15:25:07.064641: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:25:07.064644: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:07.064646: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:25:07.064648: | flags: none (0x0) Oct 31 15:25:07.064652: | length: 24 (00 18) Oct 31 15:25:07.064655: | number of TS: 1 (01) Oct 31 15:25:07.064658: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:25:07.064660: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:25:07.064663: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:07.064666: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.064669: | flags: none (0x0) Oct 31 15:25:07.064672: | length: 24 (00 18) Oct 31 15:25:07.064675: | number of TS: 1 (01) Oct 31 15:25:07.064677: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:25:07.064679: | selected state microcode Responder: process IKE_AUTH request Oct 31 
15:25:07.064684: | Message ID: IKE #1 responder starting message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 ike.wip.initiator=-1 ike.wip.responder=-1->1 Oct 31 15:25:07.064686: | calling processor Responder: process IKE_AUTH request Oct 31 15:25:07.064691: "northnet-eastnet/0x2" #1: processing decrypted IKE_AUTH request: SK{IDi,IDr,AUTH,SA,TSi,TSr} Oct 31 15:25:07.064693: | no certs to decode Oct 31 15:25:07.064698: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:25:07.064700: | received IDr payload - extracting our alleged ID Oct 31 15:25:07.064703: | refine_host_connection for IKEv2: starting with "northnet-eastnet/0x2" Oct 31 15:25:07.064705: | match_id a=@north Oct 31 15:25:07.064707: | b=@north Oct 31 15:25:07.064708: | results matched Oct 31 15:25:07.064711: | refine_host_connection: checking "northnet-eastnet/0x2" against "northnet-eastnet/0x2", best=(none) with match=1(id=1(0)/ca=1(0)/reqca=1(0)) Oct 31 15:25:07.064712: | warning: not switching back to template of current instance Oct 31 15:25:07.064714: | peer expects us to be @east (ID_FQDN) according to its IDr payload Oct 31 15:25:07.064716: | this connection's local id is @east (ID_FQDN) Oct 31 15:25:07.064718: | refine_host_connection: checked "northnet-eastnet/0x2" against "northnet-eastnet/0x2", now for see if best Oct 31 15:25:07.064720: | lsw_get_secret() using IDs for @east->@north of kind PKK_PSK Oct 31 15:25:07.064722: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:25:07.064724: | 1: compared key @north to @east / @north -> 004 Oct 31 15:25:07.064726: | 2: compared key @east to @east / @north -> 014 Oct 31 15:25:07.064728: | line 1: match=014 Oct 31 15:25:07.064730: | match 014 beats previous best_match 000 match=0x55e8fea06f28 (line=1) Oct 31 15:25:07.064731: 
| concluding with best_match=014 best=0x55e8fea06f28 (lineno=1) Oct 31 15:25:07.064733: | returning because exact peer id match Oct 31 15:25:07.064735: | offered CA: '%none' Oct 31 15:25:07.064737: "northnet-eastnet/0x2" #1: IKEv2 mode peer ID is ID_FQDN: '@north' Oct 31 15:25:07.064756: | verifying AUTH payload Oct 31 15:25:07.064759: | ikev2_calculate_psk_sighash() called from STATE_PARENT_R1 to verify PSK with authby=secret Oct 31 15:25:07.064761: | lsw_get_secret() using IDs for @east->@north of kind PKK_PSK Oct 31 15:25:07.064763: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:25:07.064765: | 1: compared key @north to @east / @north -> 004 Oct 31 15:25:07.064767: | 2: compared key @east to @east / @north -> 014 Oct 31 15:25:07.064770: | line 1: match=014 Oct 31 15:25:07.064771: | match 014 beats previous best_match 000 match=0x55e8fea06f28 (line=1) Oct 31 15:25:07.064773: | concluding with best_match=014 best=0x55e8fea06f28 (lineno=1) Oct 31 15:25:07.064807: "northnet-eastnet/0x2" #1: authenticated using authby=secret Oct 31 15:25:07.064819: | parent state #1: PARENT_R1(half-open IKE SA) => ESTABLISHED_IKE_SA(established IKE SA) Oct 31 15:25:07.064822: | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:25:07.064824: | state #1 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:07.064826: | libevent_free: delref ptr-libevent@0x7ffb88006108 Oct 31 15:25:07.064828: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0eb98 Oct 31 15:25:07.064831: | event_schedule: newref EVENT_SA_REKEY-pe@0x55e8fea0f088 Oct 31 15:25:07.064832: | inserting event EVENT_SA_REKEY, timeout in 3330 seconds for #1 Oct 31 15:25:07.064834: | libevent_malloc: newref ptr-libevent@0x55e8fea0ee98 size 128 Oct 31 15:25:07.064914: | pstats #1 ikev2.ike established Oct 31 15:25:07.064923: | opening output PBS reply packet Oct 31 15:25:07.064927: | **emit ISAKMP Message: Oct 31 15:25:07.064932: | initiator SPI: be 24 bd 7a a6 
09 d5 ef Oct 31 15:25:07.064936: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.064940: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:07.064943: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.064946: | exchange type: ISAKMP_v2_IKE_AUTH (0x23) Oct 31 15:25:07.064949: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:25:07.064953: | Message ID: 1 (00 00 00 01) Oct 31 15:25:07.064956: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:07.064960: | IKEv2 CERT: send a certificate? Oct 31 15:25:07.064964: | IKEv2 CERT: policy does not have RSASIG or ECDSA: PSK Oct 31 15:25:07.064966: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:07.064968: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.064969: | flags: none (0x0) Oct 31 15:25:07.064972: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:07.064973: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.064976: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:07.064985: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:25:07.064990: | ****emit IKEv2 Identification - Responder - Payload: Oct 31 15:25:07.064993: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.064995: | flags: none (0x0) Oct 31 15:25:07.064998: | ID type: ID_FQDN (0x2) Oct 31 15:25:07.065000: | reserved: 00 00 00 Oct 31 15:25:07.065003: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) Oct 31 15:25:07.065006: | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.065009: | emitting 4 raw bytes of my identity into IKEv2 
Identification - Responder - Payload Oct 31 15:25:07.065013: | my identity: 65 61 73 74 Oct 31 15:25:07.065015: | emitting length of IKEv2 Identification - Responder - Payload: 12 Oct 31 15:25:07.065017: | added IDr payload to packet Oct 31 15:25:07.065020: | CHILD SA proposals received Oct 31 15:25:07.065022: | going to assemble AUTH payload Oct 31 15:25:07.065024: | ****emit IKEv2 Authentication Payload: Oct 31 15:25:07.065027: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.065029: | flags: none (0x0) Oct 31 15:25:07.065032: | auth method: IKEv2_AUTH_SHARED (0x2) Oct 31 15:25:07.065035: | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) Oct 31 15:25:07.065037: | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.065044: | ikev2_calculate_psk_sighash() called from STATE_V2_ESTABLISHED_IKE_SA to create PSK with authby=secret Oct 31 15:25:07.065047: | lsw_get_secret() using IDs for @east->@north of kind PKK_PSK Oct 31 15:25:07.065051: | line 1: key type PKK_PSK(@east) to type PKK_PSK Oct 31 15:25:07.065054: | 1: compared key @north to @east / @north -> 004 Oct 31 15:25:07.065057: | 2: compared key @east to @east / @north -> 014 Oct 31 15:25:07.065058: | line 1: match=014 Oct 31 15:25:07.065061: | match 014 beats previous best_match 000 match=0x55e8fea06f28 (line=1) Oct 31 15:25:07.065063: | concluding with best_match=014 best=0x55e8fea06f28 (lineno=1) Oct 31 15:25:07.065114: | emitting 64 raw bytes of PSK auth into IKEv2 Authentication Payload Oct 31 15:25:07.065120: | PSK auth: Oct 31 15:25:07.065123: | 64 71 90 0c ae b7 a8 33 9c 9a aa 9c cd d7 8e 9c Oct 31 15:25:07.065125: | f8 0e 0d 4c cf b8 80 84 8f 84 51 e4 04 ac ca c3 Oct 31 15:25:07.065128: | 69 e7 3e 9f f9 9c 5c 0a 49 6e 68 85 02 b8 28 d8 Oct 31 15:25:07.065130: | 8c 5e a6 61 1e 66 37 1d 28 f5 b5 f1 7c f7 65 
3c Oct 31 15:25:07.065132: | emitting length of IKEv2 Authentication Payload: 72 Oct 31 15:25:07.065139: | newref alloc logger@0x55e8fea0eb98(0->1) (in new_state() at state.c:576) Oct 31 15:25:07.065142: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:25:07.065144: | creating state object #2 at 0x55e8fea0f4e8 Oct 31 15:25:07.065146: | State DB: adding IKEv2 state #2 in UNDEFINED Oct 31 15:25:07.065152: | pstats #2 ikev2.child started Oct 31 15:25:07.065154: | duplicating state object #1 "northnet-eastnet/0x2" as #2 for IPSEC SA Oct 31 15:25:07.065158: | #2 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:25:07.065164: | Message ID: CHILD #1.#2 initializing (CHILD SA): ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:25:07.065166: | child state #2: UNDEFINED(ignore) => V2_IKE_AUTH_CHILD_R0(ignore) Oct 31 15:25:07.065169: | #2.st_v2_transition NULL -> NULL (in new_v2_child_state() at state.c:1666) Oct 31 15:25:07.065173: | Message ID: IKE #1 switching from IKE SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 ike.wip.initiator=-1 ike.wip.responder=1->-1 Oct 31 15:25:07.065176: | Message ID: CHILD #1.#2 switching to CHILD SA responder message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0 ike.responder.last_contact=744581.493128 child.wip.initiator=-1 child.wip.responder=-1->1 Oct 31 15:25:07.065179: | switching IKEv2 MD.ST from IKE #1 ESTABLISHED_IKE_SA to CHILD #2 V2_IKE_AUTH_CHILD_R0 (in ike_auth_child_responder() at ikev2_parent.c:3282) Oct 31 15:25:07.065181: | Child SA TS 
Request has child->sa == md->st; so using child connection Oct 31 15:25:07.065183: | TSi: parsing 1 traffic selectors Oct 31 15:25:07.065185: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:07.065187: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.065189: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.065191: | length: 16 (00 10) Oct 31 15:25:07.065193: | start port: 0 (00 00) Oct 31 15:25:07.065195: | end port: 65535 (ff ff) Oct 31 15:25:07.065197: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:07.065221: | TS low Oct 31 15:25:07.065226: | c0 00 03 00 Oct 31 15:25:07.065229: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:07.065230: | TS high Oct 31 15:25:07.065231: | c0 00 03 ff Oct 31 15:25:07.065233: | TSi: parsed 1 traffic selectors Oct 31 15:25:07.065234: | TSr: parsing 1 traffic selectors Oct 31 15:25:07.065238: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:07.065240: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.065241: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.065243: | length: 16 (00 10) Oct 31 15:25:07.065245: | start port: 0 (00 00) Oct 31 15:25:07.065246: | end port: 65535 (ff ff) Oct 31 15:25:07.065248: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:07.065249: | TS low Oct 31 15:25:07.065251: | c0 00 02 00 Oct 31 15:25:07.065252: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:07.065253: | TS high Oct 31 15:25:07.065255: | c0 00 02 ff Oct 31 15:25:07.065256: | TSr: parsed 1 traffic selectors Oct 31 15:25:07.065258: | looking for best SPD in current connection Oct 31 15:25:07.065263: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.065266: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065271: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.065273: | narrow port 
end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.065275: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.065277: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.065279: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065281: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065285: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.065287: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.065288: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.065290: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:25:07.065291: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065293: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.065294: | found better spd route for TSi[0],TSr[0] Oct 31 15:25:07.065296: | looking for better host pair Oct 31 15:25:07.065299: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:07.065302: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Oct 31 15:25:07.065304: | investigating connection "northnet-eastnet/0x2" as a better match Oct 31 15:25:07.065306: | match_id a=@north Oct 31 15:25:07.065307: | b=@north Oct 31 15:25:07.065309: | results matched Oct 31 15:25:07.065312: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.065314: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065318: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.065320: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.065321: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.065323: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.065324: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065327: | TSr[0] 
.net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065330: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.065332: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.065333: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.065335: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:25:07.065337: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065338: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.065340: | investigating connection "northnet-eastnet/0x1" as a better match Oct 31 15:25:07.065341: | match_id a=@north Oct 31 15:25:07.065343: | b=@north Oct 31 15:25:07.065344: | results matched Oct 31 15:25:07.065348: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.065351: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065354: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.065356: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.065357: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.065359: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.065361: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065363: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.065367: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.065368: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.065370: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.065371: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:25:07.065378: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.065380: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.065383: | did not find a better connection using host 
pair Oct 31 15:25:07.065385: | printing contents struct traffic_selector Oct 31 15:25:07.065386: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:07.065388: | ipprotoid: 0 Oct 31 15:25:07.065389: | port range: 0-65535 Oct 31 15:25:07.065392: | ip range: 192.0.2.0-192.0.2.255 Oct 31 15:25:07.065393: | printing contents struct traffic_selector Oct 31 15:25:07.065394: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:07.065396: | ipprotoid: 0 Oct 31 15:25:07.065397: | port range: 0-65535 Oct 31 15:25:07.065399: | ip range: 192.0.3.0-192.0.3.255 Oct 31 15:25:07.065402: | constructing ESP/AH proposals with all DH removed for northnet-eastnet/0x2 (IKE_AUTH responder matching remote ESP/AH proposals) Oct 31 15:25:07.065408: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Oct 31 15:25:07.065414: | ... ikev2_proposal: 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:25:07.065415: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Oct 31 15:25:07.065418: | ... ikev2_proposal: 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:25:07.065421: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:07.065425: | ... ikev2_proposal: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:07.065428: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:07.065432: | ... 
