FIPS Product: NO FIPS Kernel: NO FIPS Mode: NO NSS DB directory: sql:/etc/ipsec.d Initializing NSS Opening NSS database "sql:/etc/ipsec.d" read-only NSS initialized NSS crypto library initialized FIPS HMAC integrity support [enabled] FIPS mode disabled for pluto daemon FIPS HMAC integrity verification self-test FAILED libcap-ng support [enabled] Linux audit support [enabled] Linux audit activated Starting Pluto (Libreswan Version v3.27-412-g59eeed743-dirty-rsa-key-copy XFRM(netkey) FORK PTHREAD_SETSCHEDPRIO NSS (AVA copy) (IPsec profile) DNSSEC SYSTEMD_WATCHDOG FIPS_CHECK SECCOMP LIBCAP_NG LINUX_AUDIT XAUTH_PAM NETWORKMANAGER CURL(non-NSS)) pid:1384 core dump dir: /var/tmp secrets file: /etc/ipsec.secrets leak-detective disabled NSS crypto [enabled] XAUTH PAM support [enabled] | init_nat_traversal() initialized with keep_alive=0s NAT-Traversal support [enabled] Initializing libevent in pthreads mode: headers: 2.1.8-stable (2010800); library: 2.1.8-stable (2010800) | event_schedule: new EVENT_REINIT_SECRET-pe@0x55795ca65560 | inserting event EVENT_REINIT_SECRET, timeout in 3600.000 seconds | event_schedule: new EVENT_PENDING_DDNS-pe@0x55795cb86380 | inserting event EVENT_PENDING_DDNS, timeout in 60.000 seconds | event_schedule: new EVENT_PENDING_PHASE2-pe@0x55795cb87cb0 | inserting event EVENT_PENDING_PHASE2, timeout in 120.000 seconds Encryption algorithms: AES_CCM_16 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm, aes_ccm_c AES_CCM_12 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_b AES_CCM_8 IKEv1: ESP IKEv2: ESP FIPS {256,192,*128} aes_ccm_a 3DES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS [*192] 3des CAMELLIA_CTR IKEv1: ESP IKEv2: ESP {256,192,*128} CAMELLIA_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} camellia AES_GCM_16 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm, aes_gcm_c AES_GCM_12 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_b AES_GCM_8 IKEv1: ESP IKEv2: IKE ESP FIPS {256,192,*128} aes_gcm_a AES_CTR IKEv1: IKE ESP IKEv2: IKE ESP 
FIPS {256,192,*128} aesctr AES_CBC IKEv1: IKE ESP IKEv2: IKE ESP FIPS {256,192,*128} aes SERPENT_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} serpent TWOFISH_CBC IKEv1: IKE ESP IKEv2: IKE ESP {256,192,*128} twofish TWOFISH_SSH IKEv1: IKE IKEv2: IKE ESP {256,192,*128} twofish_cbc_ssh NULL_AUTH_AES_GMAC IKEv1: ESP IKEv2: ESP {256,192,*128} aes_gmac NULL IKEv1: ESP IKEv2: ESP [] CHACHA20_POLY1305 IKEv1: IKEv2: IKE ESP [*256] chacha20poly1305 Hash algorithms: MD5 IKEv1: IKE IKEv2: SHA1 IKEv1: IKE IKEv2: FIPS sha SHA2_256 IKEv1: IKE IKEv2: FIPS sha2, sha256 SHA2_384 IKEv1: IKE IKEv2: FIPS sha384 SHA2_512 IKEv1: IKE IKEv2: FIPS sha512 PRF algorithms: HMAC_MD5 IKEv1: IKE IKEv2: IKE md5 HMAC_SHA1 IKEv1: IKE IKEv2: IKE FIPS sha, sha1 HMAC_SHA2_256 IKEv1: IKE IKEv2: IKE FIPS sha2, sha256, sha2_256 HMAC_SHA2_384 IKEv1: IKE IKEv2: IKE FIPS sha384, sha2_384 HMAC_SHA2_512 IKEv1: IKE IKEv2: IKE FIPS sha512, sha2_512 AES_XCBC IKEv1: IKEv2: IKE FIPS aes128_xcbc Integrity algorithms: HMAC_MD5_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH md5, hmac_md5 HMAC_SHA1_96 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha, sha1, sha1_96, hmac_sha1 HMAC_SHA2_512_256 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha512, sha2_512, hmac_sha2_512 HMAC_SHA2_384_192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha384, sha2_384, hmac_sha2_384 HMAC_SHA2_256_128 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS sha2, sha256, sha2_256, hmac_sha2_256 HMAC_SHA2_256_TRUNCBUG IKEv1: ESP AH IKEv2: AH AES_XCBC_96 IKEv1: ESP AH IKEv2: IKE ESP AH FIPS aes_xcbc, aes128_xcbc, aes128_xcbc_96 AES_CMAC_96 IKEv1: ESP AH IKEv2: ESP AH FIPS aes_cmac NONE IKEv1: ESP IKEv2: ESP FIPS null DH algorithms: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0 MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2 MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5 MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14 MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15 MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16 MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP 
AH FIPS dh17 MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18 DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256 DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384 DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521 DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519 starting up 2 crypto helpers started thread for crypto helper 0 started thread for crypto helper 1 | ignoring microcode for XAUTH_I1 (timeout: EVENT_RETRANSMIT flags: 0) -> MAIN_I4 (timeout: EVENT_SA_REPLACE flags: 0) with event EVENT_RETRANSMIT | MAIN_R0 (timeout: EVENT_NULL flags: 0) | MAIN_I1 (timeout: EVENT_NULL flags: 0) | MAIN_R1 (timeout: EVENT_SO_DISCARD flags: 200) | MAIN_I2 (timeout: EVENT_RETRANSMIT flags: 0) | MAIN_R2 (timeout: EVENT_RETRANSMIT flags: 0) | MAIN_I3 (timeout: EVENT_RETRANSMIT flags: 0) | MAIN_R3 (timeout: EVENT_SA_REPLACE flags: 200) | MAIN_I4 (timeout: EVENT_SA_REPLACE flags: 0) | AGGR_R0 (timeout: EVENT_NULL flags: 0) | AGGR_I1 (timeout: EVENT_NULL flags: 0) | AGGR_R1 (timeout: EVENT_SO_DISCARD flags: 200) | AGGR_I2 (timeout: EVENT_SA_REPLACE flags: 200) | AGGR_R2 (timeout: EVENT_SA_REPLACE flags: 0) | QUICK_R0 (timeout: EVENT_NULL flags: 0) | QUICK_I1 (timeout: EVENT_NULL flags: 0) | QUICK_R1 (timeout: EVENT_RETRANSMIT flags: 0) | QUICK_I2 (timeout: EVENT_SA_REPLACE flags: 200) | QUICK_R2 (timeout: EVENT_SA_REPLACE flags: 0) | INFO (timeout: EVENT_NULL flags: 0) | INFO_PROTECTED (timeout: EVENT_NULL flags: 0) | XAUTH_R0 (timeout: EVENT_NULL flags: 0) | XAUTH_R1 (timeout: EVENT_NULL flags: 0) | MODE_CFG_R0 (timeout: EVENT_NULL flags: 0) | MODE_CFG_R1 (timeout: EVENT_SA_REPLACE flags: 0) | MODE_CFG_R2 (timeout: EVENT_SA_REPLACE flags: 0) | MODE_CFG_I1 (timeout: EVENT_NULL flags: 0) | XAUTH_I0 (timeout: EVENT_NULL flags: 0) | XAUTH_I1 (timeout: EVENT_RETRANSMIT flags: 0) | Processing IKEv2 state V2_REKEY_IKE_I0 (microcode Initiate CREATE_CHILD_SA IKE Rekey) | Processing IKEv2 state V2_REKEY_CHILD_I0 (microcode Initiate CREATE_CHILD_SA IPsec Rekey SA) | Processing IKEv2 state V2_CREATE_I0 
(microcode Initiate CREATE_CHILD_SA IPsec SA) | Processing IKEv2 state PARENT_I0 (microcode initiate IKE_SA_INIT) | Processing IKEv2 state PARENT_I1 (microcode Initiator: process SA_INIT reply notification) | Processing IKEv2 state PARENT_I2 (microcode Initiator: process INVALID_SYNTAX AUTH notification) | Processing IKEv2 state PARENT_R0 (microcode Respond to IKE_SA_INIT) | Processing IKEv2 state PARENT_R1 (microcode Responder: process IKE_AUTH request (no SKEYSEED)) | Processing IKEv2 state V2_REKEY_IKE_R (microcode Respond to CREATE_CHILD_SA IKE Rekey) | Processing IKEv2 state V2_REKEY_IKE_I (microcode Process CREATE_CHILD_SA IKE Rekey Response) | Processing IKEv2 state V2_CREATE_I (microcode Process CREATE_CHILD_SA IPsec SA Response) | Processing IKEv2 state V2_CREATE_R (microcode Respond to CREATE_CHILD_SA IPsec SA Request) | Processing IKEv2 state PARENT_I3 (microcode I3: INFORMATIONAL Request) | Processing IKEv2 state PARENT_R2 (microcode R2: process INFORMATIONAL Request) | Processing IKEv2 state IKESA_DEL (microcode IKE_SA_DEL: process INFORMATIONAL) | ignoring microcode for PARENT_I1 (timeout: EVENT_RETRANSMIT flags: 0) -> PARENT_I1 (timeout: EVENT_RETRANSMIT flags: 0) with event EVENT_RETAIN | ignoring microcode for PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) -> PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) with event EVENT_NULL | ignoring microcode for PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) -> PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) with event EVENT_NULL | ignoring microcode for PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) -> PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) with event EVENT_NULL | ignoring microcode for PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) -> PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) with event EVENT_NULL | ignoring microcode for PARENT_R1 (timeout: EVENT_SO_DISCARD flags: 0) -> PARENT_R1 (timeout: EVENT_SO_DISCARD flags: 0) with event EVENT_SA_REPLACE | ignoring microcode for PARENT_I3 (timeout: 
EVENT_SA_REPLACE flags: 0) -> PARENT_I3 (timeout: EVENT_SA_REPLACE flags: 0) with event EVENT_RETAIN | ignoring microcode for PARENT_I3 (timeout: EVENT_SA_REPLACE flags: 0) -> PARENT_I3 (timeout: EVENT_SA_REPLACE flags: 0) with event EVENT_RETAIN | ignoring microcode for PARENT_R2 (timeout: EVENT_SA_REPLACE flags: 0) -> PARENT_R2 (timeout: EVENT_SA_REPLACE flags: 0) with event EVENT_RETAIN | ignoring microcode for PARENT_R2 (timeout: EVENT_SA_REPLACE flags: 0) -> PARENT_R2 (timeout: EVENT_SA_REPLACE flags: 0) with event EVENT_RETAIN | PARENT_I0 (timeout: EVENT_NULL flags: 0) | PARENT_I1 (timeout: EVENT_RETRANSMIT flags: 0) | PARENT_I2 (timeout: EVENT_RETRANSMIT flags: 0) | PARENT_I3 (timeout: EVENT_SA_REPLACE flags: 0) | PARENT_R1 (timeout: EVENT_SO_DISCARD flags: 0) | PARENT_R2 (timeout: EVENT_SA_REPLACE flags: 0) | V2_CREATE_I0 (timeout: EVENT_NULL flags: 0) | V2_CREATE_I (timeout: EVENT_RETRANSMIT flags: 0) | V2_REKEY_IKE_I0 (timeout: EVENT_NULL flags: 0) | V2_REKEY_IKE_I (timeout: EVENT_RETRANSMIT flags: 0) | V2_REKEY_CHILD_I0 (timeout: EVENT_NULL flags: 0) | V2_REKEY_CHILD_I (timeout: EVENT_RETRANSMIT flags: 0) | V2_CREATE_R (timeout: EVENT_NULL flags: 0) | V2_REKEY_IKE_R (timeout: EVENT_NULL flags: 0) | V2_REKEY_CHILD_R (timeout: EVENT_NULL flags: 0) | V2_IPSEC_I (timeout: EVENT_SA_REPLACE flags: 0) | V2_IPSEC_R (timeout: EVENT_SA_REPLACE flags: 0) | IKESA_DEL (timeout: EVENT_RETAIN flags: 0) | CHILDSA_DEL (timeout: EVENT_NULL flags: 0) | PARENT_R0 (timeout: EVENT_NULL flags: 0) Using Linux XFRM/NETKEY IPsec interface code on 4.16.3-301.fc28.x86_64 | Hard-wiring algorithms | adding AES_CCM_16 to kernel algorithm db | adding AES_CCM_12 to kernel algorithm db | adding AES_CCM_8 to kernel algorithm db | adding 3DES_CBC to kernel algorithm db | adding CAMELLIA_CBC to kernel algorithm db | adding AES_GCM_16 to kernel algorithm db | adding AES_GCM_12 to kernel algorithm db | adding AES_GCM_8 to kernel algorithm db | adding AES_CTR to kernel algorithm db | adding 
AES_CBC to kernel algorithm db | adding SERPENT_CBC to kernel algorithm db | adding TWOFISH_CBC to kernel algorithm db | adding NULL_AUTH_AES_GMAC to kernel algorithm db | adding NULL to kernel algorithm db | adding CHACHA20_POLY1305 to kernel algorithm db | adding HMAC_MD5_96 to kernel algorithm db | adding HMAC_SHA1_96 to kernel algorithm db | adding HMAC_SHA2_512_256 to kernel algorithm db | adding HMAC_SHA2_384_192 to kernel algorithm db | adding HMAC_SHA2_256_128 to kernel algorithm db | adding HMAC_SHA2_256_TRUNCBUG to kernel algorithm db | adding AES_XCBC_96 to kernel algorithm db | adding AES_CMAC_96 to kernel algorithm db | adding NONE to kernel algorithm db | net.ipv6.conf.all.disable_ipv6=1 ignore ipv6 holes | event_schedule: new EVENT_SHUNT_SCAN-pe@0x55795c9a8610 | inserting event EVENT_SHUNT_SCAN, timeout in 20.000 seconds | setup kernel fd callback | starting up helper thread 0 | status value returned by setting the priority of this thread (crypto helper 0) 22 | crypto helper 0 waiting (nothing to do) | starting up helper thread 1 | status value returned by setting the priority of this thread (crypto helper 1) 22 | crypto helper 1 waiting (nothing to do) systemd watchdog not enabled - not sending watchdog keepalives | unbound context created - setting debug level to 5 | /etc/hosts lookups activated | /etc/resolv.conf usage activated | Loading dnssec root key from:/var/lib/unbound/root.key | No additional dnssec trust anchors defined via dnssec-trusted= option | Setting up events, loop start | created addconn helper (pid:1393) using fork+execve | forked child 1393 | pid table: inserting object 0x55795cb86e20 (addconn pid 1393) entry 0x55795cb86e28 into list 0x55795bd262e0 (older 0x55795bd262e0 newer 0x55795bd262e0) | pid table: inserted object 0x55795cb86e20 (addconn pid 1393) entry 0x55795cb86e28 (older 0x55795bd262e0 newer 0x55795bd262e0) | pid table: list entry 0x55795bd262e0 is HEAD (older 0x55795cb86e28 newer 0x55795cb86e28) | accept(whackctlfd, 
(struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:700) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | Inspecting interface eth2 | found eth2 with address 192.9.2.23 adding interface eth2/eth2 192.9.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth2/eth2 192.9.2.23:4500 adding interface eth1/eth1 192.1.2.23:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 192.0.2.254:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo 127.0.0.1:500 | NAT-Traversal: Trying sockopt style NAT-T | NAT-Traversal: ESPINUDP(2) setup succeeded for sockopt style NAT-T family IPv4 adding interface lo/lo 127.0.0.1:4500 | setup callback for interface lo:4500 fd 24 | setup callback for interface lo:500 fd 23 | setup callback for interface eth0:4500 fd 22 | setup callback for interface eth0:500 fd 21 | setup callback for interface eth1:4500 fd 20 | setup callback for interface eth1:500 fd 19 | setup callback for interface eth2:4500 fd 18 | setup callback for interface eth2:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:680) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at 
rcv_whack.c:700) | pluto_sd: executing action action: reloading(4), status 0 listening for IKE messages | Inspecting interface lo | found lo with address 127.0.0.1 | Inspecting interface eth0 | found eth0 with address 192.0.2.254 | Inspecting interface eth1 | found eth1 with address 192.1.2.23 | Inspecting interface eth2 | found eth2 with address 192.9.2.23 | free_event_entry: release EVENT_NULL-pe@0x55795c6624d0 | setup callback for interface lo:4500 fd 24 | free_event_entry: release EVENT_NULL-pe@0x55795c662c70 | setup callback for interface lo:500 fd 23 | free_event_entry: release EVENT_NULL-pe@0x55795c68d460 | setup callback for interface eth0:4500 fd 22 | free_event_entry: release EVENT_NULL-pe@0x55795c68d190 | setup callback for interface eth0:500 fd 21 | free_event_entry: release EVENT_NULL-pe@0x55795c6615a0 | setup callback for interface eth1:4500 fd 20 | free_event_entry: release EVENT_NULL-pe@0x55795c661070 | setup callback for interface eth1:500 fd 19 | free_event_entry: release EVENT_NULL-pe@0x55795c6609e0 | setup callback for interface eth2:4500 fd 18 | free_event_entry: release EVENT_NULL-pe@0x55795c65f3d0 | setup callback for interface eth2:500 fd 17 | certs and keys locked by 'free_preshared_secrets' | certs and keys unlocked by 'free_preshared_secrets' loading secrets from "/etc/ipsec.secrets" | pluto_sd: executing action action: ready(5), status 0 | close_any(fd@16) (in whack_process() at rcv_whack.c:680) | waitpid returned pid 1393 (exited with status 0) | serialno table: hash serialno #0 to head 0x55795bd21c20 | reaped addconn helper child (status 0) | pid table: removing object 0x55795cb86e20 (addconn pid 1393) entry 0x55795cb86e28 (older 0x55795bd262e0 newer 0x55795bd262e0) | pid table: empty | waitpid returned ECHILD (no child processes left) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:700) | preload cert/secret for connection: east | adding RSA secret for certificate: east | 
extracting the RSA private key for east | copying key using reference slot | certs and keys locked by 'lsw_add_rsa_secret' | certs and keys unlocked by 'lsw_add_rsa_secret' | Added new connection ikev2-westnet-eastnet-x509-cr with policy RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | counting wild cards for %fromcert is 0 | setting ID to ID_DER_ASN1_DN: 'E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' | loaded right certificate 'east' | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c68bd90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c8d8e30 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65ba90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65af50 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65e6c0 | unreference key: 0x55795cb7ecd0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | counting wild cards for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org is 0 | connect_to_host_pair: 192.1.2.23:500 192.1.2.45:500 -> hp:none added connection description "ikev2-westnet-eastnet-x509-cr" | 192.0.2.0/24===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.0/24 | ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; replay_window: 32; policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO | close_any(fd@16) (in whack_process() at rcv_whack.c:680) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500) 
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 to 1411686059802530981 slot 0x55795bd218c0 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: 
none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | 
found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #1 at 0x55795cba6b40 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #1 | serialno list: inserting object 0x55795cba6b40 (state #1) entry 0x55795cba7310 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cba6b40 (state #1) entry 0x55795cba7310 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cba7310 newer 0x55795cba7310) | serialno table: inserting object 0x55795cba6b40 (state #1) entry 0x55795cba7330 into list 0x55795bd21c40 (older 0x55795bd21c40 newer 0x55795bd21c40) | serialno table: inserted object 0x55795cba6b40 (state #1) entry 0x55795cba7330 (older 0x55795bd21c40 newer 0x55795bd21c40) | serialno table: list entry 0x55795bd21c40 is HEAD (older 0x55795cba7330 newer 0x55795cba7330) | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #1: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | selecting default constructed local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals) | constructed local IKE proposals for ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 (default) | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform 
Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) 
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 
transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #1: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 16 7b 67 e6 7e e8 c8 c3 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 82 80 f2 47 90 6a 88 e4 d9 9a 48 61 0c d5 f6 a0 | natd_hash: hash= a9 50 93 2a | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 16 7b 67 e6 7e e8 c8 c3 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 35 f6 d8 64 3d e1 bb 9c 2f 15 22 69 3a fe 9a 4c | natd_hash: hash= e4 10 4b 98 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 1 for state #1 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795c631460 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #1 | backlog: inserting object 0x55795cba7510 (work-order 1 state #1) entry 0x55795cba7518 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 
0x55795cba7510 (work-order 1 state #1) entry 0x55795cba7518 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cba7518 newer 0x55795cba7518) | crypto helper 0 resuming | backlog: removing object 0x55795cba7510 (work-order 1 state #1) entry 0x55795cba7518 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 1 for state #1 | crypto helper 0 doing build KE and nonce; request ID 1 | crypto helper 0 finished build KE and nonce; request ID 1 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 1 for state #1 to event queue | scheduling now-event sending helper answer for #1 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #1 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #1 and saving MD | #1 is busy; has a suspended MD | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #1 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 1 | serialno table: hash serialno #1 to head 0x55795bd21c40 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 1 | calling continuation function 0x55795ba2a400 | 
ikev2_parent_inI1outR1_continue for #1: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 69 41 87 d1 c3 cc 06 25 2f a3 86 52 20 75 9f 38 | IKEv2 nonce f3 88 2f b8 51 95 87 61 c2 f5 7c 8d 20 46 3a 03 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 16 7b 67 e6 7e e8 c8 c3 | natd_hash: rcookie= d0 3a 97 d7 3a 79 d7 8c | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= ad e7 ca 77 d6 62 e4 86 1f 01 0b 3e ac 01 bb 41 | natd_hash: hash= b0 cd 86 51 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data ad e7 ca 77 d6 62 e4 86 1f 01 0b 3e ac 01 bb 41 | Notify data b0 cd 86 51 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 16 7b 67 e6 7e e8 c8 c3 | natd_hash: rcookie= d0 3a 97 d7 3a 79 d7 8c | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= e7 c5 41 a6 6a 24 f1 62 46 b7 88 48 18 fc cd 89 | natd_hash: hash= a8 0e 23 9e | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data e7 c5 41 a6 6a 24 f1 62 46 b7 88 48 18 fc cd 89 | Notify data a8 0e 23 9e | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #1 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #1: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #1 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #1 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #1)
| state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795c631460 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cba4950 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #1 | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R1 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at
ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R1 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1
in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R1 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) |
***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R1 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) |
processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 216 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 216 (0xd8) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c