ikev2_proposal: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:07.065435: "northnet-eastnet/0x2": local ESP/AH proposals (IKE_AUTH responder matching remote ESP/AH proposals): Oct 31 15:25:07.065439: "northnet-eastnet/0x2": 1:ESP=AES_GCM_C_256-NONE-NONE-DISABLED Oct 31 15:25:07.065442: "northnet-eastnet/0x2": 2:ESP=AES_GCM_C_128-NONE-NONE-DISABLED Oct 31 15:25:07.065446: "northnet-eastnet/0x2": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:07.065450: "northnet-eastnet/0x2": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-NONE-DISABLED Oct 31 15:25:07.065452: | comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 4 local proposals Oct 31 15:25:07.065456: | local proposal 1 type ENCR has 1 transforms Oct 31 15:25:07.065458: | local proposal 1 type PRF has 0 transforms Oct 31 15:25:07.065460: | local proposal 1 type INTEG has 1 transforms Oct 31 15:25:07.065462: | local proposal 1 type DH has 1 transforms Oct 31 15:25:07.065464: | local proposal 1 type ESN has 1 transforms Oct 31 15:25:07.065468: | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:25:07.065470: | local proposal 2 type ENCR has 1 transforms Oct 31 15:25:07.065472: | local proposal 2 type PRF has 0 transforms Oct 31 15:25:07.065476: | local proposal 2 type INTEG has 1 transforms Oct 31 15:25:07.065478: | local proposal 2 type DH has 1 transforms Oct 31 15:25:07.065480: | local proposal 2 type ESN has 1 transforms Oct 31 15:25:07.065483: | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG+DH Oct 31 15:25:07.065485: | local proposal 3 type ENCR has 1 transforms Oct 31 15:25:07.065487: | local proposal 3 type PRF has 0 transforms Oct 31 15:25:07.065489: | local proposal 3 type INTEG has 2 transforms Oct 31 15:25:07.065491: | local proposal 3 type DH has 1 transforms Oct 31 15:25:07.065493: | local proposal 3 type ESN has 1 transforms Oct 31 15:25:07.065496: 
| local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:25:07.065498: | local proposal 4 type ENCR has 1 transforms Oct 31 15:25:07.065500: | local proposal 4 type PRF has 0 transforms Oct 31 15:25:07.065502: | local proposal 4 type INTEG has 2 transforms Oct 31 15:25:07.065504: | local proposal 4 type DH has 1 transforms Oct 31 15:25:07.065506: | local proposal 4 type ESN has 1 transforms Oct 31 15:25:07.065509: | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: DH Oct 31 15:25:07.065512: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.065514: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.065518: | length: 32 (00 20) Oct 31 15:25:07.065520: | prop #: 1 (01) Oct 31 15:25:07.065523: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.065525: | spi size: 4 (04) Oct 31 15:25:07.065527: | # transforms: 2 (02) Oct 31 15:25:07.065530: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.065532: | remote SPI Oct 31 15:25:07.065534: | 84 30 c8 47 Oct 31 15:25:07.065536: | Comparing remote proposal 1 containing 2 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:25:07.065538: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065540: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065542: | length: 12 (00 0c) Oct 31 15:25:07.065544: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.065546: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.065549: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.065551: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.065553: | length/value: 256 (01 00) Oct 31 15:25:07.065559: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:25:07.065564: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065567: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.065571: 
| length: 8 (00 08) Oct 31 15:25:07.065573: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.065576: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.065580: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:25:07.065583: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Oct 31 15:25:07.065586: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Oct 31 15:25:07.065589: | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Oct 31 15:25:07.065593: | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none Oct 31 15:25:07.065598: | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG+DH; matched: ENCR+ESN Oct 31 15:25:07.065601: | remote proposal 1 matches local proposal 1 Oct 31 15:25:07.065605: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.065607: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.065610: | length: 32 (00 20) Oct 31 15:25:07.065612: | prop #: 2 (02) Oct 31 15:25:07.065614: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.065615: | spi size: 4 (04) Oct 31 15:25:07.065617: | # transforms: 2 (02) Oct 31 15:25:07.065621: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.065622: | remote SPI Oct 31 15:25:07.065624: | 84 30 c8 47 Oct 31 15:25:07.065626: | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.065628: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065629: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065631: | length: 12 (00 0c) Oct 31 15:25:07.065632: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.065634: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 
15:25:07.065635: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.065637: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.065639: | length/value: 128 (00 80) Oct 31 15:25:07.065641: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065642: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.065644: | length: 8 (00 08) Oct 31 15:25:07.065646: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.065647: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.065649: | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN Oct 31 15:25:07.065651: | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN Oct 31 15:25:07.065653: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.065654: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.065656: | length: 48 (00 30) Oct 31 15:25:07.065658: | prop #: 3 (03) Oct 31 15:25:07.065659: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.065661: | spi size: 4 (04) Oct 31 15:25:07.065662: | # transforms: 4 (04) Oct 31 15:25:07.065664: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.065665: | remote SPI Oct 31 15:25:07.065667: | 84 30 c8 47 Oct 31 15:25:07.065668: | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.065671: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065675: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065680: | length: 12 (00 0c) Oct 31 15:25:07.065683: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.065685: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.065688: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.065690: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.065693: | length/value: 256 (01 00) Oct 31 15:25:07.065697: | ****parse IKEv2 Transform Substructure Payload: Oct 31 
15:25:07.065699: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065702: | length: 8 (00 08) Oct 31 15:25:07.065704: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.065707: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.065710: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065712: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065715: | length: 8 (00 08) Oct 31 15:25:07.065717: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.065720: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.065723: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065725: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.065728: | length: 8 (00 08) Oct 31 15:25:07.065730: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.065732: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.065736: | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:25:07.065739: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:25:07.065742: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.065744: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.065747: | length: 48 (00 30) Oct 31 15:25:07.065750: | prop #: 4 (04) Oct 31 15:25:07.065755: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.065758: | spi size: 4 (04) Oct 31 15:25:07.065760: | # transforms: 4 (04) Oct 31 15:25:07.065764: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.065767: | remote SPI Oct 31 15:25:07.065769: | 84 30 c8 47 Oct 31 15:25:07.065772: | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.065774: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065777: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065780: | length: 12 (00 0c) 
Oct 31 15:25:07.065783: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.065785: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.065788: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.065790: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.065793: | length/value: 128 (00 80) Oct 31 15:25:07.065797: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065799: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065802: | length: 8 (00 08) Oct 31 15:25:07.065805: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.065807: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.065810: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065813: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065816: | length: 8 (00 08) Oct 31 15:25:07.065818: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.065820: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.065824: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065826: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.065829: | length: 8 (00 08) Oct 31 15:25:07.065831: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.065834: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.065838: | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN Oct 31 15:25:07.065841: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN Oct 31 15:25:07.065847: "northnet-eastnet/0x2" #2: proposal 1:ESP=AES_GCM_C_256-DISABLED SPI=8430c847 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED Oct 31 15:25:07.065853: | IKE_AUTH responder matching remote ESP/AH proposals 
ikev2_proposal: 1:ESP=AES_GCM_C_256-DISABLED SPI=8430c847 Oct 31 15:25:07.065856: | converting proposal to internal trans attrs Oct 31 15:25:07.065880: | netlink_get_spi: allocated 0x298ff425 for esp.0@192.1.2.23 Oct 31 15:25:07.065883: | emitting ikev2_proposal ... Oct 31 15:25:07.065885: | ****emit IKEv2 Security Association Payload: Oct 31 15:25:07.065887: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.065889: | flags: none (0x0) Oct 31 15:25:07.065891: | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:25:07.065892: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.065895: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.065897: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.065899: | prop #: 1 (01) Oct 31 15:25:07.065900: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.065902: | spi size: 4 (04) Oct 31 15:25:07.065903: | # transforms: 2 (02) Oct 31 15:25:07.065905: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:25:07.065907: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:25:07.065911: | our spi: 29 8f f4 25 Oct 31 15:25:07.065913: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065915: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065916: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.065918: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.065919: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.065921: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.065923: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.065925: | 
length/value: 256 (01 00) Oct 31 15:25:07.065926: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:25:07.065928: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.065930: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.065931: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.065932: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.065934: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.065936: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.065938: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:07.065939: | emitting length of IKEv2 Proposal Substructure Payload: 32 Oct 31 15:25:07.065942: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:25:07.065945: | emitting length of IKEv2 Security Association Payload: 36 Oct 31 15:25:07.065950: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:25:07.065953: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:07.065956: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.065959: | flags: none (0x0) Oct 31 15:25:07.065962: | number of TS: 1 (01) Oct 31 15:25:07.065965: | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:25:07.065968: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.065971: | *****emit IKEv2 Traffic Selector: Oct 31 15:25:07.065973: | TS type: 
IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.065976: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.065979: | start port: 0 (00 00) Oct 31 15:25:07.065983: | end port: 65535 (ff ff) Oct 31 15:25:07.065987: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:07.065991: | IP start: c0 00 03 00 Oct 31 15:25:07.065994: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:07.065997: | IP end: c0 00 03 ff Oct 31 15:25:07.065999: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:07.066000: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:25:07.066002: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:07.066004: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.066005: | flags: none (0x0) Oct 31 15:25:07.066007: | number of TS: 1 (01) Oct 31 15:25:07.066009: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:25:07.066010: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.066012: | *****emit IKEv2 Traffic Selector: Oct 31 15:25:07.066014: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.066015: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.066019: | start port: 0 (00 00) Oct 31 15:25:07.066021: | end port: 65535 (ff ff) Oct 31 15:25:07.066023: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:07.066025: | IP start: c0 00 02 00 Oct 31 15:25:07.066026: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:07.066028: | IP end: c0 00 02 ff Oct 31 15:25:07.066030: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:07.066031: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:25:07.066033: | initiator child policy is compress=no, NOT sending 
v2N_IPCOMP_SUPPORTED Oct 31 15:25:07.066035: | integ=NONE: .key_size=0 encrypt=AES_GCM_16: .key_size=32 .salt_size=4 keymat_len=36 Oct 31 15:25:07.066084: | FOR_EACH_CONNECTION_... in IKE_SA_established Oct 31 15:25:07.066087: | install_ipsec_sa() for #2: inbound and outbound Oct 31 15:25:07.066089: | could_route called for northnet-eastnet/0x2; kind=CK_PERMANENT that.has_client=yes oppo=no this.host_port=500 Oct 31 15:25:07.066091: | FOR_EACH_CONNECTION_... in route_owner Oct 31 15:25:07.066093: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.066095: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Oct 31 15:25:07.066097: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.066098: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Oct 31 15:25:07.066100: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Oct 31 15:25:07.066103: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:07.066105: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:07.066106: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:07.066108: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:07.066111: | setting IPsec SA replay-window to 32 Oct 31 15:25:07.066113: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Oct 31 15:25:07.066115: | netlink: enabling tunnel mode Oct 31 15:25:07.066116: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:07.066118: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:07.066120: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:07.066170: | netlink response for Add SA esp.8430c847@192.1.3.33 included non-error error Oct 31 15:25:07.066174: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=0 owner=#0 mode=1 Oct 31 15:25:07.066175: | set up outgoing SA, ref=0/0 Oct 31 15:25:07.066177: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:07.066179: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:07.066180: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:07.066182: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:07.066184: | setting IPsec SA replay-window to 32 Oct 31 15:25:07.066186: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Oct 31 15:25:07.066187: | netlink: enabling tunnel mode Oct 31 15:25:07.066189: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:07.066190: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:07.066192: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:07.066241: | netlink response for Add SA esp.298ff425@192.1.2.23 included non-error error Oct 31 15:25:07.066250: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#0 mode=1 Oct 31 15:25:07.066253: | setup_half_ipsec_sa() is installing inbound eroute Oct 31 15:25:07.066255: | setup_half_ipsec_sa() before proto 50 Oct 31 15:25:07.066258: | setup_half_ipsec_sa() after proto 50 Oct 31 15:25:07.066260: | setup_half_ipsec_sa() calling raw_eroute backwards (i.e., inbound) Oct 31 15:25:07.066263: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:07.066271: | add inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:25:07.066277: | IPsec SA SPD priority set to 2084814 Oct 31 15:25:07.066308: | raw_eroute result=success Oct 31 15:25:07.066312: | set up incoming SA, ref=0/0 Oct 31 15:25:07.066314: | sr for #2: unrouted Oct 31 15:25:07.066316: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:25:07.066317: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:07.066319: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.066321: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Oct 31 15:25:07.066322: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.066324: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Oct 31 15:25:07.066326: | route owner of "northnet-eastnet/0x2" unrouted: NULL; eroute owner: NULL Oct 31 15:25:07.066328: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 Oct 31 15:25:07.066330: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:07.066335: | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:25:07.066338: | IPsec SA SPD priority set to 2084814 Oct 31 15:25:07.066348: | raw_eroute result=success Oct 31 15:25:07.066352: | running updown command "ipsec _updown" for verb up Oct 31 15:25:07.066354: | command executing up-client Oct 31 15:25:07.066357: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:07.066363: | get_sa_info esp.298ff425@192.1.2.23 Oct 31 15:25:07.066383: | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157907' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_IN... Oct 31 15:25:07.066385: | popen cmd is 1128 chars long Oct 31 15:25:07.066387: | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x: Oct 31 15:25:07.066389: | cmd( 80):2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO: Oct 31 15:25:07.066390: | cmd( 160):_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT: Oct 31 15:25:07.066391: | cmd( 240):='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.25: Oct 31 15:25:07.066393: | cmd( 320):5.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYP: Oct 31 15:25:07.066394: | cmd( 400):E='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.: Oct 31 15:25:07.066396: | cmd( 480):3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0': Oct 31 15:25:07.066397: | cmd( 560): PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm': Oct 31 15:25:07.066398: | cmd( 640): PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+: Oct 31 15:25:07.066400: | cmd( 720):IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADD: Oct 31 15:25:07.066401: | cmd( 800):RFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLU: Oct 31 15:25:07.066402: | cmd( 880):TO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIEN: Oct 31 15:25:07.066407: | cmd( 960):T='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' : Oct 31 15:25:07.066409: | cmd(1040):VTI_ROUTING='no' VTI_SHARED='no' 
SPI_IN=0x8430c847 SPI_OUT=0x298ff425 ipsec _upd: Oct 31 15:25:07.066410: | cmd(1120):own 2>&1: Oct 31 15:25:07.075220: | route_and_eroute: firewall_notified: true Oct 31 15:25:07.075232: | running updown command "ipsec _updown" for verb prepare Oct 31 15:25:07.075235: | command executing prepare-client Oct 31 15:25:07.075240: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:07.075256: | get_sa_info esp.298ff425@192.1.2.23 Oct 31 15:25:07.075292: | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0... 
Oct 31 15:25:07.075299: | popen cmd is 1133 chars long Oct 31 15:25:07.075302: | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Oct 31 15:25:07.075305: | cmd( 80):et/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' : Oct 31 15:25:07.075310: | cmd( 160):PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_C: Oct 31 15:25:07.075313: | cmd( 240):LIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.2: Oct 31 15:25:07.075316: | cmd( 320):55.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_S: Oct 31 15:25:07.075318: | cmd( 400):A_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='1: Oct 31 15:25:07.075321: | cmd( 480):92.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.2: Oct 31 15:25:07.075323: | cmd( 560):55.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=': Oct 31 15:25:07.075326: | cmd( 640):xfrm' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERL: Oct 31 15:25:07.075328: | cmd( 720):APIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CON: Oct 31 15:25:07.075331: | cmd( 800):N_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO=': Oct 31 15:25:07.075334: | cmd( 880):' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_: Oct 31 15:25:07.075336: | cmd( 960):CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFAC: Oct 31 15:25:07.075339: | cmd(1040):E='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x8430c847 SPI_OUT=0x298ff425 ipsec: Oct 31 15:25:07.075342: | cmd(1120): _updown 2>&1: Oct 31 15:25:07.084325: | running updown command "ipsec _updown" for verb route Oct 31 15:25:07.084342: | command executing route-client Oct 31 15:25:07.084350: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:07.084369: | get_sa_info 
esp.298ff425@192.1.2.23 Oct 31 15:25:07.084406: | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PL... 
Oct 31 15:25:07.084413: | popen cmd is 1131 chars long Oct 31 15:25:07.084417: | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet: Oct 31 15:25:07.084419: | cmd( 80):/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PL: Oct 31 15:25:07.084421: | cmd( 160):UTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLI: Oct 31 15:25:07.084424: | cmd( 240):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: Oct 31 15:25:07.084426: | cmd( 320):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_: Oct 31 15:25:07.084428: | cmd( 400):TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192: Oct 31 15:25:07.084430: | cmd( 480):.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255: Oct 31 15:25:07.084432: | cmd( 560):.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xf: Oct 31 15:25:07.084435: | cmd( 640):rm' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAP: Oct 31 15:25:07.084437: | cmd( 720):IP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_: Oct 31 15:25:07.084439: | cmd( 800):ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' : Oct 31 15:25:07.084441: | cmd( 880):PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CL: Oct 31 15:25:07.084444: | cmd( 960):IENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE=: Oct 31 15:25:07.084446: | cmd(1040):'' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x8430c847 SPI_OUT=0x298ff425 ipsec _: Oct 31 15:25:07.084449: | cmd(1120):updown 2>&1: Oct 31 15:25:07.095303: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095330: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:07.095334: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095337: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095341: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095356: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095372: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095391: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095396: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095405: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095415: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095427: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095436: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095445: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095454: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095464: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095474: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095778: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095786: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:07.095797: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095805: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095816: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095826: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095836: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095846: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095855: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.095867: "northnet-eastnet/0x2" #1: route-client output: Error: Peer netns reference is invalid. Oct 31 15:25:07.099138: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55e8fea07e58,sr=0x55e8fea07e58} to #2 (was #0) (newest_ipsec_sa=#0) Oct 31 15:25:07.099212: | ISAKMP_v2_IKE_AUTH: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 Oct 31 15:25:07.099219: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:07.099222: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:07.099224: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:07.099226: | emitting length of IKEv2 Encryption Payload: 197 Oct 31 15:25:07.099228: | emitting length of ISAKMP Message: 225 Oct 31 15:25:07.099245: | recording outgoing fragment failed Oct 31 15:25:07.099249: | ikev2_parent_inI2outR2_continue_tail returned STF_OK Oct 31 15:25:07.099258: | #1 spent 2.46 (34.6) milliseconds in processing: Responder: process IKE_AUTH request in v2_dispatch() Oct 31 15:25:07.099260: | XXX: processor 'Responder: process 
IKE_AUTH request' for #1 switched state to #2 Oct 31 15:25:07.099264: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.099267: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.099271: | #2 complete_v2_state_transition() in state V2_IKE_AUTH_CHILD_R0 PARENT_R1->ESTABLISHED_CHILD_SA with status STF_OK; .st_v2_transition=NULL Oct 31 15:25:07.099272: | transitioning from state STATE_PARENT_R1 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:07.099274: | Message ID: updating counters for #2 Oct 31 15:25:07.099280: | Message ID: CHILD #1.#2 updating responder received message request 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0 ike.responder.recv=0->1 ike.responder.last_contact=744581.493128->744581.532072 child.wip.initiator=-1 child.wip.responder=1->-1 Oct 31 15:25:07.099284: | Message ID: CHILD #1.#2 updating responder sent message response 1: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=0->1 ike.responder.recv=1 ike.responder.last_contact=744581.532072 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:25:07.099288: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744581.532072 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.099293: | child state #2: V2_IKE_AUTH_CHILD_R0(ignore) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:25:07.099295: | pstats #2 ikev2.child established Oct 31 15:25:07.099297: | announcing the state transition Oct 31 15:25:07.099303: "northnet-eastnet/0x2" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> 
[192.0.3.0-192.0.3.255:0-65535 0] Oct 31 15:25:07.099306: | NAT-T: encaps is 'auto' Oct 31 15:25:07.099310: "northnet-eastnet/0x2" #2: IPsec SA established tunnel mode {ESP=>0x8430c847 <0x298ff425 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} Oct 31 15:25:07.099315: | sending 225 bytes for STATE_PARENT_R1 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31 15:25:07.099376: | sent 1 messages Oct 31 15:25:07.099380: | releasing #2's fd-fd@(nil) because IKEv2 transitions finished Oct 31 15:25:07.099382: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:07.099384: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:07.099386: | unpending #2's IKE SA #1 Oct 31 15:25:07.099389: | unpending state #1 connection "northnet-eastnet/0x2" Oct 31 15:25:07.099392: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so 
releaseing IKE SA Oct 31 15:25:07.099394: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:07.099396: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:07.099399: | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:25:07.099402: | state #2 has no .st_event to delete Oct 31 15:25:07.099405: | event_schedule: newref EVENT_SA_REKEY-pe@0x55e8fea131b8 Oct 31 15:25:07.099408: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #2 Oct 31 15:25:07.099412: | libevent_malloc: newref ptr-libevent@0x55e8fea0f438 size 128 Oct 31 15:25:07.099418: | delref logger@0x55e8fe9f7cf8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:07.099421: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.099423: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.099426: | resume sending helper answer back to state for #1 suppresed complete_v2_state_transition(); MD.ST was switched Oct 31 15:25:07.099430: | delref mdp@0x55e8fea098b8(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:07.099433: | delref logger@0x55e8fea05778(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:07.099435: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.099438: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.099445: | #1 spent 2.79 (34.9) milliseconds in resume sending helper answer back to state Oct 31 15:25:07.099450: | stop processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:07.099454: | libevent_free: delref ptr-libevent@0x7ffb8000b578 Oct 31 15:25:07.099468: | processing signal PLUTO_SIGCHLD Oct 31 15:25:07.099473: | waitpid returned ECHILD (no child processes left) Oct 31 15:25:07.099478: | spent 0.00528 (0.00524) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:07.099481: | processing signal PLUTO_SIGCHLD Oct 31 
15:25:07.099484: | waitpid returned ECHILD (no child processes left) Oct 31 15:25:07.099488: | spent 0.00357 (0.00357) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:07.099491: | processing signal PLUTO_SIGCHLD Oct 31 15:25:07.099494: | waitpid returned ECHILD (no child processes left) Oct 31 15:25:07.099498: | spent 0.00353 (0.00355) milliseconds in signal handler PLUTO_SIGCHLD Oct 31 15:25:07.150978: | spent 0.00269 (0.00267) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue() Oct 31 15:25:07.150998: | newref struct msg_digest@0x55e8fea098b8(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.151003: | newref alloc logger@0x55e8fea0f218(0->1) (in read_message() at demux.c:103) Oct 31 15:25:07.151010: | *received 601 bytes from 192.1.3.33:500 on eth1 192.1.2.23:500 using UDP
Oct 31 15:25:07.151141: | **parse ISAKMP Message: Oct 31 15:25:07.151147: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.151151: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.151154: | next payload type: ISAKMP_NEXT_v2SK (0x2e) Oct 31 15:25:07.151157: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.151160: | exchange type: 
ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:25:07.151163: | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) Oct 31 15:25:07.151167: | Message ID: 2 (00 00 00 02) Oct 31 15:25:07.151171: | length: 601 (00 00 02 59) Oct 31 15:25:07.151174: | processing version=2.0 packet with exchange type=ISAKMP_v2_CREATE_CHILD_SA (36) Oct 31 15:25:07.151178: | I am the IKE SA Original Responder receiving an IKEv2 CREATE_CHILD_SA request Oct 31 15:25:07.151183: | State DB: found IKEv2 state #1 in ESTABLISHED_IKE_SA (find_v2_ike_sa) Oct 31 15:25:07.151191: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1902) Oct 31 15:25:07.151194: | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 Oct 31 15:25:07.151201: | State DB: IKEv2 state not found (find_v2_sa_by_responder_wip) Oct 31 15:25:07.151207: | #1 is idle Oct 31 15:25:07.151214: | Message ID: IKE #1 not a duplicate - message request 2 is new: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744581.532072 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.151220: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ike_process_packet() at ikev2.c:1983) Oct 31 15:25:07.151223: | unpacking clear payload Oct 31 15:25:07.151226: | Now let's proceed with payload (ISAKMP_NEXT_v2SK) Oct 31 15:25:07.151229: | ***parse IKEv2 Encryption Payload: Oct 31 15:25:07.151232: | next payload type: ISAKMP_NEXT_v2SA (0x21) Oct 31 15:25:07.151235: | flags: none (0x0) Oct 31 15:25:07.151239: | length: 573 (02 3d) Oct 31 15:25:07.151242: | processing payload: ISAKMP_NEXT_v2SK (len=569) Oct 31 15:25:07.151245: | #1 in state ESTABLISHED_IKE_SA: established IKE SA Oct 31 15:25:07.151262: | #1 ikev2 ISAKMP_v2_CREATE_CHILD_SA decrypt success Oct 31 15:25:07.151265: | Now let's proceed with payload (ISAKMP_NEXT_v2SA) Oct 31 15:25:07.151268: | **parse 
IKEv2 Security Association Payload: Oct 31 15:25:07.151271: | next payload type: ISAKMP_NEXT_v2Ni (0x28) Oct 31 15:25:07.151273: | flags: none (0x0) Oct 31 15:25:07.151277: | length: 196 (00 c4) Oct 31 15:25:07.151279: | processing payload: ISAKMP_NEXT_v2SA (len=192) Oct 31 15:25:07.151282: | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) Oct 31 15:25:07.151285: | **parse IKEv2 Nonce Payload: Oct 31 15:25:07.151288: | next payload type: ISAKMP_NEXT_v2KE (0x22) Oct 31 15:25:07.151290: | flags: none (0x0) Oct 31 15:25:07.151293: | length: 36 (00 24) Oct 31 15:25:07.151296: | processing payload: ISAKMP_NEXT_v2Ni (len=32) Oct 31 15:25:07.151298: | Now let's proceed with payload (ISAKMP_NEXT_v2KE) Oct 31 15:25:07.151301: | **parse IKEv2 Key Exchange Payload: Oct 31 15:25:07.151304: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) Oct 31 15:25:07.151307: | flags: none (0x0) Oct 31 15:25:07.151310: | length: 264 (01 08) Oct 31 15:25:07.151313: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.151316: | processing payload: ISAKMP_NEXT_v2KE (len=256) Oct 31 15:25:07.151318: | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) Oct 31 15:25:07.151321: | **parse IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:07.151329: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) Oct 31 15:25:07.151331: | flags: none (0x0) Oct 31 15:25:07.151334: | length: 24 (00 18) Oct 31 15:25:07.151338: | number of TS: 1 (01) Oct 31 15:25:07.151340: | processing payload: ISAKMP_NEXT_v2TSi (len=16) Oct 31 15:25:07.151343: | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) Oct 31 15:25:07.151346: | **parse IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:07.151351: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.151354: | flags: none (0x0) Oct 31 15:25:07.151357: | length: 24 (00 18) Oct 31 15:25:07.151360: | number of TS: 1 (01) Oct 31 15:25:07.151362: | processing payload: ISAKMP_NEXT_v2TSr (len=16) Oct 31 15:25:07.151378: | state #1 forced to match 
CREATE_CHILD_SA from STATE_V2_NEW_CHILD_R0->STATE_V2_ESTABLISHED_CHILD_SA by ignoring from state Oct 31 15:25:07.151381: | selected state microcode Respond to CREATE_CHILD_SA IPsec SA Request Oct 31 15:25:07.151387: | #1 updating local interface from 192.1.2.23:500 to 192.1.2.23:500 using md->iface (in update_ike_endpoints() at state.c:2631) Oct 31 15:25:07.151392: | newref alloc logger@0x55e8fea0d9c8(0->1) (in new_state() at state.c:576) Oct 31 15:25:07.151396: | addref fd@NULL (in new_state() at state.c:577) Oct 31 15:25:07.151398: | creating state object #3 at 0x55e8fea13228 Oct 31 15:25:07.151401: | State DB: adding IKEv2 state #3 in UNDEFINED Oct 31 15:25:07.151406: | pstats #3 ikev2.child started Oct 31 15:25:07.151409: | duplicating state object #1 "northnet-eastnet/0x2" as #3 for IPSEC SA Oct 31 15:25:07.151415: | #3 setting local endpoint to 192.1.2.23:500 from #1.st_localport (in duplicate_state() at state.c:1581) Oct 31 15:25:07.151425: | Message ID: CHILD #1.#3 initializing (CHILD SA): ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744581.532072 child.wip.initiator=0->-1 child.wip.responder=0->-1 Oct 31 15:25:07.151429: | child state #3: UNDEFINED(ignore) => V2_NEW_CHILD_R0(established IKE SA) Oct 31 15:25:07.151433: | #3.st_v2_transition NULL -> V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA (in new_v2_child_state() at state.c:1666) Oct 31 15:25:07.151437: | "northnet-eastnet/0x2" #1 received Respond to CREATE_CHILD_SA IPsec SA Request CREATE_CHILD_SA Child "northnet-eastnet/0x2" #3 in STATE_V2_NEW_CHILD_R0 will process it further Oct 31 15:25:07.151439: | forcing ST #1 to CHILD #1.#3 in FSM processor Oct 31 15:25:07.151446: | Message ID: CHILD #1.#3 responder starting message request 2: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1 ike.responder.recv=1 ike.responder.last_contact=744581.532072 
child.wip.initiator=-1 child.wip.responder=-1->2 Oct 31 15:25:07.151452: | calling processor Respond to CREATE_CHILD_SA IPsec SA Request Oct 31 15:25:07.151472: | create child proposal's DH changed from no-PFS to MODP2048, flushing Oct 31 15:25:07.151476: | constructing ESP/AH proposals with default DH MODP2048 for northnet-eastnet/0x2 (CREATE_CHILD_SA responder matching remote ESP/AH proposals) Oct 31 15:25:07.151485: | converting proposal AES_GCM_16_256-NONE to ikev2 ... Oct 31 15:25:07.151493: | ... ikev2_proposal: 1:ESP=AES_GCM_C_256-NONE-MODP2048-DISABLED Oct 31 15:25:07.151497: | converting proposal AES_GCM_16_128-NONE to ikev2 ... Oct 31 15:25:07.151501: | ... ikev2_proposal: 2:ESP=AES_GCM_C_128-NONE-MODP2048-DISABLED Oct 31 15:25:07.151505: | converting proposal AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:07.151510: | ... ikev2_proposal: 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048-DISABLED Oct 31 15:25:07.151514: | converting proposal AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128 to ikev2 ... Oct 31 15:25:07.151518: | ... 