to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R1 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #1 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 188 (0xbc) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=180) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 2 for state #1 | state #1 requesting EVENT_SO_DISCARD to be deleted | free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cba4950 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #1 | backlog: inserting object 0x55795cba7510 (work-order 2 state #1) entry 0x55795cba7518 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cba7510 (work-order 2 state #1) entry 0x55795cba7518 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cba7518 newer 0x55795cba7518) | crypto helper 1 resuming | 
backlog: removing object 0x55795cba7510 (work-order 2 state #1) entry 0x55795cba7518 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 2 for state #1 | crypto helper 1 doing compute dh (V2); request ID 2 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 1 finished compute dh (V2); request ID 2 time elapsed 0.005 seconds | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #1 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #1 and saving MD | #1 is busy; has a suspended MD | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #1 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 sending results from work-order 2 for state #1 to event queue | scheduling now-event sending helper answer for #1 | executing now-event sending helper answer for 1 | serialno table: hash serialno #1 to head 0x55795bd21c40 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 2 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #1: calculating g^{xy}, sending R2 | #1 in state 
PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #1 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #1: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65f3f0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c630d10 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c632130 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65af50 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c64f740 | unreference key: 0x55795cbbb640 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org,
E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN '%fromcert' does not need further ID verification | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | No IDr payload received from peer | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, 
peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #1: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #1: Authenticated using RSA | parent state #1: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #1 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #1 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cba4950 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #1 | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE 
(0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? | IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload
| emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate:
E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload
| emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key
PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
| emitting length of IKEv2 Authentication Payload: 392 | creating state object #2 at 0x55795cbacdc0 | duplicating state object #1 "ikev2-westnet-eastnet-x509-cr" as #2 for IPSEC SA | inserting state object #2 | serialno list: inserting object 0x55795cbacdc0 (state #2) entry 0x55795cbad590 into list
0x55795bd2c860 (older 0x55795cba7310 newer 0x55795cba7310) | serialno list: inserted object 0x55795cbacdc0 (state #2) entry 0x55795cbad590 (older 0x55795cba7310 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cba7310) | serialno table: inserting object 0x55795cbacdc0 (state #2) entry 0x55795cbad5b0 into list 0x55795bd21c60 (older 0x55795bd21c60 newer 0x55795bd21c60) | serialno table: inserted object 0x55795cbacdc0 (state #2) entry 0x55795cbad5b0 (older 0x55795bd21c60 newer 0x55795bd21c60) | serialno table: list entry 0x55795bd21c60 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | serialno table: hash serialno #1 to head 0x55795bd21c40 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | 
TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host 
pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #1 to head 0x55795bd21c40 | selecting default local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals) | constructed local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED (default) | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 
type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 0 transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 4f 33 55 64 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 
(ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches local proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 4f 33 55 64 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 4f 33 55 64 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR 
(0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 4f 33 55 64 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST 
(0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 4f 33 55 64 | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #1: proposal 1:ESP:SPI=4f335564;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 
2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 1:ESP:SPI=4f335564;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0x884d4de4 for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 88 4d 4d e4 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last 
substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic 
Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #2: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" unrouted: NULL; eroute owner: NULL | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.4f335564@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.884d4de4@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add 
inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #2: unrouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: #2 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.4f335564@192.1.2.45 | get_sa_info esp.884d4de4@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' 
PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332907' PLUTO_C | popen cmd is 1486 chars long | cmd( 0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332907' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):4f335564 SPI_OUT=0x884d4de4 ipsec _updown 2>&1: | route_and_eroute: 
firewall_notified: true | running updown command "ipsec _updown" for verb prepare | command executing prepare-client | get_sa_info esp.4f335564@192.1.2.45 | get_sa_info esp.884d4de4@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing prepare-client: PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='154533290 | popen cmd is 1491 chars long | cmd( 0):PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-: | cmd( 80):eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='19: | cmd( 160):2.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 240):ent, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_: | cmd( 320):CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.: | cmd( 400):255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_: | cmd( 480):SA_TYPE='ESP' 
PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto: | cmd( 560):, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@te: | cmd( 640):sting.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192: | cmd( 720):.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PR: | cmd( 800):OTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depa: | cmd( 880):rtment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='n: | cmd( 960):etkey' PLUTO_ADDTIME='1545332907' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+I: | cmd(1040):KEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLU: | cmd(1120):TO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_I: | cmd(1200):S_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BAN: | cmd(1280):NER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_I: | cmd(1360):NBYTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_: | cmd(1440):IN=0x4f335564 SPI_OUT=0x884d4de4 ipsec _updown 2>&1: | running updown command "ipsec _updown" for verb route | command executing route-client | get_sa_info esp.4f335564@192.1.2.45 | get_sa_info esp.884d4de4@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing route-client: PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332907' P | popen cmd is 1489 chars long | cmd( 0):PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-ea: | cmd( 80):stnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.: | cmd( 160):1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 240):t, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CL: | cmd( 320):IENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.25: | cmd( 400):5.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA: | cmd( 480):_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, : | cmd( 560):O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@test: | cmd( 640):ing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0: | cmd( 720):.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROT: | cmd( 800):OCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Depart: | cmd( 880):ment, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='net: | cmd( 960):key' PLUTO_ADDTIME='1545332907' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKE: | cmd(1040):V2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO: | cmd(1120):_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_: | cmd(1200):PEER_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNE: | cmd(1280):R='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INB: | cmd(1360):YTES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN: | cmd(1440):=0x4f335564 SPI_OUT=0x884d4de4 ipsec _updown 2>&1: | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #2 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) cloned from #1 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | 
next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | 
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | 
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | 
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 
2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | cleartext fragment 05 b9 e1 f0 3b 03 ef 58 5b 0a c7 13 fa 6f 60 e6 | cleartext fragment 09 15 46 a9 61 b3 29 13 63 2a 06 46 04 93 b6 c0 | cleartext fragment 8e be 03 4f 7c 03 43 aa 6a 58 18 fd f6 73 21 37 | cleartext fragment 29 3a c5 66 4a be 98 10 d1 33 70 23 0c 60 7a c6 | cleartext fragment 9a bb 3e 50 33 79 33 7d e6 82 40 29 9e 12 c1 2d | cleartext fragment 09 a7 02 58 6d 2b 73 c4 e5 43 2f 3e 0a 0f ce 53 | cleartext fragment f7 83 a4 e2 89 53 32 14 e6 0f 85 27 86 bb f0 b6 | cleartext fragment 7e 65 6d 58 ac a1 b5 1d 11 25 26 49 c8 3d 18 18 | cleartext fragment ed be 27 22 03 7a 06 6b c4 87 5e 4f 6a c5 d5 b1 | cleartext fragment a2 d6 b8 42 26 92 bd d6 55 ab 60 2e 27 f2 fa 7c | cleartext fragment 13 e6 8c d6 cb 4e d4 d1 92 17 dd 11 5d 7f 08 9b | cleartext fragment e5 71 f4 eb 12 10 4b cd 2f f3 20 40 cf 7a 39 b5 | cleartext fragment 86 62 57 d1 c9 59 ba 95 60 1d a1 3a 97 8a 1e 8e | cleartext fragment 1d c9 38 41 2d 0c 2b 8d d9 74 d6 cb 9a 6b b2 15 | cleartext fragment 6b 30 85 27 d6 1c 1b ed c2 ea 31 a1 1d 2a d1 c6 | cleartext fragment 84 b7 b2 ac 9b 96 4d 17 88 de 01 3f da 17 c4 32 | cleartext fragment 
6a 5f 47 41 17 54 cb 0b f0 7b 70 e3 7a 08 94 df | cleartext fragment 4d 59 3a e4 5c f9 28 8b 55 8a 56 83 f9 23 80 3d | cleartext fragment 65 b1 ad eb ab ce 65 c2 6d cd f4 08 41 b9 8c 80 | cleartext fragment e6 85 a5 5d ea 21 6a dc 00 a2 f9 1f 6d 84 c8 f1 | cleartext fragment 39 52 c9 01 4f ff 84 86 c0 82 04 90 65 8d 65 5a | cleartext fragment 68 d0 1a 4d 90 ee ee 58 56 95 51 f9 45 65 68 4b | cleartext fragment 72 0e dd 35 e3 5c c3 4a 9c b7 02 b3 8e c8 33 d0 | cleartext fragment d3 a5 99 95 ee eb 17 72 96 59 97 c0 a3 2c 00 00 | cleartext fragment 24 00 00 00 20 01 03 04 02 88 4d 4d e4 03 00 00 | cleartext fragment 0c 01 00 00 14 80 0e 01 00 00 00 00 08 05 00 00 | cleartext fragment 00 2d 00 00 18 01 00 00 00 07 00 00 10 00 00 ff | cleartext fragment ff c0 00 01 00 c0 00 01 ff 00 00 00 18 01 00 00 | cleartext fragment 00 07 00 00 10 00 00 ff ff c0 00 02 00 c0 00 02 | cleartext fragment ff | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #2 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #2 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #1 to head 0x55795bd21c40 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #2: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #2 after switching state | serialno table: hash serialno #1 to head 
0x55795bd21c40 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #1 PARENT_R2; CHILD #2 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #2: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #2: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x4f335564 <0x884d4de4 xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #1) 
| sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #1) 
| sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #1) 
| sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #1) | sent 4 fragments | releasing whack for #2 (sock=fd@-1) | serialno table: hash serialno #1 to head 0x55795bd21c40 | releasing whack and unpending for parent #1 | unpending state #1 connection "ikev2-westnet-eastnet-x509-cr" | #2 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | 
event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbbcb30 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #2 | processing: stop state #2 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | kernel_process_msg_cb process netlink message | netlink_get: XFRM_MSG_EXPIRE message | waitpid returned ECHILD (no child processes left) | waitpid returned ECHILD (no child processes left) | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | 16 7b 67 e6 7e e8 c8 c3 d0 3a 97 d7 3a 79 d7 8c | 2e 20 25 08 00 00 00 02 00 00 00 45 2a 00 00 29 | c5 72 20 f0 86 2b 57 fb 01 5f 5b df f6 1c 40 b0 | 77 1e d0 54 0f f9 69 fd 46 4d 65 51 42 55 47 8c | 21 3a 9b 66 c9 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R2 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #1 in state PARENT_R2: received 
v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: ISAKMP_NEXT_v2D (len=4) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 4f 33 55 64 | delete PROTO_v2_ESP SA(0x4f335564) | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 
8c to 6844075529012030771 slot 0x55795bd1c120 | v2 CHILD SA #2 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x4f335564) "ikev2-westnet-eastnet-x509-cr" #1: received Delete SA payload: delete IPSEC State #2 now | processing: suspend state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #2 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #1 to head 0x55795bd21c40 "ikev2-westnet-eastnet-x509-cr" #2: deleting other state #2 (STATE_V2_IPSEC_R) aged 3.456s and NOT sending notification | child state #2: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.4f335564@192.1.2.45 | get_sa_info esp.884d4de4@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #2: ESP traffic information: in=336B out=336B | child state #2: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #2 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbbcb30 | serialno list: removing object 0x55795cbacdc0 (state #2) entry 0x55795cbad590 (older 0x55795cba7310 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cba6b40 (state #1) entry 0x55795cba7310 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cba7310 newer 0x55795cba7310) | serialno table: removing object 0x55795cbacdc0 (state #2) entry 0x55795cbad5b0 (older 0x55795bd21c60 newer 0x55795bd21c60) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.4f335564@192.1.2.45 | get_sa_info esp.884d4de4@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332907' PLU | popen cmd is 1492 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, 
L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332907' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | cmd(1360):TES='336' PLUTO_OUTBYTES='336' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI: | cmd(1440):_IN=0x4f335564 SPI_OUT=0x884d4de4 ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.4f335564@192.1.2.45 | netlink response for Del SA esp.4f335564@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.884d4de4@192.1.2.23 | netlink response for Del SA esp.884d4de4@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #2: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #2 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #1 to head 0x55795bd21c40 | processing: resume state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs 88 4d 4d e4 | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #1) | 16 7b 67 e6 7e e8 c8 c3 d0 3a 97 d7 3a 79 d7 8c | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | 4b b0 c1 52 49 d1 70 43 a2 9e 5c af d6 70 1e 21 | 2f 88 57 01 0c 32 42 72 84 fc d7 11 d2 c3 af 32 | 90 ce 45 40 e1 | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #1 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #1 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #1 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #1 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #1: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in 
process_md() at demux.c:393) | processing: stop state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | 16 7b 67 e6 7e e8 c8 c3 d0 3a 97 d7 3a 79 d7 8c | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | 82 49 41 dc 26 95 58 87 60 e0 05 97 86 99 20 8a | 26 52 a8 e9 bf ee ec fa 39 16 cb 8c a7 c4 29 85 | 96 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | v2 IKE SA #1 found, in state STATE_PARENT_R2 | found state #1 | processing: start state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #1 is idle | #1 idle | #1 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #1 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption 
Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #1 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 16 7b 67 e6 7e e8 c8 c3 | responder cookie: | d0 3a 97 d7 3a 79 d7 8c | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for 
process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #1) | 16 7b 67 e6 7e e8 c8 c3 d0 3a 97 d7 3a 79 d7 8c | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | 1c 08 35 c8 76 6e 9a 56 27 b3 77 74 9a d9 01 59 | fb b8 f6 e7 45 c8 c5 c5 6c | IKE SPIi:SPIr table: hash IKE SPIi 16 7b 67 e6 7e e8 c8 c3 SPIr d0 3a 97 d7 3a 79 d7 8c to 6844075529012030771 slot 0x55795bd1c120 | parent state #1: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #1 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #1 to head 0x55795bd21c40 "ikev2-westnet-eastnet-x509-cr" #1: deleting state (STATE_IKESA_DEL) aged 3.643s and NOT sending notification | parent state #1: IKESA_DEL(established IKE SA) => delete | state #1 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cba4950 | serialno list: removing object 0x55795cba6b40 (state #1) entry 0x55795cba7310 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cba6b40 (state #1) entry 0x55795cba7330 (older 0x55795bd21c40 newer 0x55795bd21c40) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #1: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbb8e80 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #1 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #1 to head 0x55795bd21c40 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 
state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500) 
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d to 10625565819904824235 slot 0x55795bd20500 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload 
(ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | 
find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #3 at 0x55795cbacdc0 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #3 | serialno list: inserting object 0x55795cbacdc0 (state #3) entry 0x55795cbad590 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cbacdc0 (state #3) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbacdc0 (state #3) entry 0x55795cbad5b0 into list 0x55795bd21c80 (older 0x55795bd21c80 newer 0x55795bd21c80) | serialno table: inserted object 0x55795cbacdc0 (state #3) entry 0x55795cbad5b0 (older 0x55795bd21c80 newer 
0x55795bd21c80) | serialno table: list entry 0x55795bd21c80 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #3: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | using existing local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local 
proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: 
TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing 
remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: 
TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 
(0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | 
IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #3: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= a9 49 3e f3 e3 3b 5b 3d | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= a9 4f 34 6d e5 7c a5 d6 4b 17 3b 8d d1 2d 10 c3 | natd_hash: hash= 0f bf 62 d5 | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= a9 49 3e f3 e3 3b 5b 3d | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= d0 6e 72 be 8e 13 ed 23 de 
c0 31 e1 2e 99 02 ac | natd_hash: hash= 36 03 01 56 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 3 for state #3 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #3 | backlog: inserting object 0x55795cbb2bc0 (work-order 3 state #3) entry 0x55795cbb2bc8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbb2bc0 (work-order 3 state #3) entry 0x55795cbb2bc8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb2bc8 newer 0x55795cbb2bc8) | crypto helper 0 resuming | backlog: removing object 0x55795cbb2bc0 (work-order 3 state #3) entry 0x55795cbb2bc8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 3 for state #3 | crypto helper 0 doing build KE and nonce; request ID 3 | crypto helper 0 finished build KE and nonce; request ID 3 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 3 for state #3 to event queue | scheduling now-event sending helper answer for #3 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #3 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #3 and saving MD | #3 is busy; has a suspended MD | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #3 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) 
| processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 3 | serialno table: hash serialno #3 to head 0x55795bd21c80 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 3 | calling continuation function 0x55795ba2a400 | ikev2_parent_inI1outR1_continue for #3: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... 
| ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure 
Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload | emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce fd 78 e8 39 fb f7 99 5e 54 53 39 c1 62 09 b0 79 | IKEv2 nonce a8 a9 4e c9 be 55 f2 c7 3a e8 42 6d e5 cc 23 26 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= a9 49 3e f3 e3 3b 5b 3d | natd_hash: rcookie= ef 8e b3 18 d0 5e 6e ef | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 38 9b 79 49 f7 26 3c c1 1d 80 ff b4 cb 66 4c 50 | natd_hash: hash= e0 15 c8 f1 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 38 9b 79 49 f7 26 3c c1 1d 80 ff b4 cb 66 4c 50 | Notify data e0 15 c8 f1 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= a9 49 3e f3 e3 3b 5b 3d | natd_hash: rcookie= ef 8e b3 18 d0 5e 6e ef | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= f6 0b 43 6e ba 3c 6d 82 55 cd 84 42 22 8b f2 d6 | natd_hash: hash= 2f af c6 93 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data f6 0b 43 6e ba 3c 6d 82 55 cd 84 42 22 8b f2 d6 | Notify data 2f af c6 93 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #3 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #3: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #3 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #3 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #3: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #3) | a9 49 3e f3 e3 3b 5b 3d ef 8e b3 18 d0 5e 6e ef | 21 20 22 20 00 00 00 00 00 00 01 b5 22 00 00 28 | 00 00 00 24 01 01 00 03 03 00 00 0c 01 00 00 14 | 80 0e 01 00 03 00 00 08 02 00 00 07 00 00 00 08 | 04 00 00 0e 28 00 01 08 00 0e 00 00 f8 b1 79 66 | 8d 54 a9 37 9f b4 a8 b1 0e ff 9e c0 a7 04 65 50 | 2c b5 c1 36 09 53 26 75 0d 65 4b 86 4a f8 fd 14 | 4b bc 1a 01 81 ef c2 02 75 31 84 20 f2 32 36 68 | 64 a5 5d 11 f2 50 f1 7f 9e 2b a4 d3 91 72 12 42 | e4 8b b5 82 fa 97 78 08 b5 3b ec 12 db de b2 24 | 67 27 8c 8d 12 80 8b 50 38 b4 ae d0 e0 15 b1 f1 | 79 1d 90 6f c5 7e 0e ac 
| state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cba4950 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #3 | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R1 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet()
at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #3 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R1 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 |
#3 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R1 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #3 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R1 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #3 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) |
processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 407 bytes from 192.1.2.45:500 on eth1 (port=500) | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse
ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 407 (0x197) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R1 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #3 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 379 (0x17b) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=371) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 4 for state #3 | state #3 requesting EVENT_SO_DISCARD to be deleted | 
free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cba4950 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #3 | backlog: inserting object 0x55795cbb2bc0 (work-order 4 state #3) entry 0x55795cbb2bc8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbb2bc0 (work-order 4 state #3) entry 0x55795cbb2bc8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb2bc8 newer 0x55795cbb2bc8) | crypto helper 1 resuming | backlog: removing object 0x55795cbb2bc0 (work-order 4 state #3) entry 0x55795cbb2bc8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 4 for state #3 | crypto helper 1 doing compute dh (V2); request ID 4 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 1 finished compute dh (V2); request ID 4 time elapsed 0.005 seconds | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #3 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #3 and saving MD | #3 is busy; has a suspended MD | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #3 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection 
"ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 sending results from work-order 4 for state #3 to event queue | scheduling now-event sending helper answer for #3 | executing now-event sending helper answer for 3 | serialno table: hash serialno #3 to head 0x55795bd21c80 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 4 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #3: calculating g^{xy}, sending R2 | #3 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #3 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security 
Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request | received IDr payload - extracting our alleged ID
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #3: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | unreference key: 0x55795cbb8e80 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65f3f0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c683c90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c655510 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c64de90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c68db90 | unreference key: 0x55795cbaf9d0 192.1.2.45 cnt 1-- | unreference key: 0x55795cbbacd0 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbf720 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55795cbb79e0 user-west@testing.libreswan.org cnt 1-- | unreference key:
0x55795cbba710 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "ikev2-westnet-eastnet-x509-cr" #3: No matching subjectAltName found | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #3: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #3: Authenticated using RSA | parent state #3: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #3 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #3 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbbea80 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #3 | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? 
| IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload | emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type:
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload | emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | emitting length of IKEv2 Authentication Payload: 392 | creating state object #4 at 0x55795cbb0300 | duplicating state object #3 "ikev2-westnet-eastnet-x509-cr" as #4 for IPSEC SA | inserting state object #4 | serialno list: inserting object 0x55795cbb0300 (state #4) entry 0x55795cbb0ad0 into list 0x55795bd2c860 (older 0x55795cbad590 newer 0x55795cbad590) | serialno list: inserted object 0x55795cbb0300 (state #4) entry 0x55795cbb0ad0 (older 0x55795cbad590 newer 0x55795bd2c860) |
serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbb0ad0 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbb0300 (state #4) entry 0x55795cbb0af0 into list 0x55795bd21ca0 (older 0x55795bd21ca0 newer 0x55795bd21ca0) | serialno table: inserted object 0x55795cbb0300 (state #4) entry 0x55795cbb0af0 (older 0x55795bd21ca0 newer 0x55795bd21ca0) | serialno table: list entry 0x55795bd21ca0 is HEAD (older 0x55795cbb0af0 newer 0x55795cbb0af0) | serialno table: hash serialno #3 to head 0x55795bd21c80 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents 
struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #3 to head 0x55795bd21c80 | using existing local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 0 
transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 04 80 b2 76 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches local 
proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 04 80 b2 76 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 04 80 b2 76 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) 
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 04 80 b2 76 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote 
proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 04 80 b2 76 | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #3: proposal 1:ESP:SPI=0480b276;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 
1:ESP:SPI=0480b276;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0x8c727a80 for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 8c 72 7a 80 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure 
Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes 
of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #4: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.480b276@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.8c727a80@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #4: prospective erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 
0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:ikev2-westnet-eastnet-x509-cr esr:{(nil)} ro:ikev2-westnet-eastnet-x509-cr rosr:{(nil)} and state: #4 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.480b276@192.1.2.45 | get_sa_info esp.8c727a80@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332911' PLUTO_C | popen cmd is 1485 chars long | cmd( 
0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332911' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):480b276 SPI_OUT=0x8c727a80 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #4 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance 
ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #4 (was #0) (spd.eroute=#4) cloned from #3 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE
(0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #4 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #4 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #3 to head 0x55795bd21c80 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #4: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #4 after switching state | serialno table: hash serialno #3 to head 0x55795bd21c80 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #3 PARENT_R2; CHILD #4 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #4: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #4: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x0480b276 <0x8c727a80 xfrm=AES_GCM_16_256-NONE
NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #3) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #3) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #3) | sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #3) | sent 4 fragments | releasing whack for #4 (sock=fd@-1) | serialno table: hash serialno #3 to head 0x55795bd21c80 | releasing whack and unpending for parent #3 | unpending state #3 connection "ikev2-westnet-eastnet-x509-cr" | #4 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbb5e60 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #4 | processing: stop state #4 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | a9 49 3e f3 e3 3b 5b 3d ef 8e b3 18 d0 5e 6e ef | 2e 20 25 08 00 00 00 02 00 00 00 45
2a 00 00 29 | 16 f0 66 2e d6 b0 4b 7f 92 13 86 f2 f9 56 d7 5b | 3c 32 6c 80 8f bb 9b 6f 05 9e f8 49 9d b4 bc 26 | 54 ca fc 88 be | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R2 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #3 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #3 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: ISAKMP_NEXT_v2D (len=4) | selected state microcode R2: process 
INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 04 80 b2 76 | delete PROTO_v2_ESP SA(0x0480b276) | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 CHILD SA #4 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x0480b276) "ikev2-westnet-eastnet-x509-cr" #3: received Delete SA payload: delete IPSEC State #4 now | processing: suspend state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #4 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #3 to head 0x55795bd21c80 "ikev2-westnet-eastnet-x509-cr" #4: deleting other state #4 (STATE_V2_IPSEC_R) aged 0.193s and NOT sending 
notification | child state #4: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.480b276@192.1.2.45 | get_sa_info esp.8c727a80@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #4: ESP traffic information: in=0B out=0B | child state #4: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #4 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbb5e60 | serialno list: removing object 0x55795cbb0300 (state #4) entry 0x55795cbb0ad0 (older 0x55795cbad590 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cbacdc0 (state #3) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: removing object 0x55795cbb0300 (state #4) entry 0x55795cbb0af0 (older 0x55795bd21ca0 newer 0x55795bd21ca0) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.480b276@192.1.2.45 | get_sa_info esp.8c727a80@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332911' PLU | popen cmd is 1487 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332911' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | cmd(1360):TES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | 
cmd(1440):0x480b276 SPI_OUT=0x8c727a80 ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.480b276@192.1.2.45 | netlink response for Del SA esp.480b276@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.8c727a80@192.1.2.23 | netlink response for Del SA esp.8c727a80@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #4: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #4 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #3 to head 0x55795bd21c80 | processing: resume state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs 8c 72 7a 80 | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY 
into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #3) | a9 49 3e f3 e3 3b 5b 3d ef 8e b3 18 d0 5e 6e ef | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | 34 7f 55 a9 9c 9b 1b ca 2f a4 09 fb 11 8b e1 e2 | a5 d9 e4 3f 2a 0d 07 b2 89 fd 67 b4 c2 97 bd a6 | d7 90 02 43 a0 | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #3 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #3 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #3 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #3 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #3: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | a9 49 3e f3 e3 3b 5b 3d ef 8e b3 18 d0 5e 6e ef | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | 0c 34 2c 1d 9d 05 73 8b 2d 38 e1 29 25 d3 9c e8 | cb 13 2a 4e 5c 8a 48 08 0b 41 5a a9 48 2d 04 52 | e2 | processing: start from 192.1.2.45:500 (in process_md() 
at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | v2 IKE SA #3 found, in state STATE_PARENT_R2 | found state #3 | processing: start state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #3 is idle | #3 idle | #3 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #3 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #3 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an 
INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | a9 49 3e f3 e3 3b 5b 3d | responder cookie: | ef 8e b3 18 d0 5e 6e ef | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #3) | a9 49 3e f3 e3 3b 5b 3d ef 8e b3 18 d0 5e 6e ef | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | 35 74 ad 98 4d a0 2c df 05 8e 4e dd de ab 06 11 | b7 d9 0c a1 27 43 49 03 77 | IKE SPIi:SPIr table: hash IKE SPIi a9 49 3e f3 e3 3b 5b 3d SPIr ef 8e b3 18 d0 5e 6e ef to 18284317380767039878 slot 0x55795bd1d3e0 | parent state #3: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #3 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #3 to head 0x55795bd21c80 "ikev2-westnet-eastnet-x509-cr" #3: deleting state 
(STATE_IKESA_DEL) aged 0.373s and NOT sending notification | parent state #3: IKESA_DEL(established IKE SA) => delete | state #3 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbbea80 | serialno list: removing object 0x55795cbacdc0 (state #3) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cbacdc0 (state #3) entry 0x55795cbad5b0 (older 0x55795bd21c80 newer 0x55795bd21c80) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #3: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbb8c30 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #3 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #3 to head 0x55795bd21c80 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb to 3510139394267417705 slot 0x55795bd1e340 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload
(ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW | 
find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #5 at 0x55795cbacdc0 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #5 | serialno list: inserting object 0x55795cbacdc0 (state #5) entry 0x55795cbad590 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cbacdc0 (state #5) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbacdc0 (state #5) entry 0x55795cbad5b0 into list 0x55795bd21cc0 (older 0x55795bd21cc0 newer 0x55795bd21cc0) | serialno table: inserted object 0x55795cbacdc0 (state #5) entry 0x55795cbad5b0 (older 0x55795bd21cc0 newer 0x55795bd21cc0) | serialno table: list entry 0x55795bd21cc0 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #5: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | using existing local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform 
Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) 
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 
transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #5: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 37 e8 3e bc 14 49 7a cb | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= b3 4a d2 07 cc ee 01 ea ed 7f c7 5e 1c 39 0c d3 | natd_hash: hash= 7e c2 a9 8c | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 37 e8 3e bc 14 49 7a cb | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 9d 03 50 ef 51 04 ac 8f c5 de 26 ee c3 5e da 47 | natd_hash: hash= 59 b8 85 cd | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 5 for state #5 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cbaf630 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #5 | backlog: inserting object 0x55795cbb0300 (work-order 5 state #5) entry 0x55795cbb0308 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 
0x55795cbb0300 (work-order 5 state #5) entry 0x55795cbb0308 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb0308 newer 0x55795cbb0308) | crypto helper 0 resuming | backlog: removing object 0x55795cbb0300 (work-order 5 state #5) entry 0x55795cbb0308 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 5 for state #5 | crypto helper 0 doing build KE and nonce; request ID 5 | crypto helper 0 finished build KE and nonce; request ID 5 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 5 for state #5 to event queue | scheduling now-event sending helper answer for #5 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #5 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #5 and saving MD | #5 is busy; has a suspended MD | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #5 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 5 | serialno table: hash serialno #5 to head 0x55795bd21cc0 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 5 | calling continuation function 0x55795ba2a400 | 
ikev2_parent_inI1outR1_continue for #5: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 62 da d7 2d f6 f8 bc 51 79 5f 2a 63 5d 1e 83 a0 | IKEv2 nonce 6f 2a b8 0b c7 fa a3 37 dd 40 ec 1e 95 31 be af | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 37 e8 3e bc 14 49 7a cb | natd_hash: rcookie= fa 68 a9 68 0f e6 ad 3e | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= be 64 73 4d 1f a6 f5 1d 97 8f 06 72 03 1c d5 f9 | natd_hash: hash= 1e 63 c2 ea | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data be 64 73 4d 1f a6 f5 1d 97 8f 06 72 03 1c d5 f9 | Notify data 1e 63 c2 ea | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 37 e8 3e bc 14 49 7a cb | natd_hash: rcookie= fa 68 a9 68 0f e6 ad 3e | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 81 93 4f 0a ba 58 e0 2a 0e 61 23 98 08 7e d0 40 | natd_hash: hash= 3f d8 59 dd | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 81 93 4f 0a ba 58 e0 2a 0e 61 23 98 08 7e d0 40 | Notify data 3f d8 59 dd | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #5 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #5: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #5 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #5 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #5: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #5)
| state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cbaf630 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cbaf630 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #5 | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R1 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at
ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #5 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R1 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #5
in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R1 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #5 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) |
***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R1 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #5 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) |
processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 407 bytes from 192.1.2.45:500 on eth1 (port=500) | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse
ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 407 (0x197) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R1 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #5 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 379 (0x17b) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=371) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 6 for state #5 | state #5 requesting EVENT_SO_DISCARD to be deleted | 
free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cbaf630 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0002b70 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #5 | backlog: inserting object 0x55795cbb0300 (work-order 6 state #5) entry 0x55795cbb0308 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbb0300 (work-order 6 state #5) entry 0x55795cbb0308 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb0308 newer 0x55795cbb0308) | crypto helper 1 resuming | backlog: removing object 0x55795cbb0300 (work-order 6 state #5) entry 0x55795cbb0308 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 6 for state #5 | crypto helper 1 doing compute dh (V2); request ID 6 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #5 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #5 and saving MD | #5 is busy; has a suspended MD | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #5 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 finished 
compute dh (V2); request ID 6 time elapsed 0.005 seconds | crypto helper 1 sending results from work-order 6 for state #5 to event queue | scheduling now-event sending helper answer for #5 | executing now-event sending helper answer for 5 | serialno table: hash serialno #5 to head 0x55795bd21cc0 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 6 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #5: calculating g^{xy}, sending R2 | #5 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #5 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association 
Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request | received IDr payload - extracting our alleged ID 
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #5: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | unreference key: 0x55795cbb8c30 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c644370 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c64f740 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c684580 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c68aa80 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65ba90 | unreference key: 0x55795cbbb640 192.1.2.45 cnt 1-- | unreference key: 0x55795cbbab50 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbae50 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55795cbae5e0 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbae3a0 C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "ikev2-westnet-eastnet-x509-cr" #5: No matching subjectAltName found | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #5: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #5: Authenticated using RSA | parent state #5: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #5 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #5 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0002b70 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cba4950 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #5 | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? 
| IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload | emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type: 
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload | emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | emitting length of IKEv2 Authentication Payload: 392 | creating state object #6 at 0x55795cbbba90 | duplicating state object #5 "ikev2-westnet-eastnet-x509-cr" as #6 for IPSEC SA | inserting state object #6 | serialno list: inserting object 0x55795cbbba90 (state #6) entry 0x55795cbbc260 into list 0x55795bd2c860 (older 0x55795cbad590 newer 0x55795cbad590) | serialno list: inserted object 0x55795cbbba90 (state #6) entry 0x55795cbbc260 (older 0x55795cbad590 newer 0x55795bd2c860) | 
serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbbc260 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbbba90 (state #6) entry 0x55795cbbc280 into list 0x55795bd21ce0 (older 0x55795bd21ce0 newer 0x55795bd21ce0) | serialno table: inserted object 0x55795cbbba90 (state #6) entry 0x55795cbbc280 (older 0x55795bd21ce0 newer 0x55795bd21ce0) | serialno table: list entry 0x55795bd21ce0 is HEAD (older 0x55795cbbc280 newer 0x55795cbbc280) | serialno table: hash serialno #5 to head 0x55795bd21cc0 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents 
struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #5 to head 0x55795bd21cc0 | using existing local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 0 
transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 7e c7 0d 35 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches local 
proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 7e c7 0d 35 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 7e c7 0d 35 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) 
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 7e c7 0d 35 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote 
proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 7e c7 0d 35 | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #5: proposal 1:ESP:SPI=7ec70d35;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 
1:ESP:SPI=7ec70d35;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0x9a4d5cfc for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 9a 4d 5c fc | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure 
Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes 
of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #6: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.7ec70d35@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.9a4d5cfc@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #6: prospective erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 
0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:ikev2-westnet-eastnet-x509-cr esr:{(nil)} ro:ikev2-westnet-eastnet-x509-cr rosr:{(nil)} and state: #6 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.7ec70d35@192.1.2.45 | get_sa_info esp.9a4d5cfc@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332911' PLUTO_C | popen cmd is 1486 chars long | cmd( 
0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332911' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):7ec70d35 SPI_OUT=0x9a4d5cfc ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #6 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance 
ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #6 (was #0) (spd.eroute=#6) cloned from #5 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE 
(0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next 
payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #6 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #6 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #5 to head 0x55795bd21cc0 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #6: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #6 after switching state | serialno table: hash serialno #5 to head 0x55795bd21cc0 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #5 PARENT_R2; CHILD #6 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #6: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #6: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x7ec70d35 <0x9a4d5cfc xfrm=AES_GCM_16_256-NONE 
NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #5) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #5) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #5) | sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #5) 
| sent 4 fragments | releasing whack for #6 (sock=fd@-1) | serialno table: hash serialno #5 to head 0x55795bd21cc0 | releasing whack and unpending for parent #5 | unpending state #5 connection "ikev2-westnet-eastnet-x509-cr" | #6 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbaf630 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #6 | processing: stop state #6 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | 37 e8 3e bc 14 49 7a cb fa 68 a9 68 0f e6 ad 3e | 2e 20 25 08 00 00 00 02 00 00 00 45 
2a 00 00 29 | b8 67 50 81 f5 a6 e9 55 9b fb 09 61 aa 60 27 16 | f0 4c 08 2e 79 d1 b8 71 42 dd d5 04 87 18 79 5a | 26 ab 6f 69 a5 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R2 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #5 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #5 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: ISAKMP_NEXT_v2D (len=4) | selected state microcode R2: process 
INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 7e c7 0d 35 | delete PROTO_v2_ESP SA(0x7ec70d35) | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 CHILD SA #6 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x7ec70d35) "ikev2-westnet-eastnet-x509-cr" #5: received Delete SA payload: delete IPSEC State #6 now | processing: suspend state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #6 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #5 to head 0x55795bd21cc0 "ikev2-westnet-eastnet-x509-cr" #6: deleting other state #6 (STATE_V2_IPSEC_R) aged 0.200s and NOT sending 
notification | child state #6: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.7ec70d35@192.1.2.45 | get_sa_info esp.9a4d5cfc@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #6: ESP traffic information: in=0B out=0B | child state #6: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #6 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbaf630 | serialno list: removing object 0x55795cbbba90 (state #6) entry 0x55795cbbc260 (older 0x55795cbad590 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cbacdc0 (state #5) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: removing object 0x55795cbbba90 (state #6) entry 0x55795cbbc280 (older 0x55795bd21ce0 newer 0x55795bd21ce0) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.7ec70d35@192.1.2.45 | get_sa_info esp.9a4d5cfc@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332911' PLU | popen cmd is 1488 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332911' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | cmd(1360):TES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | 
cmd(1440):0x7ec70d35 SPI_OUT=0x9a4d5cfc ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.7ec70d35@192.1.2.45 | netlink response for Del SA esp.7ec70d35@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.9a4d5cfc@192.1.2.23 | netlink response for Del SA esp.9a4d5cfc@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #6: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #6 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #5 to head 0x55795bd21cc0 | processing: resume state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs 9a 4d 5c fc | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated 
HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #5) | 37 e8 3e bc 14 49 7a cb fa 68 a9 68 0f e6 ad 3e | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | 01 05 21 d1 25 d8 ec 18 27 3c 58 61 67 30 4c 3e | eb 14 a5 46 99 8b f1 d5 d5 98 bd bd af 16 63 4c | cb c7 f9 c6 c8 | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #5 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #5 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #5 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #5 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #5: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | 37 e8 3e bc 14 49 7a cb fa 68 a9 68 0f e6 ad 3e | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | c2 da d0 1d f0 86 37 a3 22 e2 fb 65 c7 8c 80 29 | 9c cb 5c 8f 99 5e 06 22 b6 8c 7e 10 ca 30 6c e2 | 47 | processing: start from 192.1.2.45:500 (in 
process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | v2 IKE SA #5 found, in state STATE_PARENT_R2 | found state #5 | processing: start state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #5 is idle | #5 idle | #5 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #5 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #5 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | 
Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 37 e8 3e bc 14 49 7a cb | responder cookie: | fa 68 a9 68 0f e6 ad 3e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #5) | 37 e8 3e bc 14 49 7a cb fa 68 a9 68 0f e6 ad 3e | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | 39 21 48 7d 77 ca 3c b4 38 47 ea db 63 a3 a0 34 | ea a1 9c 3a de 3a 2e 66 1e | IKE SPIi:SPIr table: hash IKE SPIi 37 e8 3e bc 14 49 7a cb SPIr fa 68 a9 68 0f e6 ad 3e to 154249506631000012 slot 0x55795bd1a2c0 | parent state #5: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #5 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #5 to head 0x55795bd21cc0 "ikev2-westnet-eastnet-x509-cr" #5: deleting state 
(STATE_IKESA_DEL) aged 0.381s and NOT sending notification | parent state #5: IKESA_DEL(established IKE SA) => delete | state #5 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cba4950 | serialno list: removing object 0x55795cbacdc0 (state #5) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cbacdc0 (state #5) entry 0x55795cbad5b0 (older 0x55795bd21cc0 newer 0x55795bd21cc0) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #5: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbb79e0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #5 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #5 to head 0x55795bd21cc0 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a to 8049036738632754963 slot 0x55795bd1e880 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload
(ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW | 
find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #7 at 0x55795cbacdc0 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #7 | serialno list: inserting object 0x55795cbacdc0 (state #7) entry 0x55795cbad590 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cbacdc0 (state #7) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbacdc0 (state #7) entry 0x55795cbad5b0 into list 0x55795bd21d00 (older 0x55795bd21d00 newer 0x55795bd21d00) | serialno table: inserted object 0x55795cbacdc0 (state #7) entry 0x55795cbad5b0 (older 0x55795bd21d00 newer 0x55795bd21d00) | serialno table: list entry 0x55795bd21d00 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #7: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | using existing local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform 
Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) 
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 
transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #7: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 80 3c 8d 28 f8 81 8f 4a | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= c2 30 57 0e 57 01 63 1b aa 90 59 ab 2a f1 12 18 | natd_hash: hash= 68 e1 14 89 | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 80 3c 8d 28 f8 81 8f 4a | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 43 6b 62 19 a8 e2 a3 f6 1d b5 90 d2 eb ac 3d ac | natd_hash: hash= 3a 85 c3 68 | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 7 for state #7 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #7 | backlog: inserting object 0x55795cbb0200 (work-order 7 state #7) entry 0x55795cbb0208 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 
0x55795cbb0200 (work-order 7 state #7) entry 0x55795cbb0208 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb0208 newer 0x55795cbb0208) | crypto helper 0 resuming | backlog: removing object 0x55795cbb0200 (work-order 7 state #7) entry 0x55795cbb0208 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 7 for state #7 | crypto helper 0 doing build KE and nonce; request ID 7 | crypto helper 0 finished build KE and nonce; request ID 7 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 7 for state #7 to event queue | scheduling now-event sending helper answer for #7 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #7 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #7 and saving MD | #7 is busy; has a suspended MD | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #7 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 7 | serialno table: hash serialno #7 to head 0x55795bd21d00 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 7 | calling continuation function 0x55795ba2a400 | 
ikev2_parent_inI1outR1_continue for #7: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 47 18 38 9a 12 2a d9 61 7b 98 73 7e fb 29 bf 6d | IKEv2 nonce 0c d7 61 e4 74 21 24 00 7b e5 f7 30 c4 2b ba 0f | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 80 3c 8d 28 f8 81 8f 4a | natd_hash: rcookie= 48 61 2b 24 55 1e 89 ba | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 55 c7 6c 60 8c ca 5c ae fe 65 8e 66 1d 2f 17 a2 | natd_hash: hash= 70 9c b6 be | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 55 c7 6c 60 8c ca 5c ae fe 65 8e 66 1d 2f 17 a2 | Notify data 70 9c b6 be | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 80 3c 8d 28 f8 81 8f 4a | natd_hash: rcookie= 48 61 2b 24 55 1e 89 ba | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= bc 01 37 7d 0f 2f 1d 97 5b e7 08 73 8c 5a 19 7d | natd_hash: hash= a1 9d 67 bd | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data bc 01 37 7d 0f 2f 1d 97 5b e7 08 73 8c 5a 19 7d | Notify data a1 9d 67 bd | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #7 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #7: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #7 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #7 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #7: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #7)
| state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cba4950 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #7 | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R1 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet()
at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #7 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R1 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 |
#7 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R1 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #7 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF)
| ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R1 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #7 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) |
processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 407 bytes from 192.1.2.45:500 on eth1 (port=500) | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse
ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 407 (0x197) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R1 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #7 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 379 (0x17b) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=371) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 8 for state #7 | state #7 requesting EVENT_SO_DISCARD to be deleted | 
free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cba4950 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0003900 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #7 | backlog: inserting object 0x55795cbb0200 (work-order 8 state #7) entry 0x55795cbb0208 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbb0200 (work-order 8 state #7) entry 0x55795cbb0208 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbb0208 newer 0x55795cbb0208) | crypto helper 1 resuming | backlog: removing object 0x55795cbb0200 (work-order 8 state #7) entry 0x55795cbb0208 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 8 for state #7 | crypto helper 1 doing compute dh (V2); request ID 8 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #7 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #7 and saving MD | #7 is busy; has a suspended MD | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #7 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 finished 
compute dh (V2); request ID 8 time elapsed 0.005 seconds | crypto helper 1 sending results from work-order 8 for state #7 to event queue | scheduling now-event sending helper answer for #7 | executing now-event sending helper answer for 7 | serialno table: hash serialno #7 to head 0x55795bd21d00 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 8 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #7: calculating g^{xy}, sending R2 | #7 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #7 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association 
Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request | received IDr payload - extracting our alleged ID
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #7: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | unreference key: 0x55795cbb79e0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c630d10 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65ba90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c633c80 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c64de90 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c6850d0 | unreference key: 0x55795cbba710 192.1.2.45 cnt 1-- | unreference key: 0x55795cbaf9d0 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbacd0 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbf720 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbb0fa0 C=CA,
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "ikev2-westnet-eastnet-x509-cr" #7: No matching subjectAltName found | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #7: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #7: Authenticated using RSA | parent state #7: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #7 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #7 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0003900 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cba4950 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #7 | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? 
| IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload | emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type:
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload
| emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload
| emitting length of IKEv2 Authentication Payload: 392 | creating state object #8 at 0x55795cbc25f0 | duplicating state object #7 "ikev2-westnet-eastnet-x509-cr" as #8 for IPSEC SA | inserting state object #8 | serialno list: inserting object 0x55795cbc25f0 (state #8) entry 0x55795cbc2dc0 into list 0x55795bd2c860 (older 0x55795cbad590 newer 0x55795cbad590) | serialno list: inserted object 0x55795cbc25f0 (state #8) entry 0x55795cbc2dc0 (older 0x55795cbad590 newer 0x55795bd2c860) |
serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbc2dc0 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbc25f0 (state #8) entry 0x55795cbc2de0 into list 0x55795bd21d20 (older 0x55795bd21d20 newer 0x55795bd21d20) | serialno table: inserted object 0x55795cbc25f0 (state #8) entry 0x55795cbc2de0 (older 0x55795bd21d20 newer 0x55795bd21d20) | serialno table: list entry 0x55795bd21d20 is HEAD (older 0x55795cbc2de0 newer 0x55795cbc2de0) | serialno table: hash serialno #7 to head 0x55795bd21d00 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents 
struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #7 to head 0x55795bd21d00 | using existing local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 0 
transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 0e 57 7c 42 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches local 
proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 0e 57 7c 42 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 0e 57 7c 42 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) 
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 0e 57 7c 42 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote 
proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 0e 57 7c 42 | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #7: proposal 1:ESP:SPI=0e577c42;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 
1:ESP:SPI=0e577c42;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0x8a60a829 for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 8a 60 a8 29 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure 
Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes 
of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #8: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.e577c42@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.8a60a829@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #8: prospective erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 
0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:ikev2-westnet-eastnet-x509-cr esr:{(nil)} ro:ikev2-westnet-eastnet-x509-cr rosr:{(nil)} and state: #8 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.e577c42@192.1.2.45 | get_sa_info esp.8a60a829@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332912' PLUTO_C | popen cmd is 1485 chars long | cmd( 
0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332912' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):e577c42 SPI_OUT=0x8a60a829 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #8 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance 
ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #8 (was #0) (spd.eroute=#8) cloned from #7 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE
(0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next
payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #8 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #8 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #7 to head 0x55795bd21d00 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #8: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #8 after switching state | serialno table: hash serialno #7 to head 0x55795bd21d00 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #7 PARENT_R2; CHILD #8 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #8: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #8: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x0e577c42 <0x8a60a829 xfrm=AES_GCM_16_256-NONE
NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #7) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #7) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #7) | sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #7) | sent 4 fragments | releasing whack for #8 (sock=fd@-1) | serialno table: hash serialno #7 to head 0x55795bd21d00 | releasing whack and unpending for parent #7 | unpending state #7 connection "ikev2-westnet-eastnet-x509-cr" | #8 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbaf630 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #8 | processing: stop state #8 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | 80 3c 8d 28 f8 81 8f 4a 48 61 2b 24 55 1e 89 ba | 2e 20 25 08 00 00 00 02 00 00 00 45
2a 00 00 29 | 9d 6d be a2 8a 83 04 8f 7b 15 9d 9c 0a 49 3d dc | 39 74 27 dc 9a 5c 86 1e b5 ae be 54 e8 0a 6c 18 | 97 aa 51 1c b5 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R2 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #7 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #7 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: ISAKMP_NEXT_v2D (len=4) | selected state microcode R2: process 
INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 0e 57 7c 42 | delete PROTO_v2_ESP SA(0x0e577c42) | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 CHILD SA #8 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x0e577c42) "ikev2-westnet-eastnet-x509-cr" #7: received Delete SA payload: delete IPSEC State #8 now | processing: suspend state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #8 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #7 to head 0x55795bd21d00 "ikev2-westnet-eastnet-x509-cr" #8: deleting other state #8 (STATE_V2_IPSEC_R) aged 0.186s and NOT sending 
notification | child state #8: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.e577c42@192.1.2.45 | get_sa_info esp.8a60a829@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #8: ESP traffic information: in=0B out=0B | child state #8: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #8 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbaf630 | serialno list: removing object 0x55795cbc25f0 (state #8) entry 0x55795cbc2dc0 (older 0x55795cbad590 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cbacdc0 (state #7) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: removing object 0x55795cbc25f0 (state #8) entry 0x55795cbc2de0 (older 0x55795bd21d20 newer 0x55795bd21d20) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.e577c42@192.1.2.45 | get_sa_info esp.8a60a829@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332912' PLU | popen cmd is 1487 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332912' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | cmd(1360):TES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | 
cmd(1440):0xe577c42 SPI_OUT=0x8a60a829 ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.e577c42@192.1.2.45 | netlink response for Del SA esp.e577c42@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.8a60a829@192.1.2.23 | netlink response for Del SA esp.8a60a829@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #8: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #8 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #7 to head 0x55795bd21d00 | processing: resume state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs 8a 60 a8 29 | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY 
into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #7) | 80 3c 8d 28 f8 81 8f 4a 48 61 2b 24 55 1e 89 ba | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | 4e 6e 53 ab a6 ea fd ad b6 c5 37 b9 0f 18 ab ff | 90 0e 41 7b c1 4c 60 26 9f 4d e3 28 c8 61 75 b8 | 50 23 ca ad a4 | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #7 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #7 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #7 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #7 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #7: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | 80 3c 8d 28 f8 81 8f 4a 48 61 2b 24 55 1e 89 ba | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | 92 1a 6c fd 8f 32 a7 67 80 19 b4 70 61 8e a4 c1 | 6a e7 2a 41 ff f6 18 05 cf 04 e0 70 57 1d 0b 6d | fa | processing: start from 192.1.2.45:500 (in process_md() 
at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | v2 IKE SA #7 found, in state STATE_PARENT_R2 | found state #7 | processing: start state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #7 is idle | #7 idle | #7 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #7 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #7 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an 
INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 80 3c 8d 28 f8 81 8f 4a | responder cookie: | 48 61 2b 24 55 1e 89 ba | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #7) | 80 3c 8d 28 f8 81 8f 4a 48 61 2b 24 55 1e 89 ba | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | ba 4b 0a 0c 8a 74 fc ec 31 d3 59 54 34 db 39 a4 | 89 41 a9 29 9e 4e 82 72 f1 | IKE SPIi:SPIr table: hash IKE SPIi 80 3c 8d 28 f8 81 8f 4a SPIr 48 61 2b 24 55 1e 89 ba to 10277867494473017327 slot 0x55795bd1b0e0 | parent state #7: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #7 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #7 to head 0x55795bd21d00 "ikev2-westnet-eastnet-x509-cr" #7: deleting state 
(STATE_IKESA_DEL) aged 0.385s and NOT sending notification | parent state #7: IKESA_DEL(established IKE SA) => delete | state #7 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cba4950 | serialno list: removing object 0x55795cbacdc0 (state #7) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cbacdc0 (state #7) entry 0x55795cbad5b0 (older 0x55795bd21d00 newer 0x55795bd21d00) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #7: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbae5e0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #7 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #7 to head 0x55795bd21d00 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500) | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 to 3648729548428422213 slot 0x55795bd20640 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed with payload
(ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW | 
find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #9 at 0x55795cbacdc0 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #9 | serialno list: inserting object 0x55795cbacdc0 (state #9) entry 0x55795cbad590 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cbacdc0 (state #9) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbacdc0 (state #9) entry 0x55795cbad5b0 into list 0x55795bd21d40 (older 0x55795bd21d40 newer 0x55795bd21d40) | serialno table: inserted object 0x55795cbacdc0 (state #9) entry 0x55795cbad5b0 (older 0x55795bd21d40 newer 0x55795bd21d40) | serialno table: list entry 0x55795bd21d40 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #9: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | using existing local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform 
Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) 
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 
transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #9: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 3a 21 78 79 d0 51 d3 83 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= bc 62 07 09 3e 3e be 32 89 0e f4 e3 d2 ca 65 7d | natd_hash: hash= ae 9b 73 cb | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 3a 21 78 79 d0 51 d3 83 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 94 f6 d5 a8 c8 31 ed f4 73 cc 1a 6c fb 36 94 42 | natd_hash: hash= 6a f1 a6 5e | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 9 for state #9 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #9 | backlog: inserting object 0x55795cbc25f0 (work-order 9 state #9) entry 0x55795cbc25f8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 
0x55795cbc25f0 (work-order 9 state #9) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbc25f8 newer 0x55795cbc25f8) | crypto helper 0 resuming | backlog: removing object 0x55795cbc25f0 (work-order 9 state #9) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 9 for state #9 | crypto helper 0 doing build KE and nonce; request ID 9 | crypto helper 0 finished build KE and nonce; request ID 9 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 9 for state #9 to event queue | scheduling now-event sending helper answer for #9 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #9 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #9 and saving MD | #9 is busy; has a suspended MD | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #9 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 9 | serialno table: hash serialno #9 to head 0x55795bd21d40 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 9 | calling continuation function 0x55795ba2a400 | 
ikev2_parent_inI1outR1_continue for #9: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce b4 77 05 41 9c 09 af 0e b4 7b b3 16 6a 67 1d 34 | IKEv2 nonce 32 01 a5 64 ff 92 24 46 fb 6a ec 68 13 64 f9 18 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads. 
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 3a 21 78 79 d0 51 d3 83 | natd_hash: rcookie= 9d fe 7c d9 f7 16 e7 a5 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 44 20 ad 71 e9 90 ca 66 53 49 c6 02 61 88 17 66 | natd_hash: hash= aa e9 b7 9b | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 44 20 ad 71 e9 90 ca 66 53 49 c6 02 61 88 17 66 | Notify data aa e9 b7 9b | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= 3a 21 78 79 d0 51 d3 83 | natd_hash: rcookie= 9d fe 7c d9 f7 16 e7 a5 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= f8 0c e8 c5 46 7a 0e 35 3a 78 96 85 48 e0 36 2d | natd_hash: hash= f6 fe a8 44 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data f8 0c e8 c5 46 7a 0e 35 3a 78 96 85 48 e0 36 2d | Notify data f6 fe a8 44 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #9 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #9: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #9 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #9 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #9: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #9)
| state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cba4950 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cba4950 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #9 | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R1 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at 
ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #9 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R1 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #9
in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R1 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #9 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) |
***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R1 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #9 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) |
processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 407 bytes from 192.1.2.45:500 on eth1 (port=500) | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse
ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 407 (0x197) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R1 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #9 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 379 (0x17b) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=371) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 10 for state #9 | state #9 requesting EVENT_SO_DISCARD to be deleted | 
free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cba4950 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0003900 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #9 | backlog: inserting object 0x55795cbc25f0 (work-order 10 state #9) entry 0x55795cbc25f8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbc25f0 (work-order 10 state #9) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbc25f8 newer 0x55795cbc25f8) | crypto helper 1 resuming | backlog: removing object 0x55795cbc25f0 (work-order 10 state #9) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 10 for state #9 | crypto helper 1 doing compute dh (V2); request ID 10 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 1 finished compute dh (V2); request ID 10 time elapsed 0.005 seconds | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #9 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #9 and saving MD | #9 is busy; has a suspended MD | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #9 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection 
"ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 sending results from work-order 10 for state #9 to event queue | scheduling now-event sending helper answer for #9 | executing now-event sending helper answer for 9 | serialno table: hash serialno #9 to head 0x55795bd21d40 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 10 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #9: calculating g^{xy}, sending R2 | #9 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #9 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security 
Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request | received IDr payload - extracting our alleged ID
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #9: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | unreference key: 0x55795cbae5e0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65e6c0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c6850d0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c689ea0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c684580 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c65af50 | unreference key: 0x55795cbae3a0 192.1.2.45 cnt 1-- | unreference key: 0x55795cbbb640 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbab50 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbae50 user-west@testing.libreswan.org cnt 1-- | unreference key:
0x55795cbb0ee0 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "ikev2-westnet-eastnet-x509-cr" #9: No matching subjectAltName found | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #9: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, 
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #9: Authenticated using RSA | parent state #9: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #9 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #9 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0003900 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbc7d00 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #9 | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? 
| IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload | emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type:
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload
| emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | rsa signature 2f 7b 0a 17
9e 33 69 0f 89 9a db 59 3c 6d d3 bd | rsa signature 29 92 d3 1c 59 6f 3c 62 90 37 86 bc 56 b0 f0 18 | rsa signature 69 5e 83 fe 79 7e 44 ba fd b0 6c c4 a6 6d 00 ae | rsa signature 9b af 77 12 2e e0 e1 7b 3f a9 8e be cc 92 8b 64 | rsa signature 15 8e 61 aa d1 e9 e8 dd 82 b5 32 36 56 be fa 4c | rsa signature 4e 2e ba 62 a6 d9 c0 86 84 27 8c 5a 4a 0d c3 40 | rsa signature 81 e9 be 31 a5 8e 82 9a 01 b1 dc bd 89 15 91 ab | rsa signature ea 70 00 50 af ce a5 84 93 ff 02 2d 21 48 fa f1 | rsa signature 00 d9 64 c1 50 f4 65 f1 cc 10 41 ea db 65 9c bf | rsa signature fb e6 a4 52 65 6e 1c f2 4c 25 f9 5b 4b 02 3d 24 | rsa signature ca bc 2f 66 23 62 05 c7 a0 95 41 df 3f 83 fe 95 | rsa signature bc a4 00 70 2e b1 14 e0 58 05 cb 0d 5e 75 28 86 | rsa signature a9 19 43 85 18 a3 b0 78 e9 74 7c 34 21 d9 1f 39 | rsa signature b2 97 3c 6d f2 75 86 f0 2d 60 2b c7 ef d3 eb e2 | rsa signature 96 4d e2 1b bb 4f 3a 81 3a a1 1d 23 a5 a0 98 10 | rsa signature 31 4b 3a d6 72 6f 88 cf e4 92 f6 46 ee f2 11 35 | rsa signature d4 7e c3 62 cc 67 14 73 b0 b2 14 a4 ac 55 89 80 | rsa signature d4 16 36 66 24 9a 3c 38 bd f5 c7 23 d4 46 1c 1c | rsa signature 5f 5b 72 fe 0c cf 12 78 4a 74 ab 53 85 7f 35 b3 | rsa signature 7e 09 55 b9 89 85 c6 30 d6 d6 26 54 cc 5e ac 52 | rsa signature 4a 9c 88 65 c5 ee b2 ac 9f d4 8c 39 e3 6b 8b a5 | rsa signature 8e d1 be a1 a9 82 62 5b 5a 91 22 1d 06 03 72 fe | rsa signature 61 ac 50 ef 5f c0 46 7d c1 da 64 d0 21 1a 1b a9 | rsa signature 23 e2 42 09 de f4 b0 1f dd 94 11 27 6e cb ea cc | emitting length of IKEv2 Authentication Payload: 392 | creating state object #10 at 0x55795cbb0150 | duplicating state object #9 "ikev2-westnet-eastnet-x509-cr" as #10 for IPSEC SA | inserting state object #10 | serialno list: inserting object 0x55795cbb0150 (state #10) entry 0x55795cbb0920 into list 0x55795bd2c860 (older 0x55795cbad590 newer 0x55795cbad590) | serialno list: inserted object 0x55795cbb0150 (state #10) entry 0x55795cbb0920 (older 0x55795cbad590 newer 0x55795bd2c860) | 
serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbb0920 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbb0150 (state #10) entry 0x55795cbb0940 into list 0x55795bd21d60 (older 0x55795bd21d60 newer 0x55795bd21d60) | serialno table: inserted object 0x55795cbb0150 (state #10) entry 0x55795cbb0940 (older 0x55795bd21d60 newer 0x55795bd21d60) | serialno table: list entry 0x55795bd21d60 is HEAD (older 0x55795cbb0940 newer 0x55795cbb0940) | serialno table: hash serialno #9 to head 0x55795bd21d40 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents 
struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #9 to head 0x55795bd21d40 | using existing local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 0 
transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 72 14 5d 59 | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches local 
proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 72 14 5d 59 | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 72 14 5d 59 | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) 
| IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 72 14 5d 59 | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote 
proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 72 14 5d 59 | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #9: proposal 1:ESP:SPI=72145d59;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 
1:ESP:SPI=72145d59;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0xf27e4162 for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi f2 7e 41 62 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure 
Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes 
of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #10: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.72145d59@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.f27e4162@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #10: prospective erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 
0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:ikev2-westnet-eastnet-x509-cr esr:{(nil)} ro:ikev2-westnet-eastnet-x509-cr rosr:{(nil)} and state: #10 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.72145d59@192.1.2.45 | get_sa_info esp.f27e4162@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332912' PLUTO_C | popen cmd is 1486 chars long | cmd( 
0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332912' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):72145d59 SPI_OUT=0xf27e4162 ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #10 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance 
ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #10 (was #0) (spd.eroute=#10) cloned from #9 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment |
69 6e | cleartext fragment 67 2e 6c 69 62 72 65 73 77 61 6e 2e 6f 72 67 30 | cleartext fragment 82 01 a2 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 | cleartext fragment 05 00 03 82 01 8f 00 30 82 01 8a 02 82 01 81 00 | cleartext fragment a4 96 3b d9 39 ca 30 5b d4 2e f2 c0 5f 02 2e 1e | cleartext fragment 4f 39 4e 45 58 c9 30 32 fa 72 1b 0b 25 32 3d 1c | cleartext fragment 78 d4 bd a3 fa 93 31 74 8e 28 54 32 50 38 5a 58 | cleartext fragment 37 5d 3c 95 35 db 69 d0 78 92 9a 59 36 0f 5a d2 | cleartext fragment 4c af b9 91 b2 c0 ee a5 72 4a 5e c4 ed 6b 88 92 | cleartext fragment 79 3d 45 32 f3 84 94 4a 59 f8 78 f5 1e 40 33 c7 | cleartext fragment 35 df 17 a7 d7 43 61 82 a4 c0 64 d4 19 27 82 29 | cleartext fragment 66 84 45 db f7 db bc 80 b9 2f f1 dc a5 0c 9e f5 | cleartext fragment cd 87 19 26 33 c8 87 4f d9 b1 58 9d 47 2b c3 68 | cleartext fragment e0 ca 08 0d be cd 7d df 9a 48 d0 c8 30 8d e8 a5 | cleartext fragment c5 5e 3c bb a9 f0 d6 f2 9e a1 7e 5e c6 b4 77 e7 | cleartext fragment 2d b9 8c cd bc 58 6f f6 ab 1e fb b1 f3 b3 de 87 | cleartext fragment 5f ac 3e 4f 08 77 a5 fa a4 5f fb 53 a2 43 5e 30 | cleartext fragment 2c 9a b0 86 28 90 65 1e 7a 47 62 e5 d1 0d 7d ae | cleartext fragment 5b ef e5 a1 93 8d 74 d7 38 7e 55 64 39 9b 43 d9 | cleartext fragment fb e3 03 b2 d6 d2 44 8d 86 77 e8 cb 9f e5 a6 76 | cleartext fragment d0 bb 5c 44 a7 ca 0a 9f ae dc 2e 0d 4d a1 83 48 | cleartext fragment 8d 99 06 33 ef 83 6b ab a9 05 0e e6 eb 0a 5e de | cleartext fragment 14 b4 9f b8 f4 70 90 a3 60 de cc 55 ab 67 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE 
(0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment |
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next
payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment |
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #10 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #10 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #9 to head 0x55795bd21d40 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #10: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #10 after switching state | serialno table: hash serialno #9 to head 0x55795bd21d40 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #9 PARENT_R2; CHILD #10 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #10: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #10: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x72145d59 <0xf27e4162
xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #9) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #9) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #9) | sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #9) |
sent 4 fragments | releasing whack for #10 (sock=fd@-1) | serialno table: hash serialno #9 to head 0x55795bd21d40 | releasing whack and unpending for parent #9 | unpending state #9 connection "ikev2-westnet-eastnet-x509-cr" | #10 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cba4950 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #10 | processing: stop state #10 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | 3a 21 78 79 d0 51 d3 83 9d fe 7c d9 f7 16 e7 a5 | 2e 20 25 08
00 00 00 02 00 00 00 45 2a 00 00 29 | 06 cd 97 9f 73 6e 71 36 54 f9 76 4e 08 60 7a bf | a1 a2 5b 5e e6 c7 4e df 4e bc 64 72 0d 07 13 4c | 21 19 76 29 80 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R2 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #9 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #9 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: ISAKMP_NEXT_v2D (len=4) | selected state 
microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 72 14 5d 59 | delete PROTO_v2_ESP SA(0x72145d59) | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 CHILD SA #10 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x72145d59) "ikev2-westnet-eastnet-x509-cr" #9: received Delete SA payload: delete IPSEC State #10 now | processing: suspend state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #10 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #9 to head 0x55795bd21d40 "ikev2-westnet-eastnet-x509-cr" #10: deleting other state #10 (STATE_V2_IPSEC_R) 
aged 0.196s and NOT sending notification | child state #10: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.72145d59@192.1.2.45 | get_sa_info esp.f27e4162@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #10: ESP traffic information: in=0B out=0B | child state #10: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #10 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cba4950 | serialno list: removing object 0x55795cbb0150 (state #10) entry 0x55795cbb0920 (older 0x55795cbad590 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cbacdc0 (state #9) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: removing object 0x55795cbb0150 (state #10) entry 0x55795cbb0940 (older 0x55795bd21d60 newer 0x55795bd21d60) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.72145d59@192.1.2.45 | get_sa_info esp.f27e4162@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' 
PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332912' PLU | popen cmd is 1488 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332912' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | cmd(1360):TES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' 
VTI_SHARED='no' SPI_IN=: | cmd(1440):0x72145d59 SPI_OUT=0xf27e4162 ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.72145d59@192.1.2.45 | netlink response for Del SA esp.72145d59@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.f27e4162@192.1.2.23 | netlink response for Del SA esp.f27e4162@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #10: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #10 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #9 to head 0x55795bd21d40 | processing: resume state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs f2 7e 41 62 | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes 
of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #9) | 3a 21 78 79 d0 51 d3 83 9d fe 7c d9 f7 16 e7 a5 | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | bb 2a 5d 8f 12 7e f7 0e c9 27 af 6a 4f c1 1b 76 | 0d cb d6 2e 81 5b 4e 83 ea 3d 90 80 f1 d8 eb 9d | e9 45 6e 6f 5a | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #9 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #9 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #9 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #9 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #9: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | 3a 21 78 79 d0 51 d3 83 9d fe 7c d9 f7 16 e7 a5 | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | 74 1e e4 e9 1a 2c b6 b9 e3 70 56 f8 c3 59 e2 1d | 8d 3c a4 0d e1 7b 0c ee 85 48 d1 0d 19 bc 1f 02 | be | processing: start from 
192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | v2 IKE SA #9 found, in state STATE_PARENT_R2 | found state #9 | processing: start state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #9 is idle | #9 idle | #9 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #9 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #9 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should 
send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | 3a 21 78 79 d0 51 d3 83 | responder cookie: | 9d fe 7c d9 f7 16 e7 a5 | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #9) | 3a 21 78 79 d0 51 d3 83 9d fe 7c d9 f7 16 e7 a5 | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | ed 5d 50 d1 a0 00 08 61 d3 75 d7 03 53 61 6f f5 | e8 5a 98 9a 7c 73 10 47 71 | IKE SPIi:SPIr table: hash IKE SPIi 3a 21 78 79 d0 51 d3 83 SPIr 9d fe 7c d9 f7 16 e7 a5 to 9311044693862613082 slot 0x55795bd1a8c0 | parent state #9: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #9 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #9 to head 0x55795bd21d40 "ikev2-westnet-eastnet-x509-cr" 
#9: deleting state (STATE_IKESA_DEL) aged 0.387s and NOT sending notification | parent state #9: IKESA_DEL(established IKE SA) => delete | state #9 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbc7d00 | serialno list: removing object 0x55795cbacdc0 (state #9) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cbacdc0 (state #9) entry 0x55795cbad5b0 (older 0x55795bd21d40 newer 0x55795bd21d40) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #9: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbbf720 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #9 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #9 to head 0x55795bd21d40 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | *received 780 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_v2SA (0x21) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 0 (0x0) | length: 780 (0x30c) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_SA_INIT (34) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_SA_INIT | I am the IKE SA Original Responder | IKE SPIi table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 to 15412959218110926070 slot 0x55795bd1f1e0 | v2 IKE SA by SPi not found | #null state always idle | #0 in state PARENT_R0: processing SA_INIT request | Unpacking clear payload for svm: Respond to IKE_SA_INIT | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | ***parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2KE (0x22) | flags: none (0x0) | length: 388 (0x184) | processing payload: ISAKMP_NEXT_v2SA (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2KE) | ***parse IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2Ni (0x28) | flags: none (0x0) | length: 264 (0x108) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | processing payload: ISAKMP_NEXT_v2KE (len=256) | Now let's proceed with payload (ISAKMP_NEXT_v2Ni) | ***parse IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 36 (0x24) | processing payload: ISAKMP_NEXT_v2Ni (len=32) | Now let's proceed
with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 8 (0x8) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | processing payload: ISAKMP_NEXT_v2N (len=0) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | processing payload: ISAKMP_NEXT_v2N (len=20) | Now let's proceed with payload (ISAKMP_NEXT_v2N) | ***parse IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 28 (0x1c) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | processing payload: ISAKMP_NEXT_v2N (len=20) | selected state microcode Respond to IKE_SA_INIT | anti-DDoS cookies not required (and no cookie received) | Now let's proceed with state specific processing | calling processor Respond to IKE_SA_INIT | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns empty | find_host_connection me=192.1.2.23:500 him=%any:500 policy=ECDSA+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=ECDSA+IKEV2_ALLOW | find_next_host_connection returns empty | initial parent SA message received on 192.1.2.23:500 but no connection has been authorized with policy ECDSA+IKEV2_ALLOW | find_host_connection me=192.1.2.23:500 him=192.1.2.45:500 policy=RSASIG+IKEV2_ALLOW 
| find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | find_next_host_connection policy=RSASIG+IKEV2_ALLOW | found policy = RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (ikev2-westnet-eastnet-x509-cr) | find_next_host_connection returns ikev2-westnet-eastnet-x509-cr | found connection: ikev2-westnet-eastnet-x509-cr with policy RSASIG+IKEV2_ALLOW | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | creating state object #11 at 0x55795cbacdc0 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:474) | inserting state object #11 | serialno list: inserting object 0x55795cbacdc0 (state #11) entry 0x55795cbad590 into list 0x55795bd2c860 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: inserted object 0x55795cbacdc0 (state #11) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbacdc0 (state #11) entry 0x55795cbad5b0 into list 0x55795bd21d80 (older 0x55795bd21d80 newer 0x55795bd21d80) | serialno table: inserted object 0x55795cbacdc0 (state #11) entry 0x55795cbad5b0 (older 0x55795bd21d80 newer 0x55795bd21d80) | serialno table: list entry 0x55795bd21d80 is HEAD (older 0x55795cbad5b0 newer 0x55795cbad5b0) | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45 (in initialize_new_state() at ipsec_doi.c:492) | parent state #11: UNDEFINED(ignore) => PARENT_R0(half-open IKE SA) | using existing local IKE proposals for connection ikev2-westnet-eastnet-x509-cr (IKE SA responder matching remote proposals): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 
3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256,HMAC_SHA1;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128,HMAC_SHA1_96;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256 | Comparing remote proposals against IKE responder 4 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 3 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 5 transforms | local proposal 1 type ESN has 0 transforms | local proposal 1 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 3 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 5 transforms | local proposal 2 type ESN has 0 transforms | local proposal 2 transforms: required: ENCR+PRF+DH; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 3 transforms | local proposal 3 type INTEG has 3 transforms | local proposal 3 type DH has 5 transforms | local proposal 3 type ESN has 0 transforms | local proposal 3 transforms: required: ENCR+PRF+INTEG+DH; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 3 transforms | local proposal 4 type INTEG has 3 transforms | local proposal 4 type DH has 5 transforms | local proposal 4 type ESN has 0 transforms | local proposal 4 transforms: required: ENCR+PRF+INTEG+DH; optional: none | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 1 containing 9 transforms against local proposal [1..4] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: 
v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 1 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 2 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 3 type 2 (PRF) transform 0 | remote proposal 1 transform 1 (PRF=HMAC_SHA2_512) matches local proposal 4 type 2 (PRF) transform 0 | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 1 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 2 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 3 type 4 (DH) transform 0 | remote proposal 1 transform 4 (DH=MODP2048) matches local proposal 4 type 4 (DH) transform 0 | *****parse IKEv2 Transform 
Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 1 proposed transforms: ENCR+PRF+DH; matched: ENCR+PRF+DH; unmatched: none | comparing remote proposal 1 containing ENCR+PRF+DH transforms to local proposal 1; required: ENCR+PRF+DH; optional: INTEG; matched: ENCR+PRF+DH | remote proposal 1 matches local proposal 1 | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 84 (0x54) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 9 (0x9) | Comparing remote proposal 2 containing 9 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 2 proposed transforms: ENCR+PRF+DH; matched: none; unmatched: ENCR+PRF+DH | remote proposal 2 does not match; unmatched remote transforms: ENCR+PRF+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 108 (0x6c) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 3 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) 
| IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 
transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 3 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 3 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH | ****parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 108 (0x6c) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 12 (0xc) | Comparing remote proposal 4 containing 12 transforms against local proposal [1..0] of 4 local proposals | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | ******parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_256 (0x5) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA1 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last 
transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP3072 (0xf) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP4096 (0x10) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP8192 (0x12) | *****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_ECP_256 (0x13) | remote proposal 4 proposed transforms: ENCR+PRF+INTEG+DH; matched: none; unmatched: ENCR+PRF+INTEG+DH | remote proposal 4 does not match; unmatched remote transforms: ENCR+PRF+INTEG+DH "ikev2-westnet-eastnet-x509-cr" #11: proposal 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 chosen from remote proposals 
1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256[first-match] 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512;PRF=HMAC_SHA2_256;PRF=HMAC_SHA1;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;INTEG=HMAC_SHA1_96;DH=MODP2048;DH=MODP3072;DH=MODP4096;DH=MODP8192;DH=ECP_256 | accepted IKE proposal ikev2_proposal: 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512;DH=MODP2048 | converting proposal to internal trans attrs | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= f5 8e 4e a3 4a fc 73 01 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= fc e6 30 49 4c 2f 2a 91 d2 37 18 d6 f8 18 b5 d6 | natd_hash: hash= af a8 26 2e | natd_hash: rcookie is zero | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= f5 8e 4e a3 4a fc 73 01 | natd_hash: rcookie= 00 00 00 00 00 00 00 00 | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= c5 bc 53 bd f7 39 bb dd ce e1 a9 a7 82 65 86 87 | natd_hash: hash= df 37 a6 0f | NAT_TRAVERSAL encaps using auto-detect | NAT_TRAVERSAL this end is NOT behind NAT | NAT_TRAVERSAL that end is NOT behind NAT | NAT_TRAVERSAL nat_keepalive enabled 192.1.2.45 | adding ikev2_inI1outR1 KE work-order 11 for state #11 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x55795cbc7d00 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #11 | backlog: inserting object 0x55795cbc25f0 (work-order 11 state #11) entry 0x55795cbc25f8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 
0x55795cbc25f0 (work-order 11 state #11) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbc25f8 newer 0x55795cbc25f8) | crypto helper 0 resuming | backlog: removing object 0x55795cbc25f0 (work-order 11 state #11) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 0 starting work-order 11 for state #11 | crypto helper 0 doing build KE and nonce; request ID 11 | crypto helper 0 finished build KE and nonce; request ID 11 time elapsed 0.001 seconds | crypto helper 0 sending results from work-order 11 for state #11 to event queue | scheduling now-event sending helper answer for #11 | crypto helper 0 waiting (nothing to do) | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #11 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_SUSPEND | suspending state #11 and saving MD | #11 is busy; has a suspended MD | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #11 complete v2 state STATE_PARENT_R0 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: STOP connection NULL (in process_md() at demux.c:396) | executing now-event sending helper answer for 11 | serialno table: hash serialno #11 to head 0x55795bd21d80 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 0 replies to request ID 11 | calling continuation function 0x55795ba2a400 | 
ikev2_parent_inI1outR1_continue for #11: calculated ke+nonce, sending R1 | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_SA_INIT (0x22) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 0 (0x0) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | Emitting ikev2_proposal ... | ***emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | ****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_IKE (0x1) | spi size: 0 (0x0) | # transforms: 3 (0x3) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | ******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_PRF (0x2) | IKEv2 transform ID: PRF_HMAC_SHA2_512 (0x7) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last 
transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | *****emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_DH (0x4) | IKEv2 transform ID: OAKLEY_GROUP_MODP2048 (0xe) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 40 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ***emit IKEv2 Key Exchange Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | DH group: OAKLEY_GROUP_MODP2048 (0xe) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Key Exchange Payload (34:ISAKMP_NEXT_v2KE) | next payload chain: saving location 'IKEv2 Key Exchange Payload'.'next payload type' in 'reply packet' | emitting 256 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 264 | ***emit IKEv2 Nonce Payload: | next payload type: ISAKMP_NEXT_v2N (0x29) | flags: none (0x0) | next payload chain: ignoring supplied 'IKEv2 Nonce Payload'.'next payload type' value 41:ISAKMP_NEXT_v2N | next payload chain: setting previous 'IKEv2 Key Exchange Payload'.'next payload type' to current IKEv2 Nonce Payload (40:ISAKMP_NEXT_v2Ni) | next payload chain: saving location 'IKEv2 Nonce Payload'.'next payload type' in 'reply packet' | emitting 32 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload | IKEv2 nonce 9a 2c 4f 8f 9d 80 0a 27 ad 5f 78 ab 3f e4 27 31 | IKEv2 nonce 22 45 54 21 8e b2 23 2c 31 8b 65 26 6e f4 95 77 | emitting length of IKEv2 Nonce Payload: 36 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_IKEV2_FRAGMENTATION_SUPPORTED (0x402e) | next payload chain: setting previous 'IKEv2 Nonce Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Notify Payload: 8 | NAT-Traversal support [enabled] add v2N payloads.
| natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= f5 8e 4e a3 4a fc 73 01 | natd_hash: rcookie= a1 01 e3 82 98 f1 df 1e | natd_hash: ip= c0 01 02 17 | natd_hash: port=500 | natd_hash: hash= 21 2e 3b f0 fb 64 b0 04 9a d4 a7 03 38 5c 31 ce | natd_hash: hash= 0c b5 2d 68 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_SOURCE_IP (0x4004) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 21 2e 3b f0 fb 64 b0 04 9a d4 a7 03 38 5c 31 ce | Notify data 0c b5 2d 68 | emitting length of IKEv2 Notify Payload: 28 | natd_hash: hasher=0x55795bd0d820(20) | natd_hash: icookie= f5 8e 4e a3 4a fc 73 01 | natd_hash: rcookie= a1 01 e3 82 98 f1 df 1e | natd_hash: ip= c0 01 02 2d | natd_hash: port=500 | natd_hash: hash= 3f 55 bf b2 5f b4 44 77 c6 9f e0 b8 46 33 4c e6 | natd_hash: hash= 23 e5 fa 80 | Adding a v2N Payload | ***emit IKEv2 Notify Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | Protocol ID: PROTO_v2_RESERVED (0x0) | SPI size: 0 (0x0) | Notify Message Type: v2N_NAT_DETECTION_DESTINATION_IP (0x4005) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Notify Payload (41:ISAKMP_NEXT_v2N) | next payload chain: saving location 'IKEv2 Notify Payload'.'next payload type' in 'reply packet' | emitting 20 raw bytes of Notify data into IKEv2 Notify Payload | Notify data 3f 55 bf b2 5f b4 44 77 c6 9f e0 b8 46 33 4c e6 | Notify data 23 e5 fa 80 | emitting length of IKEv2 Notify Payload: 28 | going to send a certreq | connection->kind is CK_PERMANENT so send CERTREQ | ***emit 
IKEv2 Certificate Request Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Notify Payload'.'next payload type' to current IKEv2 Certificate Request Payload (38:ISAKMP_NEXT_v2CERTREQ) | next payload chain: saving location 'IKEv2 Certificate Request Payload'.'next payload type' in 'reply packet' | emitting length of IKEv2 Certificate Request Payload: 5 | emitting length of ISAKMP Message: 437 | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #11 complete v2 state transition from PARENT_R0 to PARENT_R1 with status STF_OK | IKEv2: transition from state STATE_PARENT_R0 to state STATE_PARENT_R1 | parent state #11: PARENT_R0(half-open IKE SA) => PARENT_R1(half-open IKE SA) | Message ID: updating counters for #11 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #11 PARENT_R1; message-request msgid=0; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0 lastreplied=0 } "ikev2-westnet-eastnet-x509-cr" #11: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending 437 bytes for STATE_PARENT_R0 through eth1:500 to 192.1.2.45:500 (using #11)
| state #11 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x55795cbc7d00 | event_schedule: new EVENT_SO_DISCARD-pe@0x55795cbc7d00 | inserting event EVENT_SO_DISCARD, timeout in 200.000 seconds for #11 | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R1 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in
ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #11 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDi (0x23) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 1 (0x1) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '1', total number '5', next payload '35' | updated IKE fragment state to respond using fragments without waiting for re-transmits | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R1 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11
st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #11 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 2 (0x2) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '2', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R1 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #11 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no
SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511 (0x1ff) | fragment number: 3 (0x3) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '3', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 539 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 539 (0x21b) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R1 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #11 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 511
(0x1ff) | fragment number: 4 (0x4) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=503) | received IKE encrypted fragment number '4', total number '5', next payload '0' | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 407 bytes from 192.1.2.45:500 on eth1 (port=500) | processing:
start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SKF (0x35) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 1 (0x1) | length: 407 (0x197) | processing version=2.0 packet with exchange type=ISAKMP_v2_IKE_AUTH (35) | I am receiving an IKEv2 Request ISAKMP_v2_IKE_AUTH | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R1 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 0 md.hdr.isa_msgid 00000001 | #11 in state PARENT_R1: received v2I1, sent v2R1 | Unpacking clear payload for svm: Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with payload (ISAKMP_NEXT_v2SKF) | ***parse IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 379 (0x17b) | fragment number: 5 (0x5) | total fragments: 5 (0x5) | processing payload: ISAKMP_NEXT_v2SKF (len=371) | received IKE encrypted fragment number '5', total number '5', next payload '0' | selected state microcode Responder: process IKE_AUTH request (no SKEYSEED) | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request (no SKEYSEED) | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | offloading IKEv2 SKEYSEED using prf=HMAC_SHA2_512 integ=NONE cipherkey=AES_GCM_16 | adding ikev2_inI2outR2 KE work-order 12 
for state #11 | state #11 requesting EVENT_SO_DISCARD to be deleted | free_event_entry: release EVENT_SO_DISCARD-pe@0x55795cbc7d00 | event_schedule: new EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0002b70 | inserting event EVENT_CRYPTO_TIMEOUT, timeout in 60.000 seconds for #11 | backlog: inserting object 0x55795cbc25f0 (work-order 12 state #11) entry 0x55795cbc25f8 into list 0x55795bd2d7e0 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: inserted object 0x55795cbc25f0 (work-order 12 state #11) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: list entry 0x55795bd2d7e0 is HEAD (older 0x55795cbc25f8 newer 0x55795cbc25f8) | crypto helper 1 resuming | backlog: removing object 0x55795cbc25f0 (work-order 12 state #11) entry 0x55795cbc25f8 (older 0x55795bd2d7e0 newer 0x55795bd2d7e0) | backlog: empty | crypto helper 1 starting work-order 12 for state #11 | crypto helper 1 doing compute dh (V2); request ID 12 | calculating skeyseed using prf=sha2_512 integ=none cipherkey-size=32 salt-size=4 | crypto helper 1 finished compute dh (V2); request ID 12 time elapsed 0.006 seconds | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #11 complete v2 state transition from PARENT_R1 to PARENT_R1 with status STF_SUSPEND | suspending state #11 and saving MD | #11 is busy; has a suspended MD | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in log_stf_suspend() at ikev2.c:2895) | "ikev2-westnet-eastnet-x509-cr" #11 complete v2 state STATE_PARENT_R1 transition with STF_SUSPEND suspended from complete_v2_state_transition:3061 | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection 
"ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | crypto helper 1 sending results from work-order 12 for state #11 to event queue | scheduling now-event sending helper answer for #11 | executing now-event sending helper answer for 11 | serialno table: hash serialno #11 to head 0x55795bd21d80 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:546) | crypto helper 1 replies to request ID 12 | calling continuation function 0x55795ba28d00 | ikev2_parent_inI2outR2_continue for #11: calculating g^{xy}, sending R2 | #11 in state PARENT_R1: received v2I1, sent v2R1 | already have all fragments, skipping fragment collection | already have all fragments, skipping fragment collection | #11 ikev2 ISAKMP_v2_IKE_AUTH decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2IDi) | **parse IKEv2 Identification - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2CERT (0x25) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDi (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2CERT) | **parse IKEv2 Certificate Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1232 (0x4d0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | processing payload: ISAKMP_NEXT_v2CERT (len=1227) | Now let's proceed with payload (ISAKMP_NEXT_v2IDr) | **parse IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2AUTH (0x27) | flags: none (0x0) | length: 191 (0xbf) | ID type: ID_DER_ASN1_DN (0x9) | processing payload: ISAKMP_NEXT_v2IDr (len=183) | Now let's proceed with payload (ISAKMP_NEXT_v2AUTH) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | length: 392 (0x188) | auth method: IKEv2_AUTH_RSA (0x1) | processing payload: 
ISAKMP_NEXT_v2AUTH (len=384) | Now let's proceed with payload (ISAKMP_NEXT_v2SA) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi (0x2c) | flags: none (0x0) | length: 204 (0xcc) | processing payload: ISAKMP_NEXT_v2SA (len=200) | Now let's proceed with payload (ISAKMP_NEXT_v2TSi) | **parse IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2TSr (0x2d) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSi (len=16) | Now let's proceed with payload (ISAKMP_NEXT_v2TSr) | **parse IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 24 (0x18) | number of TS: 1 (0x1) | processing payload: ISAKMP_NEXT_v2TSr (len=16) | selected state microcode Responder: process IKE_AUTH request | Now let's proceed with state specific processing | calling processor Responder: process IKE_AUTH request | received IDr payload - extracting our alleged ID
| checking for known CERT payloads | saving certificate of type 'X509_SIGNATURE' in 0 | CERT payloads found: 1; calling pluto_process_certs() | decoded E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | cert_issuer_has_current_crl: looking for a CRL issued by E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | releasing crl list in cert_issuer_has_current_crl with result false | missing or expired CRL | crypto helper 1 waiting (nothing to do) | crl_strict: 0, ocsp: 0, ocsp_strict: 0, ocsp_post: 0 | certificate is valid "ikev2-westnet-eastnet-x509-cr" #11: certificate verified OK: E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | unreference key: 0x55795cbbf720 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c630d10 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c655510 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c68a6d0 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795cbce820 | get_pluto_gn_from_nss_cert: allocated pluto_gn 0x55795c54a9a0 | unreference key: 0x55795cbb0fa0 192.1.2.45 cnt 1-- | unreference key: 0x55795cbba710 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbaf9d0 @west.testing.libreswan.org cnt
1-- | unreference key: 0x55795cbbacd0 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55795c549a90 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | Verifying configured ID matches certificate | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' needs further ID comparison against 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' matched our ID | SAN ID matched, updating that.cert | Peer public key SubjectAltName matches peer ID for this connection | X509: CERT and ID matches current connection | refine_host_connection for IKEv2: starting with "ikev2-westnet-eastnet-x509-cr" | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | refine_host_connection: checking "ikev2-westnet-eastnet-x509-cr" against "ikev2-westnet-eastnet-x509-cr", best=(none) with match=1(id=1/ca=1/reqca=1) | Warning: not switching back to template of current instance | Peer expects us to be C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) according to its IDr 
payload | This connection's local id is C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org (ID_DER_ASN1_DN) "ikev2-westnet-eastnet-x509-cr" #11: No matching subjectAltName found | IDr payload 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' is NOT a valid certificate SAN for this connection | refine_host_connection: checked ikev2-westnet-eastnet-x509-cr against ikev2-westnet-eastnet-x509-cr, now for see if best | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | refine_host_connection: picking new best "ikev2-westnet-eastnet-x509-cr" (wild=0, peer_pathlen=7/our=0) | refine going into 2nd loop allowing instantiated conns as well | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | returning since no better match than original best_found | offered CA: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' "ikev2-westnet-eastnet-x509-cr" #11: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | required RSA CA is '%any' | checking RSA keyid 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' for match with 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, 
CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | key issuer CA is 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | an RSA Sig check passed with *AwEAAbnIH [preloaded key] "ikev2-westnet-eastnet-x509-cr" #11: Authenticated using RSA | parent state #11: PARENT_R1(half-open IKE SA) => PARENT_R2(established IKE SA) | #11 will start re-keying in 3330 seconds with margin of 270 seconds (attempting re-key) | state #11 requesting EVENT_CRYPTO_TIMEOUT to be deleted | free_event_entry: release EVENT_CRYPTO_TIMEOUT-pe@0x7fa8c0002b70 | event_schedule: new EVENT_SA_REPLACE-pe@0x55795c5545c0 | inserting event EVENT_SA_REPLACE, timeout in 3330.000 seconds for #11 | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | IKEv2 CERT: send a certificate? 