ikev2_proposal: 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048-DISABLED Oct 31 15:25:07.151522: "northnet-eastnet/0x2": local ESP/AH proposals (CREATE_CHILD_SA responder matching remote ESP/AH proposals): Oct 31 15:25:07.151527: "northnet-eastnet/0x2": 1:ESP=AES_GCM_C_256-NONE-MODP2048-DISABLED Oct 31 15:25:07.151531: "northnet-eastnet/0x2": 2:ESP=AES_GCM_C_128-NONE-MODP2048-DISABLED Oct 31 15:25:07.151536: "northnet-eastnet/0x2": 3:ESP=AES_CBC_256-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048-DISABLED Oct 31 15:25:07.151553: "northnet-eastnet/0x2": 4:ESP=AES_CBC_128-HMAC_SHA2_512_256+HMAC_SHA2_256_128-MODP2048-DISABLED Oct 31 15:25:07.151558: | comparing remote proposals against CREATE_CHILD_SA responder matching remote ESP/AH proposals 4 local proposals Oct 31 15:25:07.151562: | local proposal 1 type ENCR has 1 transforms Oct 31 15:25:07.151565: | local proposal 1 type PRF has 0 transforms Oct 31 15:25:07.151568: | local proposal 1 type INTEG has 1 transforms Oct 31 15:25:07.151570: | local proposal 1 type DH has 1 transforms Oct 31 15:25:07.151573: | local proposal 1 type ESN has 1 transforms Oct 31 15:25:07.151576: | local proposal 1 transforms: required: ENCR+DH+ESN; optional: INTEG Oct 31 15:25:07.151579: | local proposal 2 type ENCR has 1 transforms Oct 31 15:25:07.151582: | local proposal 2 type PRF has 0 transforms Oct 31 15:25:07.151584: | local proposal 2 type INTEG has 1 transforms Oct 31 15:25:07.151586: | local proposal 2 type DH has 1 transforms Oct 31 15:25:07.151589: | local proposal 2 type ESN has 1 transforms Oct 31 15:25:07.151592: | local proposal 2 transforms: required: ENCR+DH+ESN; optional: INTEG Oct 31 15:25:07.151595: | local proposal 3 type ENCR has 1 transforms Oct 31 15:25:07.151597: | local proposal 3 type PRF has 0 transforms Oct 31 15:25:07.151600: | local proposal 3 type INTEG has 2 transforms Oct 31 15:25:07.151602: | local proposal 3 type DH has 1 transforms Oct 31 15:25:07.151605: | local proposal 3 type ESN has 1 
transforms Oct 31 15:25:07.151609: | local proposal 3 transforms: required: ENCR+INTEG+DH+ESN; optional: none Oct 31 15:25:07.151611: | local proposal 4 type ENCR has 1 transforms Oct 31 15:25:07.151614: | local proposal 4 type PRF has 0 transforms Oct 31 15:25:07.151616: | local proposal 4 type INTEG has 2 transforms Oct 31 15:25:07.151619: | local proposal 4 type DH has 1 transforms Oct 31 15:25:07.151621: | local proposal 4 type ESN has 1 transforms Oct 31 15:25:07.151624: | local proposal 4 transforms: required: ENCR+INTEG+DH+ESN; optional: none Oct 31 15:25:07.151628: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.151631: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.151634: | length: 40 (00 28) Oct 31 15:25:07.151637: | prop #: 1 (01) Oct 31 15:25:07.151640: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.151643: | spi size: 4 (04) Oct 31 15:25:07.151646: | # transforms: 3 (03) Oct 31 15:25:07.151649: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.151652: | remote SPI Oct 31 15:25:07.151654: | 6f 03 cd 30 Oct 31 15:25:07.151657: | Comparing remote proposal 1 containing 3 transforms against local proposal [1..4] of 4 local proposals Oct 31 15:25:07.151660: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151663: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151666: | length: 12 (00 0c) Oct 31 15:25:07.151669: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.151672: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.151675: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.151677: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.151681: | length/value: 256 (01 00) Oct 31 15:25:07.151686: | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 Oct 31 15:25:07.151689: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151692: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151695: | length: 8 (00 08) Oct 31 15:25:07.151698: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.151700: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.151704: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 Oct 31 15:25:07.151707: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 Oct 31 15:25:07.151710: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 Oct 31 15:25:07.151713: | remote proposal 1 transform 1 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 Oct 31 15:25:07.151720: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151723: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.151726: | length: 8 (00 08) Oct 31 15:25:07.151729: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.151731: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.151735: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 Oct 31 15:25:07.151738: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 Oct 31 15:25:07.151741: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 Oct 31 15:25:07.151744: | remote proposal 1 transform 2 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 Oct 31 15:25:07.151748: | remote proposal 1 proposed transforms: ENCR+DH+ESN; matched: ENCR+DH+ESN; unmatched: none Oct 31 15:25:07.151754: | comparing remote proposal 1 containing ENCR+DH+ESN transforms to local proposal 1; required: ENCR+DH+ESN; optional: INTEG; matched: ENCR+DH+ESN Oct 31 15:25:07.151769: | remote proposal 1 matches local proposal 1 Oct 31 15:25:07.151772: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.151775: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 
15:25:07.151778: | length: 40 (00 28) Oct 31 15:25:07.151781: | prop #: 2 (02) Oct 31 15:25:07.151784: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.151787: | spi size: 4 (04) Oct 31 15:25:07.151790: | # transforms: 3 (03) Oct 31 15:25:07.151793: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.151796: | remote SPI Oct 31 15:25:07.151798: | 6f 03 cd 30 Oct 31 15:25:07.151801: | Comparing remote proposal 2 containing 3 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.151804: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151806: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151814: | length: 12 (00 0c) Oct 31 15:25:07.151817: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.151819: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.151822: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.151825: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.151828: | length/value: 128 (00 80) Oct 31 15:25:07.151844: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151847: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151850: | length: 8 (00 08) Oct 31 15:25:07.151865: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.151868: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.151871: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151874: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.151877: | length: 8 (00 08) Oct 31 15:25:07.151880: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.151882: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.151887: | remote proposal 2 proposed transforms: ENCR+DH+ESN; matched: none; unmatched: ENCR+DH+ESN Oct 31 15:25:07.151890: | remote proposal 2 does not match; unmatched remote transforms: ENCR+DH+ESN Oct 31 15:25:07.151893: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 
15:25:07.151896: | last proposal: v2_PROPOSAL_NON_LAST (0x2) Oct 31 15:25:07.151899: | length: 56 (00 38) Oct 31 15:25:07.151902: | prop #: 3 (03) Oct 31 15:25:07.151904: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.151907: | spi size: 4 (04) Oct 31 15:25:07.151910: | # transforms: 5 (05) Oct 31 15:25:07.151913: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.151916: | remote SPI Oct 31 15:25:07.151918: | 6f 03 cd 30 Oct 31 15:25:07.151934: | Comparing remote proposal 3 containing 5 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.151936: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151941: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151944: | length: 12 (00 0c) Oct 31 15:25:07.151947: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.151949: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.151952: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.151955: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.151958: | length/value: 256 (01 00) Oct 31 15:25:07.151961: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151964: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151967: | length: 8 (00 08) Oct 31 15:25:07.151970: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.151972: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.151975: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.151991: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.151994: | length: 8 (00 08) Oct 31 15:25:07.151997: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.151999: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.152003: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152005: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.152008: | length: 8 (00 08) Oct 31 15:25:07.152011: | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.152014: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.152017: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152019: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.152022: | length: 8 (00 08) Oct 31 15:25:07.152025: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.152028: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.152032: | remote proposal 3 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Oct 31 15:25:07.152036: | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Oct 31 15:25:07.152039: | ***parse IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.152041: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.152045: | length: 56 (00 38) Oct 31 15:25:07.152048: | prop #: 4 (04) Oct 31 15:25:07.152050: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.152053: | spi size: 4 (04) Oct 31 15:25:07.152056: | # transforms: 5 (05) Oct 31 15:25:07.152060: | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI Oct 31 15:25:07.152062: | remote SPI Oct 31 15:25:07.152064: | 6f 03 cd 30 Oct 31 15:25:07.152067: | Comparing remote proposal 4 containing 5 transforms against local proposal [1..0] of 4 local proposals Oct 31 15:25:07.152070: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152072: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.152075: | length: 12 (00 0c) Oct 31 15:25:07.152078: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.152081: | IKEv2 transform ID: AES_CBC (0xc) Oct 31 15:25:07.152084: | *****parse IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.152086: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.152090: | length/value: 128 (00 80) Oct 31 15:25:07.152093: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152096: | last transform: v2_TRANSFORM_NON_LAST 
(0x3) Oct 31 15:25:07.152099: | length: 8 (00 08) Oct 31 15:25:07.152102: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.152104: | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) Oct 31 15:25:07.152108: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152110: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.152114: | length: 8 (00 08) Oct 31 15:25:07.152116: | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) Oct 31 15:25:07.152119: | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) Oct 31 15:25:07.152122: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152125: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.152130: | length: 8 (00 08) Oct 31 15:25:07.152133: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.152135: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.152138: | ****parse IKEv2 Transform Substructure Payload: Oct 31 15:25:07.152141: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.152144: | length: 8 (00 08) Oct 31 15:25:07.152147: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.152150: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.152154: | remote proposal 4 proposed transforms: ENCR+INTEG+DH+ESN; matched: none; unmatched: ENCR+INTEG+DH+ESN Oct 31 15:25:07.152158: | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+DH+ESN Oct 31 15:25:07.152165: "northnet-eastnet/0x2" #3: proposal 1:ESP=AES_GCM_C_256-MODP2048-DISABLED SPI=6f03cd30 chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;DH=MODP2048;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;DH=MODP2048;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;DH=MODP2048;ESN=DISABLED Oct 31 15:25:07.152170: | CREATE_CHILD_SA responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP=AES_GCM_C_256-MODP2048-DISABLED 
SPI=6f03cd30 Oct 31 15:25:07.152173: | converting proposal to internal trans attrs Oct 31 15:25:07.152178: | updating #3's .st_oakley with preserved PRF, but why update? Oct 31 15:25:07.152182: | Child SA TS Request has child->sa == md->st; so using child connection Oct 31 15:25:07.152185: | TSi: parsing 1 traffic selectors Oct 31 15:25:07.152188: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:07.152191: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.152194: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.152197: | length: 16 (00 10) Oct 31 15:25:07.152219: | start port: 0 (00 00) Oct 31 15:25:07.152223: | end port: 65535 (ff ff) Oct 31 15:25:07.152226: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:07.152228: | TS low Oct 31 15:25:07.152231: | c0 00 03 00 Oct 31 15:25:07.152234: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:07.152236: | TS high Oct 31 15:25:07.152238: | c0 00 03 ff Oct 31 15:25:07.152241: | TSi: parsed 1 traffic selectors Oct 31 15:25:07.152244: | TSr: parsing 1 traffic selectors Oct 31 15:25:07.152247: | ***parse IKEv2 Traffic Selector: Oct 31 15:25:07.152249: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.152252: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.152255: | length: 16 (00 10) Oct 31 15:25:07.152258: | start port: 0 (00 00) Oct 31 15:25:07.152262: | end port: 65535 (ff ff) Oct 31 15:25:07.152264: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS low Oct 31 15:25:07.152267: | TS low Oct 31 15:25:07.152269: | c0 00 02 00 Oct 31 15:25:07.152272: | parsing 4 raw bytes of IKEv2 Traffic Selector into TS high Oct 31 15:25:07.152274: | TS high Oct 31 15:25:07.152276: | c0 00 02 ff Oct 31 15:25:07.152279: | TSr: parsed 1 traffic selectors Oct 31 15:25:07.152281: | looking for best SPD in current connection Oct 31 15:25:07.152289: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.152295: | TSi[0] 
.net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152303: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.152307: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.152310: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.152313: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.152317: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152322: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152329: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.152334: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.152337: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.152340: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:25:07.152342: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152345: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.152348: | found better spd route for TSi[0],TSr[0] Oct 31 15:25:07.152350: | looking for better host pair Oct 31 15:25:07.152357: | find_host_pair: comparing 192.1.2.23:500 to 192.1.3.33:500 but ignoring ports Oct 31 15:25:07.152363: | checking hostpair 192.0.2.0/24:0 -> 192.0.3.0/24:0 is found Oct 31 15:25:07.152365: | investigating connection "northnet-eastnet/0x2" as a better match Oct 31 15:25:07.152369: | match_id a=@north Oct 31 15:25:07.152371: | b=@north Oct 31 15:25:07.152374: | results matched Oct 31 15:25:07.152380: | evaluating our conn="northnet-eastnet/0x2" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.152385: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152392: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.152396: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.152398: | 
TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.152401: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.152404: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152409: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152415: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.152418: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.152421: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.152424: | narrow protocol end=*0 == TSr[0]=*0: 0 Oct 31 15:25:07.152426: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152429: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.152432: | investigating connection "northnet-eastnet/0x1" as a better match Oct 31 15:25:07.152435: | match_id a=@north Oct 31 15:25:07.152437: | b=@north Oct 31 15:25:07.152440: | results matched Oct 31 15:25:07.152446: | evaluating our conn="northnet-eastnet/0x1" I=192.0.3.0/24:0:0/0 R=192.0.2.0/24:0:0/0 to their: Oct 31 15:25:07.152450: | TSi[0] .net=192.0.3.0-192.0.3.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152457: | match address end->client=192.0.3.0/24 == TSi[0]net=192.0.3.0-192.0.3.255: YES fitness 32 Oct 31 15:25:07.152461: | narrow port end=0..65535 == TSi[0]=0..65535: 0 Oct 31 15:25:07.152463: | TSi[0] port match: YES fitness 65536 Oct 31 15:25:07.152466: | narrow protocol end=*0 == TSi[0]=*0: 0 Oct 31 15:25:07.152469: | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152474: | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 Oct 31 15:25:07.152480: | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 Oct 31 15:25:07.152483: | narrow port end=0..65535 == TSr[0]=0..65535: 0 Oct 31 15:25:07.152486: | TSr[0] port match: YES fitness 65536 Oct 31 15:25:07.152489: | narrow protocol end=*0 == 
TSr[0]=*0: 0 Oct 31 15:25:07.152492: | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 Oct 31 15:25:07.152494: | best fit so far: TSi[0] TSr[0] Oct 31 15:25:07.152496: | did not find a better connection using host pair Oct 31 15:25:07.152500: | printing contents struct traffic_selector Oct 31 15:25:07.152502: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:07.152505: | ipprotoid: 0 Oct 31 15:25:07.152507: | port range: 0-65535 Oct 31 15:25:07.152512: | ip range: 192.0.2.0-192.0.2.255 Oct 31 15:25:07.152516: | printing contents struct traffic_selector Oct 31 15:25:07.152518: | ts_type: IKEv2_TS_IPV4_ADDR_RANGE Oct 31 15:25:07.152521: | ipprotoid: 0 Oct 31 15:25:07.152523: | port range: 0-65535 Oct 31 15:25:07.152527: | ip range: 192.0.3.0-192.0.3.255 Oct 31 15:25:07.152536: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:07.152539: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:07.152542: | newref clone logger@0x55e8fea0e6b8(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:07.152545: | job 3 for #3: Child Responder KE and nonce nr (build KE and nonce): adding job to queue Oct 31 15:25:07.152548: | state #3 has no .st_event to delete Oct 31 15:25:07.152551: | #3 STATE_V2_NEW_CHILD_R0: retransmits: cleared Oct 31 15:25:07.152554: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e398 Oct 31 15:25:07.152558: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Oct 31 15:25:07.152561: | libevent_malloc: newref ptr-libevent@0x7ffb8000b578 size 128 Oct 31 15:25:07.152574: | #3 spent 1.08 (1.1) milliseconds in processing: Respond to CREATE_CHILD_SA IPsec SA Request in v2_dispatch() Oct 31 15:25:07.152581: | suspend processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.152586: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 
31 15:25:07.152587: | job 3 for #3: Child Responder KE and nonce nr (build KE and nonce): helper 5 starting job Oct 31 15:25:07.152590: | #3 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_SUSPEND Oct 31 15:25:07.152603: | suspending state #3 and saving MD 0x55e8fea098b8 Oct 31 15:25:07.152606: | addref md@0x55e8fea098b8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:07.152609: | #3 is busy; has suspended MD 0x55e8fea098b8 Oct 31 15:25:07.152614: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in ikev2_process_packet() at ikev2.c:1904) Oct 31 15:25:07.152620: | #1 spent 1.62 (1.65) milliseconds in ikev2_process_packet() Oct 31 15:25:07.152623: | processing: STOP state #0 (in process_md() at demux.c:287) Oct 31 15:25:07.152626: | delref mdp@0x55e8fea098b8(2->1) (in handle_packet_cb() at demux.c:318) Oct 31 15:25:07.152631: | spent 1.63 (1.66) milliseconds in handle_packet_cb() reading and processing packet Oct 31 15:25:07.154950: | "northnet-eastnet/0x2" #3: spent 1.8 (2.36) milliseconds in helper 5 processing job 3 for state #3: Child Responder KE and nonce nr (pcr) Oct 31 15:25:07.154967: | job 3 for #3: Child Responder KE and nonce nr (build KE and nonce): helper thread 5 sending result back to state Oct 31 15:25:07.154970: | scheduling resume sending helper answer back to state for #3 Oct 31 15:25:07.154975: | libevent_malloc: newref ptr-libevent@0x7ffb84006108 size 128 Oct 31 15:25:07.154980: | libevent_realloc: delref ptr-libevent@0x55e8fe9c6788 Oct 31 15:25:07.154982: | libevent_realloc: newref ptr-libevent@0x55e8fea0e408 size 128 Oct 31 15:25:07.154991: | helper thread 5 has nothing to do Oct 31 15:25:07.155004: | processing resume sending helper answer back to state for #3 Oct 31 15:25:07.155014: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:07.155018: | unsuspending #3 MD 
0x55e8fea098b8 Oct 31 15:25:07.155021: | job 3 for #3: Child Responder KE and nonce nr (build KE and nonce): processing response from helper 5 Oct 31 15:25:07.155024: | job 3 for #3: Child Responder KE and nonce nr (build KE and nonce): calling continuation function 0x55e8fd611fe7 Oct 31 15:25:07.155027: | ikev2_child_inIoutR_continue() for #3 STATE_V2_NEW_CHILD_R0 Oct 31 15:25:07.155032: | DH secret MODP2048@0x7ffb84006ba8: transferring ownership from helper KE to state #3 Oct 31 15:25:07.155036: | DH secret MODP2048@0x7ffb84006ba8: transferring ownership from state #3 to helper DH Oct 31 15:25:07.155046: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:07.155049: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:07.155052: | newref clone logger@0x55e8fe9f7c88(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:07.155055: | job 4 for #3: DHv2 for child sa (dh): adding job to queue Oct 31 15:25:07.155058: | state #3 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:07.155061: | libevent_free: delref ptr-libevent@0x7ffb8000b578 Oct 31 15:25:07.155064: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e398 Oct 31 15:25:07.155067: | #3 STATE_V2_NEW_CHILD_R0: retransmits: cleared Oct 31 15:25:07.155070: | event_schedule: newref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e518 Oct 31 15:25:07.155074: | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60 seconds for #3 Oct 31 15:25:07.155076: | libevent_malloc: newref ptr-libevent@0x7ffb8000b578 size 128 Oct 31 15:25:07.155088: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.155092: | #3 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_SUSPEND Oct 31 15:25:07.155094: | suspending state #3 and saving MD 0x55e8fea098b8 Oct 31 15:25:07.155098: | addref md@0x55e8fea098b8(1->2) (in complete_v2_state_transition() at ikev2.c:3485) Oct 31 15:25:07.155100: | 
#3 is busy; has suspended MD 0x55e8fea098b8 Oct 31 15:25:07.155103: | delref logger@0x55e8fea0e6b8(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:07.155106: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.155108: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.155111: | resume sending helper answer back to state for #3 suppresed complete_v2_state_transition() Oct 31 15:25:07.155114: | delref mdp@0x55e8fea098b8(2->1) (in resume_handler() at server.c:743) Oct 31 15:25:07.155120: | #3 spent 0.101 (0.101) milliseconds in resume sending helper answer back to state Oct 31 15:25:07.155125: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:07.155128: | libevent_free: delref ptr-libevent@0x7ffb84006108 Oct 31 15:25:07.155258: | job 4 for #3: DHv2 for child sa (dh): helper 6 starting job Oct 31 15:25:07.156125: | "northnet-eastnet/0x2" #3: spent 0.865 (0.865) milliseconds in helper 6 processing job 4 for state #3: DHv2 for child sa (dh) Oct 31 15:25:07.156133: | job 4 for #3: DHv2 for child sa (dh): helper thread 6 sending result back to state Oct 31 15:25:07.156137: | scheduling resume sending helper answer back to state for #3 Oct 31 15:25:07.156141: | libevent_malloc: newref ptr-libevent@0x7ffb78001fb8 size 128 Oct 31 15:25:07.156150: | helper thread 6 has nothing to do Oct 31 15:25:07.156158: | processing resume sending helper answer back to state for #3 Oct 31 15:25:07.156168: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:641) Oct 31 15:25:07.156171: | unsuspending #3 MD 0x55e8fea098b8 Oct 31 15:25:07.156173: | job 4 for #3: DHv2 for child sa (dh): processing response from helper 6 Oct 31 15:25:07.156175: | job 4 for #3: DHv2 for child sa (dh): calling continuation function 0x55e8fd6137cb Oct 31 15:25:07.156177: | DH secret MODP2048@0x7ffb84006ba8: transferring 
ownership from helper IKEv2 DH to state #3 Oct 31 15:25:07.156180: | ikev2_child_inIoutR_continue_continue() for #3 STATE_V2_NEW_CHILD_R0 Oct 31 15:25:07.156184: | opening output PBS reply packet Oct 31 15:25:07.156187: | **emit ISAKMP Message: Oct 31 15:25:07.156190: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:07.156193: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:07.156195: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:07.156197: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:07.156222: | exchange type: ISAKMP_v2_CREATE_CHILD_SA (0x24) Oct 31 15:25:07.156228: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) Oct 31 15:25:07.156233: | Message ID: 2 (00 00 00 02) Oct 31 15:25:07.156235: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:07.156237: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:07.156239: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156241: | flags: none (0x0) Oct 31 15:25:07.156243: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:07.156244: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156247: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:07.156279: | netlink_get_spi: allocated 0x194060e2 for esp.0@192.1.2.23 Oct 31 15:25:07.156284: | emitting ikev2_proposal ... 
Oct 31 15:25:07.156288: | ****emit IKEv2 Security Association Payload: Oct 31 15:25:07.156291: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156293: | flags: none (0x0) Oct 31 15:25:07.156297: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) Oct 31 15:25:07.156299: | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156304: | *****emit IKEv2 Proposal Substructure Payload: Oct 31 15:25:07.156307: | last proposal: v2_PROPOSAL_LAST (0x0) Oct 31 15:25:07.156311: | prop #: 1 (01) Oct 31 15:25:07.156314: | proto ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:07.156318: | spi size: 4 (04) Oct 31 15:25:07.156321: | # transforms: 3 (03) Oct 31 15:25:07.156324: | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' Oct 31 15:25:07.156330: | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload Oct 31 15:25:07.156338: | our spi: 19 40 60 e2 Oct 31 15:25:07.156341: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.156344: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.156346: | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) Oct 31 15:25:07.156348: | IKEv2 transform ID: AES_GCM_C (0x14) Oct 31 15:25:07.156351: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.156354: | *******emit IKEv2 Attribute Substructure Payload: Oct 31 15:25:07.156356: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) Oct 31 15:25:07.156358: | length/value: 256 (01 00) Oct 31 15:25:07.156360: | emitting length of IKEv2 Transform Substructure Payload: 12 Oct 31 15:25:07.156362: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.156364: | last transform: v2_TRANSFORM_NON_LAST (0x3) Oct 31 
15:25:07.156365: | IKEv2 transform type: TRANS_TYPE_DH (0x4) Oct 31 15:25:07.156367: | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.156369: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.156371: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.156374: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:07.156376: | ******emit IKEv2 Transform Substructure Payload: Oct 31 15:25:07.156378: | last transform: v2_TRANSFORM_LAST (0x0) Oct 31 15:25:07.156380: | IKEv2 transform type: TRANS_TYPE_ESN (0x5) Oct 31 15:25:07.156382: | IKEv2 transform ID: ESN_DISABLED (0x0) Oct 31 15:25:07.156384: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' containing v2_TRANSFORM_NON_LAST (0x3) is v2_TRANSFORM_NON_LAST (0x3) Oct 31 15:25:07.156387: | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' Oct 31 15:25:07.156391: | emitting length of IKEv2 Transform Substructure Payload: 8 Oct 31 15:25:07.156394: | emitting length of IKEv2 Proposal Substructure Payload: 40 Oct 31 15:25:07.156396: | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 Oct 31 15:25:07.156398: | emitting length of IKEv2 Security Association Payload: 44 Oct 31 15:25:07.156400: | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 Oct 31 15:25:07.156403: | ****emit IKEv2 Nonce Payload: Oct 31 15:25:07.156405: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156407: | flags: none (0x0) Oct 31 15:25:07.156410: | next 
payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) Oct 31 15:25:07.156412: | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156415: | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload Oct 31 15:25:07.156417: | IKEv2 nonce: Oct 31 15:25:07.156419: | 72 b3 a8 5e 16 f2 9c 8f c4 33 93 3c 61 70 28 7c Oct 31 15:25:07.156421: | 3a f1 57 ee 34 ac ee f5 09 29 70 37 69 e8 45 0b Oct 31 15:25:07.156423: | emitting length of IKEv2 Nonce Payload: 36 Oct 31 15:25:07.156425: | ****emit IKEv2 Key Exchange Payload: Oct 31 15:25:07.156428: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156430: | flags: none (0x0) Oct 31 15:25:07.156432: | DH group: OAKLEY_GROUP_MODP2048 (0xe) Oct 31 15:25:07.156434: | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) Oct 31 15:25:07.156436: | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156440: | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload Oct 31 15:25:07.156441: | ikev2 g^x:
Oct 31 15:25:07.156475: | emitting length of IKEv2 Key Exchange Payload: 264 Oct 31 15:25:07.156478: | ****emit IKEv2 Traffic Selector - Initiator - Payload: Oct 31 15:25:07.156480: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156482: | flags: none (0x0) Oct 31 15:25:07.156485: | number of TS: 1 (01) Oct 31 15:25:07.156487: | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) Oct 31 15:25:07.156490: | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156492: | *****emit IKEv2 Traffic Selector: Oct 31 15:25:07.156497: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.156499: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.156502: | start port: 0 (00 00) Oct 31 15:25:07.156505: | end port: 65535 (ff ff) Oct 31 15:25:07.156508: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:07.156510: | IP start: c0 00 03 00 Oct 31 15:25:07.156513: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:07.156516: | IP end: c0 00 03 ff Oct 31 15:25:07.156518: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:07.156520: | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 Oct 31 15:25:07.156522: | ****emit IKEv2 Traffic Selector - Responder - Payload: Oct 31 15:25:07.156524: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:07.156526:
| flags: none (0x0) Oct 31 15:25:07.156528: | number of TS: 1 (01) Oct 31 15:25:07.156598: | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) Oct 31 15:25:07.156604: | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' Oct 31 15:25:07.156607: | *****emit IKEv2 Traffic Selector: Oct 31 15:25:07.156610: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) Oct 31 15:25:07.156612: | IP Protocol ID: ALL (0x0) Oct 31 15:25:07.156615: | start port: 0 (00 00) Oct 31 15:25:07.156618: | end port: 65535 (ff ff) Oct 31 15:25:07.156622: | emitting 4 raw bytes of IP start into IKEv2 Traffic Selector Oct 31 15:25:07.156625: | IP start: c0 00 02 00 Oct 31 15:25:07.156628: | emitting 4 raw bytes of IP end into IKEv2 Traffic Selector Oct 31 15:25:07.156631: | IP end: c0 00 02 ff Oct 31 15:25:07.156634: | emitting length of IKEv2 Traffic Selector: 16 Oct 31 15:25:07.156636: | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 Oct 31 15:25:07.156639: | initiator child policy is compress=no, NOT sending v2N_IPCOMP_SUPPORTED Oct 31 15:25:07.156643: | integ=NONE: .key_size=0 encrypt=AES_GCM_16: .key_size=32 .salt_size=4 keymat_len=36 Oct 31 15:25:07.156735: | install_ipsec_sa() for #3: inbound and outbound Oct 31 15:25:07.156742: | could_route called for northnet-eastnet/0x2; kind=CK_PERMANENT that.has_client=yes oppo=no this.host_port=500 Oct 31 15:25:07.156745: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:07.156748: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.156751: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Oct 31 15:25:07.156754: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.156756: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Oct 31 15:25:07.156824: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Oct 31 15:25:07.156832: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:07.156836: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:07.156838: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:07.156841: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:07.156845: | setting IPsec SA replay-window to 32 Oct 31 15:25:07.156847: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Oct 31 15:25:07.156850: | netlink: enabling tunnel mode Oct 31 15:25:07.156853: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:07.156855: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:07.156858: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:07.156925: | netlink response for Add SA esp.6f03cd30@192.1.3.33 included non-error error Oct 31 15:25:07.157004: | setup_half_ipsec_sa() is installing inbound eroute? 
inbound=0 owner=#2 mode=1 Oct 31 15:25:07.157010: | set up outgoing SA, ref=0/0 Oct 31 15:25:07.157014: | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE Oct 31 15:25:07.157019: | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 Oct 31 15:25:07.157021: | AES_GCM_16 requires 4 salt bytes Oct 31 15:25:07.157024: | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 Oct 31 15:25:07.157028: | setting IPsec SA replay-window to 32 Oct 31 15:25:07.157031: | NIC esp-hw-offload not for connection 'northnet-eastnet/0x2' not available on interface eth1 Oct 31 15:25:07.157034: | netlink: enabling tunnel mode Oct 31 15:25:07.157036: | XFRM: adding IPsec SA with reqid 16393 Oct 31 15:25:07.157038: | netlink: setting IPsec SA replay-window to 32 using old-style req Oct 31 15:25:07.157041: | netlink: esp-hw-offload not set for IPsec SA Oct 31 15:25:07.157153: | netlink response for Add SA esp.194060e2@192.1.2.23 included non-error error Oct 31 15:25:07.157160: | setup_half_ipsec_sa() is installing inbound eroute? inbound=1 owner=#2 mode=1 Oct 31 15:25:07.157164: | set up incoming SA, ref=0/0 Oct 31 15:25:07.157166: | sr for #3: erouted Oct 31 15:25:07.157169: | route_and_eroute() for proto 0, and source port 0 dest port 0 Oct 31 15:25:07.157172: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:07.157175: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.157177: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Oct 31 15:25:07.157180: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:07.157182: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Oct 31 15:25:07.157185: | route owner of "northnet-eastnet/0x2" erouted: self; eroute owner: self Oct 31 15:25:07.157189: | route_and_eroute with c: northnet-eastnet/0x2 (next: none) ero:northnet-eastnet/0x2 esr:{(nil)} ro:northnet-eastnet/0x2 rosr:{(nil)} and state: #3 Oct 31 15:25:07.157191: | we are replacing an eroute Oct 31 15:25:07.157194: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:07.157209: | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.3.0/24:0 => tun.0@192.1.3.33>tun.0@192.1.3.33 using reqid 16393 (raw_eroute) proto=50 Oct 31 15:25:07.157216: | IPsec SA SPD priority set to 2084814 Oct 31 15:25:07.157236: | raw_eroute result=success Oct 31 15:25:07.157275: | route_and_eroute: firewall_notified: true Oct 31 15:25:07.157281: | route_and_eroute: instance "northnet-eastnet/0x2", setting eroute_owner {spd=0x55e8fea07e58,sr=0x55e8fea07e58} to #3 (was #2) (newest_ipsec_sa=#2) Oct 31 15:25:07.157369: | ISAKMP_v2_CREATE_CHILD_SA: instance northnet-eastnet/0x2[0], setting IKEv2 newest_ipsec_sa to #3 (was #2) (spd.eroute=#3) cloned from #1 Oct 31 15:25:07.157375: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:07.157379: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:07.157381: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:07.157384: | emitting length of IKEv2 Encryption Payload: 421 Oct 31 15:25:07.157386: | emitting length of ISAKMP Message: 449 Oct 31 15:25:07.157409: "northnet-eastnet/0x2" #3: negotiated new IPsec SA 
[192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Oct 31 15:25:07.157414: | delref logger@0x55e8fe9f7c88(1->0) (in handle_helper_answer() at pluto_crypt.c:658) Oct 31 15:25:07.157416: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.157418: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.157425: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in complete_v2_state_transition() at ikev2.c:3364) Oct 31 15:25:07.157430: | #3 complete_v2_state_transition() V2_NEW_CHILD_R0->ESTABLISHED_CHILD_SA with status STF_OK Oct 31 15:25:07.157432: | transitioning from state STATE_V2_NEW_CHILD_R0 to state STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:07.157434: | Message ID: updating counters for #3 Oct 31 15:25:07.157443: | Message ID: CHILD #1.#3 updating responder received message request 2: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1 ike.responder.recv=1->2 ike.responder.last_contact=744581.532072->744581.590233 child.wip.initiator=-1 child.wip.responder=2->-1 Oct 31 15:25:07.157452: | Message ID: CHILD #1.#3 updating responder sent message response 2: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=1->2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 child.wip.initiator=-1 child.wip.responder=-1 Oct 31 15:25:07.157458: | Message ID: IKE #1 no pending message initiators to schedule: ike.initiator.sent=-1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=-1 ike.wip.responder=-1 Oct 31 15:25:07.157462: | child state #3: V2_NEW_CHILD_R0(established IKE SA) => ESTABLISHED_CHILD_SA(established CHILD SA) Oct 31 15:25:07.157465: | pstats #3 ikev2.child established Oct 31 15:25:07.157467: | announcing the state transition Oct 31 15:25:07.157474: 
"northnet-eastnet/0x2" #3: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.3.0-192.0.3.255:0-65535 0] Oct 31 15:25:07.157478: | NAT-T: encaps is 'auto' Oct 31 15:25:07.157483: "northnet-eastnet/0x2" #3: IPsec SA established tunnel mode {ESP=>0x6f03cd30 <0x194060e2 xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} Oct 31 15:25:07.157490: | sending 449 bytes for STATE_V2_NEW_CHILD_R0 through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1)
Oct 31 15:25:07.157608: | sent 1 messages Oct 31 15:25:07.157613: | releasing #3's fd-fd@(nil) because IKEv2 transitions finished Oct 31 15:25:07.157616: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:07.157619: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3189) Oct 31 15:25:07.157624: | unpending #3's IKE SA #1 Oct 31 15:25:07.157627: | unpending state #1 connection "northnet-eastnet/0x2" Oct 31 15:25:07.157630: | releasing #1's fd-fd@(nil) because IKEv2 transitions finished so releaseing IKE SA Oct 31 15:25:07.157633: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:07.157636: | delref fd@NULL (in success_v2_state_transition() at ikev2.c:3222) Oct 31 15:25:07.157639: | #3 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) Oct 31 15:25:07.157642: | state #3 deleting .st_event EVENT_CRYPTO_TIMEOUT Oct 31 15:25:07.157648: | libevent_free: delref ptr-libevent@0x7ffb8000b578 Oct 31 15:25:07.157651: | free_event_entry: delref EVENT_CRYPTO_TIMEOUT-pe@0x55e8fea0e518 Oct 31 15:25:07.157655: | event_schedule: newref EVENT_SA_REKEY-pe@0x55e8fea0e518 Oct 31 15:25:07.157658: | inserting event EVENT_SA_REKEY, timeout in 28530 seconds for #3 Oct 31 15:25:07.157662: | libevent_malloc: newref ptr-libevent@0x7ffb84006108 size 128 Oct 31 15:25:07.157667: | delref
mdp@0x55e8fea098b8(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:07.157670: | delref logger@0x55e8fea0f218(1->0) (in resume_handler() at server.c:743) Oct 31 15:25:07.157674: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:07.157676: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:07.157684: | #3 spent 1.11 (1.51) milliseconds in resume sending helper answer back to state Oct 31 15:25:07.157690: | stop processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in resume_handler() at server.c:745) Oct 31 15:25:07.157693: | libevent_free: delref ptr-libevent@0x7ffb78001fb8 Oct 31 15:25:09.544159: | newref struct fd@0x55e8fea157a8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:09.544178: | fd_accept: new fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:09.544191: | whack: traffic_status Oct 31 15:25:09.544195: | FOR_EACH_STATE_... in show_traffic_status (sort_states) Oct 31 15:25:09.544219: | FOR_EACH_STATE_... in sort_states Oct 31 15:25:09.544231: | get_sa_info esp.298ff425@192.1.2.23 Oct 31 15:25:09.544584: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:09.544606: | get_sa_info esp.194060e2@192.1.2.23 Oct 31 15:25:09.544615: | get_sa_info esp.6f03cd30@192.1.3.33 Oct 31 15:25:09.544627: | delref fd@0x55e8fea157a8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:09.544636: | freeref fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:09.544644: | spent 0.475 (0.493) milliseconds in whack Oct 31 15:25:09.817944: | newref struct fd@0x55e8fea157a8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:09.817963: | fd_accept: new fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:09.818014: | whack: status Oct 31 15:25:09.818252: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:09.818260: | FOR_EACH_CONNECTION_... in show_connections_status Oct 31 15:25:09.818513: | FOR_EACH_STATE_... 
in show_states (sort_states) Oct 31 15:25:09.818520: | FOR_EACH_STATE_... in sort_states Oct 31 15:25:09.818538: | get_sa_info esp.298ff425@192.1.2.23 Oct 31 15:25:09.818556: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:09.818577: | get_sa_info esp.194060e2@192.1.2.23 Oct 31 15:25:09.818589: | get_sa_info esp.6f03cd30@192.1.3.33 Oct 31 15:25:09.818627: | delref fd@0x55e8fea157a8(1->0) (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:09.818636: | freeref fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:903) Oct 31 15:25:09.818645: | spent 0.51 (0.71) milliseconds in whack Oct 31 15:25:11.151048: | newref struct fd@0x55e8fea157a8(0->1) (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:11.151067: | fd_accept: new fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:869) Oct 31 15:25:11.151087: shutting down Oct 31 15:25:11.151099: | leaking fd-fd@0x55e8fea157a8's FD; will be closed when pluto exits (in whack_handle_cb() at rcv_whack.c:889) Oct 31 15:25:11.151104: | delref fd@0x55e8fea157a8(1->0) (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:25:11.151111: | freeref fd-fd@0x55e8fea157a8 (in whack_handle_cb() at rcv_whack.c:895) Oct 31 15:25:11.151131: | shutting down helper thread 7 Oct 31 15:25:11.151144: | helper thread 7 exited Oct 31 15:25:11.151163: | shutting down helper thread 2 Oct 31 15:25:11.151172: | helper thread 2 exited Oct 31 15:25:11.151184: | shutting down helper thread 1 Oct 31 15:25:11.151192: | helper thread 1 exited Oct 31 15:25:11.151204: | shutting down helper thread 3 Oct 31 15:25:11.151217: | helper thread 3 exited Oct 31 15:25:11.151228: | shutting down helper thread 4 Oct 31 15:25:11.151237: | helper thread 4 exited Oct 31 15:25:11.151245: | shutting down helper thread 5 Oct 31 15:25:11.151252: | helper thread 5 exited Oct 31 15:25:11.151261: | shutting down helper thread 6 Oct 31 15:25:11.151269: | helper thread 6 exited Oct 31 15:25:11.151272: 7 helper threads shutdown Oct 31 15:25:11.151275: | delref 
root_certs@NULL (in free_root_certs() at root_certs.c:127) Oct 31 15:25:11.151277: | certs and keys locked by 'free_preshared_secrets' Oct 31 15:25:11.151279: forgetting secrets Oct 31 15:25:11.151282: | certs and keys unlocked by 'free_preshared_secrets' Oct 31 15:25:11.151285: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:25:11.151287: | pass 0 Oct 31 15:25:11.151288: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:25:11.151290: | state #3 Oct 31 15:25:11.151296: | start processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:25:11.151298: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:25:11.151299: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:25:11.151301: | pstats #3 ikev2.child deleted completed Oct 31 15:25:11.151305: | #3 main thread spent 2.3 (2.71) milliseconds helper thread spent 2.67 (3.22) milliseconds in total Oct 31 15:25:11.151308: | [RE]START processing: state #3 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:935) Oct 31 15:25:11.151311: | should_send_delete: yes Oct 31 15:25:11.151314: "northnet-eastnet/0x2" #3: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 3.999921s and sending notification Oct 31 15:25:11.151316: | child state #3: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:25:11.151320: | get_sa_info esp.6f03cd30@192.1.3.33 Oct 31 15:25:11.151617: | get_sa_info esp.194060e2@192.1.2.23 Oct 31 15:25:11.151626: "northnet-eastnet/0x2" #3: ESP traffic information: in=336B out=336B Oct 31 15:25:11.151629: | unsuspending #3 MD (nil) Oct 31 15:25:11.151631: | should_send_delete: yes Oct 31 15:25:11.151633: | #3 send IKEv2 delete notification for STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:11.151636: | opening output PBS informational exchange 
delete request Oct 31 15:25:11.151638: | **emit ISAKMP Message: Oct 31 15:25:11.151642: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:11.151650: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.151656: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:11.151659: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:11.151661: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:25:11.151664: | flags: none (0x0) Oct 31 15:25:11.151669: | Message ID: 0 (00 00 00 00) Oct 31 15:25:11.151672: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:11.151675: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:11.151678: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.151682: | flags: none (0x0) Oct 31 15:25:11.151685: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:11.151688: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.151694: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:11.151703: | ****emit IKEv2 Delete Payload: Oct 31 15:25:11.151706: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.151707: | flags: none (0x0) Oct 31 15:25:11.151709: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:11.151711: | SPI size: 4 (04) Oct 31 15:25:11.151713: | number of SPIs: 1 (00 01) Oct 31 15:25:11.151715: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:25:11.151716: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.151718: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Oct 31 15:25:11.151720: | local spis: 19 40 60 e2 Oct 31 15:25:11.151722: | 
emitting length of IKEv2 Delete Payload: 12 Oct 31 15:25:11.151724: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:11.151725: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:11.151727: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:11.151729: | emitting length of IKEv2 Encryption Payload: 41 Oct 31 15:25:11.151730: | emitting length of ISAKMP Message: 69 Oct 31 15:25:11.151747: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31 15:25:11.151749: | be 24 bd 7a a6 09 d5 ef 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.151751: | 2e 20 25 00 00 00 00 00 00 00 00 45 2a 00 00 29 Oct 31 15:25:11.151752: | af bc 75 ba 34 d7 2d da 0b fa 3a b4 e6 f4 14 5b Oct 31 15:25:11.151753: | 87 c5 16 81 d3 53 6d de 3b 34 3b c9 70 e4 96 c9 Oct 31 15:25:11.151755: | f1 81 e6 4a e6 Oct 31 15:25:11.151795: | sent 1 messages Oct 31 15:25:11.151800: | Message ID: IKE #1 sender #3 in send_delete hacking around record 'n' send Oct 31 15:25:11.151807: | Message ID: IKE #1 scheduling EVENT_RETRANSMIT: ike.initiator.sent=0 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=0 ike.wip.responder=-1 Oct 31 15:25:11.151812: "northnet-eastnet/0x2" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds Oct 31 15:25:11.151816: | event_schedule: newref EVENT_RETRANSMIT-pe@0x55e8fea07038 Oct 31 15:25:11.151819: | inserting event EVENT_RETRANSMIT, timeout in 60 seconds for #1 Oct 31 15:25:11.151822: | libevent_malloc: newref ptr-libevent@0x7ffb78001fb8 size 128 Oct 31 15:25:11.151828: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 744585.584611 Oct 31 15:25:11.151835: | Message ID: IKE #1 updating 
initiator sent message request 0: ike.initiator.sent=-1->0 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=-1->0 ike.wip.responder=-1 Oct 31 15:25:11.151838: | state #3 deleting .st_event EVENT_SA_REKEY Oct 31 15:25:11.151843: | libevent_free: delref ptr-libevent@0x7ffb84006108 Oct 31 15:25:11.151845: | free_event_entry: delref EVENT_SA_REKEY-pe@0x55e8fea0e518 Oct 31 15:25:11.151849: | #3 STATE_V2_ESTABLISHED_CHILD_SA: retransmits: cleared Oct 31 15:25:11.154249: | running updown command "ipsec _updown" for verb down Oct 31 15:25:11.154261: | command executing down-client Oct 31 15:25:11.154270: | get_sa_info esp.6f03cd30@192.1.3.33 Oct 31 15:25:11.154285: | get_sa_info esp.194060e2@192.1.2.23 Oct 31 15:25:11.154319: | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUT... 
Oct 31 15:25:11.154326: | popen cmd is 1134 chars long Oct 31 15:25:11.154328: | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/: Oct 31 15:25:11.154331: | cmd( 80):0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLU: Oct 31 15:25:11.154333: | cmd( 160):TO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIE: Oct 31 15:25:11.154336: | cmd( 240):NT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.: Oct 31 15:25:11.154338: | cmd( 320):255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_T: Oct 31 15:25:11.154341: | cmd( 400):YPE='ESP' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.: Oct 31 15:25:11.154343: | cmd( 480):0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.: Oct 31 15:25:11.154346: | cmd( 560):0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfr: Oct 31 15:25:11.154348: | cmd( 640):m' PLUTO_ADDTIME='1604157907' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPI: Oct 31 15:25:11.154351: | cmd( 720):P+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_A: Oct 31 15:25:11.154353: | cmd( 800):DDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' P: Oct 31 15:25:11.154356: | cmd( 880):LUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLI: Oct 31 15:25:11.154358: | cmd( 960):ENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTES='336' PLUTO_OUTBYTES='336' VTI_IFA: Oct 31 15:25:11.154360: | cmd(1040):CE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x6f03cd30 SPI_OUT=0x194060e2 ipse: Oct 31 15:25:11.154363: | cmd(1120):c _updown 2>&1: Oct 31 15:25:11.168515: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Oct 31 15:25:11.168539: | 
netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Oct 31 15:25:11.168544: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:11.168549: | IPsec SA SPD priority set to 2084814 Oct 31 15:25:11.168594: | delete esp.6f03cd30@192.1.3.33 Oct 31 15:25:11.168598: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:11.168621: | netlink response for Del SA esp.6f03cd30@192.1.3.33 included non-error error Oct 31 15:25:11.168626: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:11.168635: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk.10000@192.1.2.23 using reqid 0 (raw_eroute) proto=50 Oct 31 15:25:11.168659: | raw_eroute result=success Oct 31 15:25:11.168665: | delete esp.194060e2@192.1.2.23 Oct 31 15:25:11.168668: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:11.168684: | netlink response for Del SA esp.194060e2@192.1.2.23 included non-error error Oct 31 15:25:11.168692: | in connection_discard for connection northnet-eastnet/0x2 Oct 31 15:25:11.168696: | State DB: deleting IKEv2 state #3 in ESTABLISHED_CHILD_SA Oct 31 15:25:11.168701: | child state #3: ESTABLISHED_CHILD_SA(established CHILD SA) => UNDEFINED(ignore) Oct 31 15:25:11.168705: | releasing #3's fd-fd@(nil) because deleting state Oct 31 15:25:11.168708: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.168714: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.168724: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:25:11.168753: | stop processing: state #3 from 192.1.3.33:500 (in delete_state() at state.c:1239) Oct 31 15:25:11.168763: | delref logger@0x55e8fea0d9c8(1->0) (in delete_state() at state.c:1306) Oct 31 15:25:11.168767: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:11.168769: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:11.168773: | processing: STOP state #0 (in 
foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:25:11.168776: | state #2 Oct 31 15:25:11.168781: | start processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:25:11.168784: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:25:11.168787: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:25:11.168790: | pstats #2 ikev2.child deleted completed Oct 31 15:25:11.168796: | #2 main thread spent 0 (0) milliseconds helper thread spent 0 (0) milliseconds in total Oct 31 15:25:11.168801: | [RE]START processing: state #2 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:935) Oct 31 15:25:11.168804: | should_send_delete: yes Oct 31 15:25:11.168809: "northnet-eastnet/0x2" #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) aged 4.103668s and sending notification Oct 31 15:25:11.168813: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => delete Oct 31 15:25:11.168817: | get_sa_info esp.8430c847@192.1.3.33 Oct 31 15:25:11.168828: | get_sa_info esp.298ff425@192.1.2.23 Oct 31 15:25:11.168837: "northnet-eastnet/0x2" #2: ESP traffic information: in=0B out=0B Oct 31 15:25:11.168841: | unsuspending #2 MD (nil) Oct 31 15:25:11.168844: | should_send_delete: yes Oct 31 15:25:11.168847: | #2 send IKEv2 delete notification for STATE_V2_ESTABLISHED_CHILD_SA Oct 31 15:25:11.168850: | opening output PBS informational exchange delete request Oct 31 15:25:11.168853: | **emit ISAKMP Message: Oct 31 15:25:11.168859: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:11.168864: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.168867: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:11.168869: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:11.168872: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:25:11.168876: 
| flags: none (0x0) Oct 31 15:25:11.168880: | Message ID: 1 (00 00 00 01) Oct 31 15:25:11.168883: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:11.168887: | ***emit IKEv2 Encryption Payload: Oct 31 15:25:11.168890: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.168892: | flags: none (0x0) Oct 31 15:25:11.168896: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:11.168899: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.168902: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:11.168912: | ****emit IKEv2 Delete Payload: Oct 31 15:25:11.168916: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.168918: | flags: none (0x0) Oct 31 15:25:11.168921: | protocol ID: IKEv2_SEC_PROTO_ESP (0x3) Oct 31 15:25:11.168924: | SPI size: 4 (04) Oct 31 15:25:11.168928: | number of SPIs: 1 (00 01) Oct 31 15:25:11.168931: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:25:11.168933: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.168937: | emitting 4 raw bytes of local spis into IKEv2 Delete Payload Oct 31 15:25:11.168941: | local spis: 29 8f f4 25 Oct 31 15:25:11.168947: | emitting length of IKEv2 Delete Payload: 12 Oct 31 15:25:11.168950: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:11.168954: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:11.168957: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:11.168959: | emitting length of IKEv2 Encryption Payload: 41 Oct 31 
15:25:11.168962: | emitting length of ISAKMP Message: 69 Oct 31 15:25:11.168984: | sending 69 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31 15:25:11.168988: | be 24 bd 7a a6 09 d5 ef 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.168990: | 2e 20 25 00 00 00 00 01 00 00 00 45 2a 00 00 29 Oct 31 15:25:11.168992: | 35 3e 4c e5 45 7d 2f be 30 c3 f7 6c e0 95 1c 4b Oct 31 15:25:11.168995: | 8c 5a 83 a2 98 cb 64 e5 dc 81 41 a2 84 31 40 ed Oct 31 15:25:11.168997: | 14 a9 23 f1 af Oct 31 15:25:11.169042: | sent 1 messages Oct 31 15:25:11.169046: | Message ID: IKE #1 sender #2 in send_delete hacking around record 'n' send Oct 31 15:25:11.169054: | Message ID: IKE #1 XXX: expecting sender.wip.initiator 0 == -1 - suspect record'n'send out-of-order?): ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:25:11.169061: | Message ID: IKE #1 XXX: EVENT_RETRANSMIT already scheduled -- suspect record'n'send: ike.initiator.sent=1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=1 ike.wip.responder=-1 Oct 31 15:25:11.169068: | Message ID: IKE #1 updating initiator sent message request 1: ike.initiator.sent=0->1 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=0->1 ike.wip.responder=-1 Oct 31 15:25:11.169072: | state #2 deleting .st_event EVENT_SA_REKEY Oct 31 15:25:11.169077: | libevent_free: delref ptr-libevent@0x55e8fea0f438 Oct 31 15:25:11.169080: | free_event_entry: delref EVENT_SA_REKEY-pe@0x55e8fea131b8 Oct 31 15:25:11.169084: | #2 STATE_V2_ESTABLISHED_CHILD_SA: retransmits: cleared Oct 31 15:25:11.169133: | delete esp.8430c847@192.1.3.33 
Oct 31 15:25:11.169137: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:11.169150: | netlink response for Del SA esp.8430c847@192.1.3.33 included non-error error Oct 31 15:25:11.169154: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:11.169162: | delete inbound eroute 192.0.3.0/24:0 --0-> 192.0.2.0/24:0 => unk.10000@192.1.2.23 using reqid 0 (raw_eroute) proto=50 Oct 31 15:25:11.169173: | raw_eroute result=success Oct 31 15:25:11.169177: | delete esp.298ff425@192.1.2.23 Oct 31 15:25:11.169180: | XFRM: deleting IPsec SA with reqid 0 Oct 31 15:25:11.169190: | netlink response for Del SA esp.298ff425@192.1.2.23 included non-error error Oct 31 15:25:11.169195: | in connection_discard for connection northnet-eastnet/0x2 Oct 31 15:25:11.169197: | State DB: deleting IKEv2 state #2 in ESTABLISHED_CHILD_SA Oct 31 15:25:11.169231: | child state #2: ESTABLISHED_CHILD_SA(established CHILD SA) => UNDEFINED(ignore) Oct 31 15:25:11.169235: | releasing #2's fd-fd@(nil) because deleting state Oct 31 15:25:11.169238: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.169240: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.169243: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:25:11.169250: | stop processing: state #2 from 192.1.3.33:500 (in delete_state() at state.c:1239) Oct 31 15:25:11.169255: | delref logger@0x55e8fea0eb98(1->0) (in delete_state() at state.c:1306) Oct 31 15:25:11.169258: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:11.169261: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:11.169266: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:25:11.169269: | state #1 Oct 31 15:25:11.169271: | pass 1 Oct 31 15:25:11.169274: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Oct 31 15:25:11.169276: | state #1 Oct 31 15:25:11.169281: | start processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in foreach_state_by_connection_func_delete() at state.c:1406) Oct 31 15:25:11.169284: | delref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1408) Oct 31 15:25:11.169287: | addref fd@NULL (in foreach_state_by_connection_func_delete() at state.c:1409) Oct 31 15:25:11.169289: | pstats #1 ikev2.ike deleted completed Oct 31 15:25:11.169295: | #1 main thread spent 7 (40.7) milliseconds helper thread spent 2.79 (2.85) milliseconds in total Oct 31 15:25:11.169300: | [RE]START processing: state #1 connection "northnet-eastnet/0x2" from 192.1.3.33:500 (in delete_state() at state.c:935) Oct 31 15:25:11.169303: | should_send_delete: yes Oct 31 15:25:11.169308: "northnet-eastnet/0x2" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) aged 4.112651s and sending notification Oct 31 15:25:11.169311: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => delete Oct 31 15:25:11.169409: | unsuspending #1 MD (nil) Oct 31 15:25:11.169414: | should_send_delete: yes Oct 31 15:25:11.169423: | #1 send IKEv2 delete notification for STATE_V2_ESTABLISHED_IKE_SA Oct 31 15:25:11.169427: | opening output PBS informational exchange delete request Oct 31 15:25:11.169430: | **emit ISAKMP Message: Oct 31 15:25:11.169435: | initiator SPI: be 24 bd 7a a6 09 d5 ef Oct 31 15:25:11.169439: | responder SPI: 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.169442: | next payload type: ISAKMP_NEXT_NONE (0x0) Oct 31 15:25:11.169445: | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) Oct 31 15:25:11.169448: | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) Oct 31 15:25:11.169451: | flags: none (0x0) Oct 31 15:25:11.169454: | Message ID: 2 (00 00 00 02) Oct 31 15:25:11.169458: | next payload chain: saving message location 'ISAKMP Message'.'next payload type' Oct 31 15:25:11.169461: | ***emit IKEv2 
Encryption Payload: Oct 31 15:25:11.169464: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.169466: | flags: none (0x0) Oct 31 15:25:11.169469: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) Oct 31 15:25:11.169472: | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.169476: | emitting 8 zero bytes of IV into IKEv2 Encryption Payload Oct 31 15:25:11.169482: | ****emit IKEv2 Delete Payload: Oct 31 15:25:11.169485: | next payload type: ISAKMP_NEXT_v2NONE (0x0) Oct 31 15:25:11.169488: | flags: none (0x0) Oct 31 15:25:11.169491: | protocol ID: IKEv2_SEC_PROTO_IKE (0x1) Oct 31 15:25:11.169494: | SPI size: 0 (00) Oct 31 15:25:11.169497: | number of SPIs: 0 (00 00) Oct 31 15:25:11.169500: | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) Oct 31 15:25:11.169503: | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'informational exchange delete request' Oct 31 15:25:11.169506: | emitting length of IKEv2 Delete Payload: 8 Oct 31 15:25:11.169508: | adding 1 bytes of padding (including 1 byte padding-length) Oct 31 15:25:11.169511: | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload Oct 31 15:25:11.169514: | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload Oct 31 15:25:11.169517: | emitting length of IKEv2 Encryption Payload: 37 Oct 31 15:25:11.169519: | emitting length of ISAKMP Message: 65 Oct 31 15:25:11.169535: | sending 65 bytes for delete notification through eth1 from 192.1.2.23:500 to 192.1.3.33:500 using UDP (for #1) Oct 31 15:25:11.169540: | be 24 bd 7a a6 09 d5 ef 3a 8b c5 ff b6 fd 49 a9 Oct 31 15:25:11.169543: | 2e 20 25 00 00 00 00 02 00 00 00 41 2a 00 00 25 Oct 31 15:25:11.169545: | a1 ea 
d7 ba 5f 7b 1b a0 f2 e0 ad 4c de de c2 e8 Oct 31 15:25:11.169548: | 6d a7 39 17 1c 8f 0b 5d 87 bc 38 6c 05 00 52 d6 Oct 31 15:25:11.169550: | 24 Oct 31 15:25:11.169573: | sent 1 messages Oct 31 15:25:11.169577: | Message ID: IKE #1 sender #1 in send_delete hacking around record 'n' send Oct 31 15:25:11.169584: | Message ID: IKE #1 XXX: expecting sender.wip.initiator 1 == -1 - suspect record'n'send out-of-order?): ike.initiator.sent=2 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=2 ike.wip.responder=-1 Oct 31 15:25:11.169591: | Message ID: IKE #1 XXX: EVENT_RETRANSMIT already scheduled -- suspect record'n'send: ike.initiator.sent=2 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=2 ike.wip.responder=-1 Oct 31 15:25:11.169598: | Message ID: IKE #1 updating initiator sent message request 2: ike.initiator.sent=1->2 ike.initiator.recv=-1 ike.initiator.last_contact=744581.489487 ike.responder.sent=2 ike.responder.recv=2 ike.responder.last_contact=744581.590233 ike.wip.initiator=1->2 ike.wip.responder=-1 Oct 31 15:25:11.169601: | state #1 deleting .st_event EVENT_SA_REKEY Oct 31 15:25:11.169605: | libevent_free: delref ptr-libevent@0x55e8fea0ee98 Oct 31 15:25:11.169608: | free_event_entry: delref EVENT_SA_REKEY-pe@0x55e8fea0f088 Oct 31 15:25:11.169611: | #1 requesting EVENT_RETRANSMIT-pe@0x55e8fea07038 be deleted Oct 31 15:25:11.169614: | libevent_free: delref ptr-libevent@0x7ffb78001fb8 Oct 31 15:25:11.169618: | free_event_entry: delref EVENT_RETRANSMIT-pe@0x55e8fea07038 Oct 31 15:25:11.169620: | #1 STATE_V2_ESTABLISHED_IKE_SA: retransmits: cleared Oct 31 15:25:11.169624: | State DB: IKEv2 state not found (flush_incomplete_children) Oct 31 15:25:11.169627: | in connection_discard for connection northnet-eastnet/0x2 Oct 31 15:25:11.169630: | 
State DB: deleting IKEv2 state #1 in ESTABLISHED_IKE_SA Oct 31 15:25:11.169634: | parent state #1: ESTABLISHED_IKE_SA(established IKE SA) => UNDEFINED(ignore) Oct 31 15:25:11.169637: | releasing #1's fd-fd@(nil) because deleting state Oct 31 15:25:11.169639: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.169642: | delref fd@NULL (in delete_state() at state.c:1195) Oct 31 15:25:11.169644: | delref pkp@NULL (in delete_state() at state.c:1202) Oct 31 15:25:11.169659: | stop processing: state #1 from 192.1.3.33:500 (in delete_state() at state.c:1239) Oct 31 15:25:11.169677: | delref logger@0x55e8fe9f79e8(1->0) (in delete_state() at state.c:1306) Oct 31 15:25:11.169680: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:11.169683: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:11.169686: | processing: STOP state #0 (in foreach_state_by_connection_func_delete() at state.c:1411) Oct 31 15:25:11.169693: | shunt_eroute() called for connection 'northnet-eastnet/0x2' to 'delete' for rt_kind 'unrouted' using protoports 192.0.2.0/24:0 --0->- 192.0.3.0/24:0 Oct 31 15:25:11.169699: | netlink_shunt_eroute for proto 0, and source 192.0.2.0/24:0 dest 192.0.3.0/24:0 Oct 31 15:25:11.169702: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:11.169723: | priority calculation of connection "northnet-eastnet/0x2" is 2084814 (0x1fcfce) Oct 31 15:25:11.169735: | FOR_EACH_CONNECTION_... 
in route_owner Oct 31 15:25:11.169739: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:11.169742: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 Oct 31 15:25:11.169745: | conn northnet-eastnet/0x2 mark 0/00000000, 0/00000000 vs Oct 31 15:25:11.169747: | conn northnet-eastnet/0x1 mark 0/00000000, 0/00000000 Oct 31 15:25:11.169751: | route owner of "northnet-eastnet/0x2" unrouted: NULL Oct 31 15:25:11.169755: | running updown command "ipsec _updown" for verb unroute Oct 31 15:25:11.169758: | command executing unroute-client Oct 31 15:25:11.169790: | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastnet/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT='192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IF... 
Oct 31 15:25:11.169793: | popen cmd is 1074 chars long Oct 31 15:25:11.169796: | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='northnet-eastn: Oct 31 15:25:11.169799: | cmd( 80):et/0x2' PLUTO_VIRT_INTERFACE='NULL' PLUTO_INTERFACE='eth1' PLUTO_XFRMI_ROUTE='' : Oct 31 15:25:11.169802: | cmd( 160):PLUTO_NEXT_HOP='192.1.3.33' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_C: Oct 31 15:25:11.169804: | cmd( 240):LIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.2: Oct 31 15:25:11.169806: | cmd( 320):55.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16392' PLUTO_S: Oct 31 15:25:11.169809: | cmd( 400):A_TYPE='none' PLUTO_PEER='192.1.3.33' PLUTO_PEER_ID='@north' PLUTO_PEER_CLIENT=': Oct 31 15:25:11.169812: | cmd( 480):192.0.3.0/24' PLUTO_PEER_CLIENT_NET='192.0.3.0' PLUTO_PEER_CLIENT_MASK='255.255.: Oct 31 15:25:11.169814: | cmd( 560):255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=: Oct 31 15:25:11.169816: | cmd( 640):'xfrm' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKE: Oct 31 15:25:11.169819: | cmd( 720):V2_ALLOW+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFA: Oct 31 15:25:11.169821: | cmd( 800):MILY='ipv4' XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_: Oct 31 15:25:11.169823: | cmd( 880):PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT=': Oct 31 15:25:11.169826: | cmd( 960):0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: Oct 31 15:25:11.169828: | cmd(1040):0x0 SPI_OUT=0x0 ipsec _updown 2>&1: Oct 31 15:25:11.194044: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194088: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194099: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:11.194114: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194128: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194153: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194168: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194181: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194195: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194231: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194244: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194262: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194276: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194291: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194361: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194366: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194369: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194372: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194374: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194377: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194380: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194389: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194403: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194416: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194484: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:11.194489: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194492: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194494: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194497: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194500: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194502: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.194514: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195062: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195097: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195109: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195128: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195157: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195186: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195203: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195236: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195249: unroute-client output: Error: Peer netns reference is invalid. Oct 31 15:25:11.195265: unroute-client output: Error: Peer netns reference is invalid. 
Oct 31 15:25:11.203863: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:11.203877: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:11.203881: | newref clone logger@0x55e8fe9f7c88(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:11.203884: | flush revival: connection 'northnet-eastnet/0x2' wasn't on the list Oct 31 15:25:11.203887: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:25:11.203888: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:25:11.203896: | Connection DB: deleting connection $2 Oct 31 15:25:11.203899: | delref logger@0x55e8fe9f7c88(1->0) (in delete_connection() at connections.c:214) Oct 31 15:25:11.203900: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:11.203902: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:11.203904: | deleting states for connection - including all other IPsec SA's of this IKE SA Oct 31 15:25:11.203906: | pass 0 Oct 31 15:25:11.203907: | FOR_EACH_STATE_... in foreach_state_by_connection_func_delete Oct 31 15:25:11.203909: | pass 1 Oct 31 15:25:11.203910: | FOR_EACH_STATE_... 
in foreach_state_by_connection_func_delete Oct 31 15:25:11.203912: | addref fd@NULL (in clone_logger() at log.c:809) Oct 31 15:25:11.203913: | addref fd@NULL (in clone_logger() at log.c:810) Oct 31 15:25:11.203915: | newref clone logger@0x55e8fe9f7c88(0->1) (in clone_logger() at log.c:817) Oct 31 15:25:11.203918: | delref hp@0x55e8fea077d8(1->0) (in delete_oriented_hp() at hostpair.c:360) Oct 31 15:25:11.203919: | flush revival: connection 'northnet-eastnet/0x1' wasn't on the list Oct 31 15:25:11.203921: | delref vip@NULL (in discard_connection() at connections.c:262) Oct 31 15:25:11.203925: | delref vip@NULL (in discard_connection() at connections.c:263) Oct 31 15:25:11.203930: | Connection DB: deleting connection $1 Oct 31 15:25:11.203932: | delref logger@0x55e8fe9f7c88(1->0) (in delete_connection() at connections.c:214) Oct 31 15:25:11.203933: | delref fd@NULL (in free_logger() at log.c:853) Oct 31 15:25:11.203935: | delref fd@NULL (in free_logger() at log.c:854) Oct 31 15:25:11.203937: | crl fetch request list locked by 'free_crl_fetch' Oct 31 15:25:11.203938: | crl fetch request list unlocked by 'free_crl_fetch' Oct 31 15:25:11.203944: | iface: marking eth1 dead Oct 31 15:25:11.203946: | iface: marking eth0 dead Oct 31 15:25:11.203947: | iface: marking lo dead Oct 31 15:25:11.203949: | updating interfaces - listing interfaces that are going down Oct 31 15:25:11.203953: shutting down interface lo 127.0.0.1:4500 Oct 31 15:25:11.203956: shutting down interface lo 127.0.0.1:500 Oct 31 15:25:11.203959: shutting down interface eth0 192.0.2.254:4500 Oct 31 15:25:11.203962: shutting down interface eth0 192.0.2.254:500 Oct 31 15:25:11.203968: shutting down interface eth1 192.1.2.23:4500 Oct 31 15:25:11.203973: shutting down interface eth1 192.1.2.23:500 Oct 31 15:25:11.203975: | updating interfaces - deleting the dead Oct 31 15:25:11.203981: | FOR_EACH_STATE_... 
in delete_states_dead_interfaces Oct 31 15:25:11.203993: | libevent_free: delref ptr-libevent@0x55e8fea00a38 Oct 31 15:25:11.203997: | delref id@0x55e8fea04b38(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204009: | libevent_free: delref ptr-libevent@0x55e8fe9c40c8 Oct 31 15:25:11.204014: | delref id@0x55e8fea04b38(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204021: | libevent_free: delref ptr-libevent@0x55e8fe9b9388 Oct 31 15:25:11.204023: | delref id@0x55e8fea04a68(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204028: | libevent_free: delref ptr-libevent@0x55e8fe9c41c8 Oct 31 15:25:11.204030: | delref id@0x55e8fea04a68(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204035: | libevent_free: delref ptr-libevent@0x55e8fe9c0be8 Oct 31 15:25:11.204036: | delref id@0x55e8fea04938(3->2) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204040: | libevent_free: delref ptr-libevent@0x55e8fe9c0b38 Oct 31 15:25:11.204042: | delref id@0x55e8fea04938(2->1) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204046: | delref id@0x55e8fea04938(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204047: | delref id@0x55e8fea04a68(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204049: | delref id@0x55e8fea04b38(1->0) (in release_iface_dev() at iface.c:125) Oct 31 15:25:11.204051: | updating interfaces - checking orientation Oct 31 15:25:11.204052: | FOR_EACH_UNORIENTED_CONNECTION_... 
in check_orientations Oct 31 15:25:11.207073: | libevent_free: delref ptr-libevent@0x55e8fea00ae8 Oct 31 15:25:11.207089: | free_event_entry: delref EVENT_NULL-pe@0x55e8fea03f28 Oct 31 15:25:11.207096: | libevent_free: delref ptr-libevent@0x55e8fe9c3fc8 Oct 31 15:25:11.207099: | free_event_entry: delref EVENT_NULL-pe@0x55e8fea009c8 Oct 31 15:25:11.207102: | libevent_free: delref ptr-libevent@0x55e8fe9c3f18 Oct 31 15:25:11.207105: | free_event_entry: delref EVENT_NULL-pe@0x55e8fe9fcfb8 Oct 31 15:25:11.207108: | global timer EVENT_REINIT_SECRET uninitialized Oct 31 15:25:11.207111: | global timer EVENT_SHUNT_SCAN uninitialized Oct 31 15:25:11.207113: | global timer EVENT_PENDING_DDNS uninitialized Oct 31 15:25:11.207121: | global timer EVENT_PENDING_PHASE2 uninitialized Oct 31 15:25:11.207124: | global timer EVENT_CHECK_CRLS uninitialized Oct 31 15:25:11.207126: | global timer EVENT_REVIVE_CONNS uninitialized Oct 31 15:25:11.207128: | global timer EVENT_FREE_ROOT_CERTS uninitialized Oct 31 15:25:11.207130: | global timer EVENT_RESET_LOG_RATE_LIMIT uninitialized Oct 31 15:25:11.207133: | global timer EVENT_NAT_T_KEEPALIVE uninitialized Oct 31 15:25:11.207137: | libevent_free: delref ptr-libevent@0x55e8fe9ba378 Oct 31 15:25:11.207143: | signal event handler PLUTO_SIGCHLD uninstalled Oct 31 15:25:11.207146: | libevent_free: delref ptr-libevent@0x55e8fe9569d8 Oct 31 15:25:11.207148: | signal event handler PLUTO_SIGTERM uninstalled Oct 31 15:25:11.207151: | libevent_free: delref ptr-libevent@0x55e8fe956738 Oct 31 15:25:11.207153: | signal event handler PLUTO_SIGHUP uninstalled Oct 31 15:25:11.207156: | libevent_free: delref ptr-libevent@0x55e8fea042b8 Oct 31 15:25:11.207159: | signal event handler PLUTO_SIGSYS uninstalled Oct 31 15:25:11.207161: | releasing event base Oct 31 15:25:11.207175: | libevent_free: delref ptr-libevent@0x55e8fea04188 Oct 31 15:25:11.207178: | libevent_free: delref ptr-libevent@0x55e8fe9f34a8 Oct 31 15:25:11.207182: | libevent_free: delref 
ptr-libevent@0x55e8fe9f3458 Oct 31 15:25:11.207184: | libevent_free: delref ptr-libevent@0x55e8fea0e408 Oct 31 15:25:11.207187: | libevent_free: delref ptr-libevent@0x55e8fe9f3658 Oct 31 15:25:11.207189: | libevent_free: delref ptr-libevent@0x55e8fe9f79a8 Oct 31 15:25:11.207192: | libevent_free: delref ptr-libevent@0x55e8fe9f77b8 Oct 31 15:25:11.207194: | libevent_free: delref ptr-libevent@0x55e8fe9f37c8 Oct 31 15:25:11.207196: | libevent_free: delref ptr-libevent@0x55e8fe9f75c8 Oct 31 15:25:11.207233: | libevent_free: delref ptr-libevent@0x55e8fe9f6f88 Oct 31 15:25:11.207238: | libevent_free: delref ptr-libevent@0x55e8fea05618 Oct 31 15:25:11.207245: | libevent_free: delref ptr-libevent@0x55e8fea055d8 Oct 31 15:25:11.207248: | libevent_free: delref ptr-libevent@0x55e8fea05598 Oct 31 15:25:11.207250: | libevent_free: delref ptr-libevent@0x55e8fea05558 Oct 31 15:25:11.207252: | libevent_free: delref ptr-libevent@0x55e8fea05518 Oct 31 15:25:11.207254: | libevent_free: delref ptr-libevent@0x55e8fea04e78 Oct 31 15:25:11.207256: | libevent_free: delref ptr-libevent@0x55e8fe9f3698 Oct 31 15:25:11.207258: | libevent_free: delref ptr-libevent@0x55e8fea04108 Oct 31 15:25:11.207260: | libevent_free: delref ptr-libevent@0x55e8fea040c8 Oct 31 15:25:11.207262: | libevent_free: delref ptr-libevent@0x55e8fe9f7608 Oct 31 15:25:11.207264: | libevent_free: delref ptr-libevent@0x55e8fea04148 Oct 31 15:25:11.207267: | libevent_free: delref ptr-libevent@0x55e8fea03f98 Oct 31 15:25:11.207269: | libevent_free: delref ptr-libevent@0x55e8fe9c6408 Oct 31 15:25:11.207272: | libevent_free: delref ptr-libevent@0x55e8fe9c5c68 Oct 31 15:25:11.207274: | libevent_free: delref ptr-libevent@0x55e8fe9bcbd8 Oct 31 15:25:11.207276: | releasing global libevent data Oct 31 15:25:11.207279: | libevent_free: delref ptr-libevent@0x55e8fe9c5fa8 Oct 31 15:25:11.207282: | libevent_free: delref ptr-libevent@0x55e8fe9ba0b8 Oct 31 15:25:11.207284: | libevent_free: delref ptr-libevent@0x55e8fe9c6488 Oct 31 
15:25:11.207329: leak detective found no leaks