| IKEv2 CERT: OK to send a certificate (always) | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | ****emit IKEv2 Identification - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ID type: ID_DER_ASN1_DN (0x9) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Identification - Responder - Payload (36:ISAKMP_NEXT_v2IDr) | next payload chain: saving location 'IKEv2 Identification - Responder - Payload'.'next payload type' in 'reply packet' | emitting 183 raw bytes of my identity into IKEv2 Identification - Responder - Payload | emitting length of IKEv2 Identification - Responder - Payload: 191 | assembled IDr payload | Sending [CERT] of certificate: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA | ****emit IKEv2 Certificate Payload: | next payload type:
ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | ikev2 cert encoding: CERT_X509_SIGNATURE (0x4) | next payload chain: setting previous 'IKEv2 Identification - Responder - Payload'.'next payload type' to current IKEv2 Certificate Payload (37:ISAKMP_NEXT_v2CERT) | next payload chain: saving location 'IKEv2 Certificate Payload'.'next payload type' in 'reply packet' | emitting 1227 raw bytes of CERT into IKEv2 Certificate Payload | emitting length of IKEv2 Certificate Payload: 1232 | CHILD SA proposals received | going to assemble AUTH payload | ****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA (0x21) | flags: none (0x0) | auth method: IKEv2_AUTH_RSA (0x1) | next payload chain: ignoring supplied 'IKEv2 Authentication Payload'.'next payload type' value 33:ISAKMP_NEXT_v2SA | next payload chain: setting previous 'IKEv2 Certificate Payload'.'next payload type' to current IKEv2 Authentication Payload (39:ISAKMP_NEXT_v2AUTH) | next payload chain: saving location 'IKEv2 Authentication Payload'.'next payload type' in 'reply packet' | started looking for secret for C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org->C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org of kind PKK_RSA | allocating public key using connection's certificate; only to throw it a way | finding secret using public key | searching for secret matching public key PKK_RSA:AwEAAaSWO | secret PKK_RSA:AwEAAaSWO matches public key PKK_RSA:AwEAAaSWO | RSA_sign_hash: Started using NSS | RSA_sign_hash: Ended using NSS | emitting 384 raw bytes of rsa signature into IKEv2 Authentication Payload | emitting length of IKEv2 Authentication Payload: 392 | creating state object #12 at 0x55795cbabbe0 | duplicating state object #11 "ikev2-westnet-eastnet-x509-cr" as #12 for IPSEC SA | inserting state object #12 | serialno list: inserting object 0x55795cbabbe0 (state #12) entry 0x55795cbac3b0 into list 0x55795bd2c860 (older 0x55795cbad590 newer 0x55795cbad590) | serialno list: inserted object 0x55795cbabbe0 (state #12) entry 0x55795cbac3b0 (older 0x55795cbad590 newer 0x55795bd2c860) |
serialno list: list entry 0x55795bd2c860 is HEAD (older 0x55795cbac3b0 newer 0x55795cbad590) | serialno table: inserting object 0x55795cbabbe0 (state #12) entry 0x55795cbac3d0 into list 0x55795bd21da0 (older 0x55795bd21da0 newer 0x55795bd21da0) | serialno table: inserted object 0x55795cbabbe0 (state #12) entry 0x55795cbac3d0 (older 0x55795bd21da0 newer 0x55795bd21da0) | serialno table: list entry 0x55795bd21da0 is HEAD (older 0x55795cbac3d0 newer 0x55795cbac3d0) | serialno table: hash serialno #11 to head 0x55795bd21d80 | Child SA TS Request has ike->sa == md->st; so using parent connection | TSi: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 01 ff | TSi: parsed 1 traffic selectors | TSr: parsing 1 traffic selectors | ***parse IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | length: 16 (0x10) | start port: 0 (0x0) | end port: 65535 (0xffff) | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts low | ipv4 ts low c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selector into ipv4 ts high | ipv4 ts high c0 00 02 ff | TSr: parsed 1 traffic selectors | looking for best SPD in current connection | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 
.iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | found better spd route for TSi[0],TSr[0] | looking for better host pair | find_host_pair: comparing 192.1.2.23:500 to 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is found | investigating connection "ikev2-westnet-eastnet-x509-cr" as a better match | match_id a=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | b=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org | results matched | evaluating our conn="ikev2-westnet-eastnet-x509-cr" I=192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 to their: | TSi[0] .net=192.0.1.0-192.0.1.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.1.0/24 == TSi[0]net=192.0.1.0-192.0.1.255: YES fitness 32 | narrow port end=0..65535 == TSi[0]=0..65535: 0 | TSi[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSi[0]=*0: 0 | match end->protocol=*0 == TSi[0].ipprotoid=*0: YES fitness 255 | TSr[0] .net=192.0.2.0-192.0.2.255 .iporotoid=0 .{start,end}port=0..65535 | match address end->client=192.0.2.0/24 == TSr[0]net=192.0.2.0-192.0.2.255: YES fitness 32 | narrow port end=0..65535 == TSr[0]=0..65535: 0 | TSr[0] port match: YES fitness 65536 | narrow protocol end=*0 == TSr[0]=*0: 0 | match end->protocol=*0 == TSr[0].ipprotoid=*0: YES fitness 255 | best fit so far: TSi[0] TSr[0] | did not find a better connection using host pair | printing contents struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.2.0-192.0.2.255 | printing contents 
struct traffic_selector | ts_type: IKEv2_TS_IPV4_ADDR_RANGE | ipprotoid: 0 | port range: 0-65535 | ip range: 192.0.1.0-192.0.1.255 | serialno table: hash serialno #11 to head 0x55795bd21d80 | using existing local ESP/AH proposals for ikev2-westnet-eastnet-x509-cr (IKE_AUTH responder matching remote ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | Comparing remote proposals against IKE_AUTH responder matching remote ESP/AH proposals 5 local proposals | local proposal 1 type ENCR has 1 transforms | local proposal 1 type PRF has 0 transforms | local proposal 1 type INTEG has 1 transforms | local proposal 1 type DH has 0 transforms | local proposal 1 type ESN has 1 transforms | local proposal 1 transforms: required: ENCR+ESN; optional: INTEG | local proposal 2 type ENCR has 1 transforms | local proposal 2 type PRF has 0 transforms | local proposal 2 type INTEG has 1 transforms | local proposal 2 type DH has 0 transforms | local proposal 2 type ESN has 1 transforms | local proposal 2 transforms: required: ENCR+ESN; optional: INTEG | local proposal 3 type ENCR has 1 transforms | local proposal 3 type PRF has 0 transforms | local proposal 3 type INTEG has 2 transforms | local proposal 3 type DH has 0 transforms | local proposal 3 type ESN has 1 transforms | local proposal 3 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 4 type ENCR has 1 transforms | local proposal 4 type PRF has 0 transforms | local proposal 4 type INTEG has 2 transforms | local proposal 4 type DH has 0 transforms | local proposal 4 type ESN has 1 transforms | local proposal 4 transforms: required: ENCR+INTEG+ESN; optional: none | local proposal 5 type ENCR has 1 transforms | local proposal 5 type PRF has 
0 transforms | local proposal 5 type INTEG has 1 transforms | local proposal 5 type DH has 0 transforms | local proposal 5 type ESN has 1 transforms | local proposal 5 transforms: required: ENCR+INTEG+ESN; optional: none | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 34 06 e0 5a | Comparing remote proposal 1 containing 2 transforms against local proposal [1..5] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | remote proposal 1 transform 0 (ENCR=AES_GCM_C_256) matches local proposal 1 type 1 (ENCR) transform 0 | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 1 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 2 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 3 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 4 type 5 (ESN) transform 0 | remote proposal 1 transform 1 (ESN=DISABLED) matches local proposal 5 type 5 (ESN) transform 0 | remote proposal 1 proposed transforms: ENCR+ESN; matched: ENCR+ESN; unmatched: none | comparing remote proposal 1 containing ENCR+ESN transforms to local proposal 1; required: ENCR+ESN; optional: INTEG; matched: ENCR+ESN | remote proposal 1 matches 
local proposal 1 | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 32 (0x20) | prop #: 2 (0x2) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 34 06 e0 5a | Comparing remote proposal 2 containing 2 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 2 proposed transforms: ENCR+ESN; matched: none; unmatched: ENCR+ESN | remote proposal 2 does not match; unmatched remote transforms: ENCR+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 3 (0x3) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 34 06 e0 5a | Comparing remote proposal 3 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG 
(0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 3 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 3 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_NON_LAST (0x2) | length: 48 (0x30) | prop #: 4 (0x4) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 4 (0x4) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 34 06 e0 5a | Comparing remote proposal 4 containing 4 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_512_256 (0xe) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA2_256_128 (0xc) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | 
remote proposal 4 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 4 does not match; unmatched remote transforms: ENCR+INTEG+ESN | ***parse IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | length: 40 (0x28) | prop #: 5 (0x5) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 3 (0x3) | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into remote SPI | remote SPI 34 06 e0 5a | Comparing remote proposal 5 containing 3 transforms against local proposal [1..0] of 5 local proposals | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 12 (0xc) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_CBC (0xc) | *****parse IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 128 (0x80) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_INTEG (0x3) | IKEv2 transform ID: AUTH_HMAC_SHA1_96 (0x2) | ****parse IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | length: 8 (0x8) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | remote proposal 5 proposed transforms: ENCR+INTEG+ESN; matched: none; unmatched: ENCR+INTEG+ESN | remote proposal 5 does not match; unmatched remote transforms: ENCR+INTEG+ESN "ikev2-westnet-eastnet-x509-cr" #11: proposal 1:ESP:SPI=3406e05a;ENCR=AES_GCM_C_256;ESN=DISABLED chosen from remote proposals 1:ESP:ENCR=AES_GCM_C_256;ESN=DISABLED[first-match] 2:ESP:ENCR=AES_GCM_C_128;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256;INTEG=HMAC_SHA2_256_128;ESN=DISABLED 5:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA1_96;ESN=DISABLED | IKE_AUTH responder matching remote ESP/AH proposals ikev2_proposal: 
1:ESP:SPI=3406e05a;ENCR=AES_GCM_C_256;ESN=DISABLED | converting proposal to internal trans attrs | netlink_get_spi: allocated 0x5a0bde5d for esp.0@192.1.2.23 | Emitting ikev2_proposal ... | ****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'IKEv2 Authentication Payload'.'next payload type' to current IKEv2 Security Association Payload (33:ISAKMP_NEXT_v2SA) | next payload chain: saving location 'IKEv2 Security Association Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Proposal Substructure Payload: | last proposal: v2_PROPOSAL_LAST (0x0) | prop #: 1 (0x1) | proto ID: IKEv2_SEC_PROTO_ESP (0x3) | spi size: 4 (0x4) | # transforms: 2 (0x2) | last substructure: saving location 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 5a 0b de 5d | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_NON_LAST (0x3) | IKEv2 transform type: TRANS_TYPE_ENCR (0x1) | IKEv2 transform ID: AES_GCM_C (0x14) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | *******emit IKEv2 Attribute Substructure Payload: | af+type: AF+IKEv2_KEY_LENGTH (0x800e) | length/value: 256 (0x100) | emitting length of IKEv2 Transform Substructure Payload: 12 | ******emit IKEv2 Transform Substructure Payload: | last transform: v2_TRANSFORM_LAST (0x0) | IKEv2 transform type: TRANS_TYPE_ESN (0x5) | IKEv2 transform ID: ESN_DISABLED (0x0) | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is v2_TRANSFORM_NON_LAST (0x3) | last substructure: saving location 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' | emitting length of IKEv2 Transform Substructure 
Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 32 | last substructure: checking 'IKEv2 Proposal Substructure Payload'.'IKEv2 Transform Substructure Payload'.'last transform' is 0 | emitting length of IKEv2 Security Association Payload: 36 | last substructure: checking 'IKEv2 Security Association Payload'.'IKEv2 Proposal Substructure Payload'.'last proposal' is 0 | ****emit IKEv2 Traffic Selector - Initiator - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Security Association Payload'.'next payload type' to current IKEv2 Traffic Selector - Initiator - Payload (44:ISAKMP_NEXT_v2TSi) | next payload chain: saving location 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 01 00 | emitting 4 raw bytes of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 01 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Initiator - Payload: 24 | ****emit IKEv2 Traffic Selector - Responder - Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | number of TS: 1 (0x1) | next payload chain: setting previous 'IKEv2 Traffic Selector - Initiator - Payload'.'next payload type' to current IKEv2 Traffic Selector - Responder - Payload (45:ISAKMP_NEXT_v2TSr) | next payload chain: saving location 'IKEv2 Traffic Selector - Responder - Payload'.'next payload type' in 'reply packet' | *****emit IKEv2 Traffic Selector: | TS type: IKEv2_TS_IPV4_ADDR_RANGE (0x7) | IP Protocol ID: 0 (0x0) | start port: 0 (0x0) | end port: 65535 (0xffff) | emitting 4 raw bytes of ipv4 start into IKEv2 Traffic Selector | ipv4 start c0 00 02 00 | emitting 4 raw bytes 
of ipv4 end into IKEv2 Traffic Selector | ipv4 end c0 00 02 ff | emitting length of IKEv2 Traffic Selector: 16 | emitting length of IKEv2 Traffic Selector - Responder - Payload: 24 | integ=none: .key_size=0 encrypt=aes_gcm_16: .key_size=32 .salt_size=4 keymat_len=36 | install_ipsec_sa() for #12: inbound and outbound | could_route called for ikev2-westnet-eastnet-x509-cr (kind=CK_PERMANENT) | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.3406e05a@192.1.2.45 included non-error error | set up outgoing SA, ref=0/0 | looking for alg with encrypt: AES_GCM_16 keylen: 256 integ: NONE | encrypt AES_GCM_16 keylen=256 transid=20, key_size=32, encryptalg=20 | AES_GCM_16 requires 4 salt bytes | st->st_esp.keymat_len=36 is encrypt_keymat_size=36 + integ_keymat_size=0 | setting IPsec SA replay-window to 32 | netlink: enabling tunnel mode | netlink: setting IPsec SA replay-window to 32 using old-style req | netlink response for Add SA esp.5a0bde5d@192.1.2.23 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | add inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => tun.10000@192.1.2.23 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | set up incoming SA, ref=0/0 | sr for #12: prospective erouted | route_and_eroute() for proto 0, and source port 0 dest port 0 | conn ikev2-westnet-eastnet-x509-cr mark 
0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" prospective erouted: self; eroute owner: self | route_and_eroute with c: ikev2-westnet-eastnet-x509-cr (next: none) ero:ikev2-westnet-eastnet-x509-cr esr:{(nil)} ro:ikev2-westnet-eastnet-x509-cr rosr:{(nil)} and state: #12 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | eroute_connection replace eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.0@192.1.2.45>tun.0@192.1.2.45 (raw_eroute) | IPsec Sa SPD priority set to 1042407 | raw_eroute result=success | running updown command "ipsec _updown" for verb up | command executing up-client | get_sa_info esp.3406e05a@192.1.2.45 | get_sa_info esp.5a0bde5d@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing up-client: PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332913' PLUTO_C | popen cmd is 1486 chars long | cmd( 
0):PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastn: | cmd( 80):et-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2: | cmd( 160):.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, : | cmd( 240):CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIEN: | cmd( 320):T='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.2: | cmd( 400):55.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TY: | cmd( 480):PE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=L: | cmd( 560):ibreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing: | cmd( 640):.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.: | cmd( 720):0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCO: | cmd( 800):L='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departmen: | cmd( 880):t, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey: | cmd( 960):' PLUTO_ADDTIME='1545332913' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_: | cmd(1040):ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CO: | cmd(1120):NN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEE: | cmd(1200):R_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER=': | cmd(1280):' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBYTE: | cmd(1360):S='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=0x: | cmd(1440):3406e05a SPI_OUT=0x5a0bde5d ipsec _updown 2>&1: | route_and_eroute: firewall_notified: true | route_and_eroute: instance "ikev2-westnet-eastnet-x509-cr", setting eroute_owner {spd=0x55795cb9cc08,sr=0x55795cb9cc08} to #12 (was #0) (newest_ipsec_sa=#0) | ISAKMP_v2_IKE_AUTH: instance 
ikev2-westnet-eastnet-x509-cr[0], setting IKEv2 newest_ipsec_sa to #12 (was #0) (spd.eroute=#12) cloned from #11 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 1928 | emitting length of ISAKMP Message: 1956 | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | length: 1956 (0x7a4) | **parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | length: 1928 (0x788) | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2IDr (0x24) | flags: none (0x0) | fragment number: 1 (0x1) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 36:ISAKMP_NEXT_v2IDr | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment | 
adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 2 (0x2) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: 
ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 3 (0x3) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 478 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 511 | emitting length of ISAKMP Message: 539 | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_IKE_AUTH (0x23) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 1 (0x1) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encrypted Fragment: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | fragment number: 4 (0x4) | total fragments: 4 (0x4) | next payload chain: using supplied v2SKF 'IKEv2 Encrypted Fragment'.'next payload type' value 0:ISAKMP_NEXT_v2NONE | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encrypted Fragment (53:ISAKMP_NEXT_v2SKF) | next payload chain: saving location 'IKEv2 Encrypted Fragment'.'next payload type' in 'reply frag packet' | emitting 8 zero bytes of IV into IKEv2 Encrypted Fragment | emitting 465 raw bytes of cleartext fragment into IKEv2 Encrypted Fragment 
| adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encrypted Fragment | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encrypted Fragment | emitting length of IKEv2 Encrypted Fragment: 498 | emitting length of ISAKMP Message: 526 | ikev2_parent_inI2outR2_continue_tail returned STF_OK | processing: suspend state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | processing: start state #12 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #12 complete v2 state transition from UNDEFINED md.from_state=PARENT_R1 svm.state=PARENT_R1 to V2_IPSEC_R with status STF_OK | serialno table: hash serialno #11 to head 0x55795bd21d80 | IKEv2: transition from state STATE_PARENT_R1 to state STATE_V2_IPSEC_R | child state #12: UNDEFINED(ignore) => V2_IPSEC_R(established CHILD SA) | Message ID: updating counters for #12 after switching state | serialno table: hash serialno #11 to head 0x55795bd21d80 | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #11 PARENT_R2; CHILD #12 V2_IPSEC_R; message-request msgid=1; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=0->1 lastreplied=1 } "ikev2-westnet-eastnet-x509-cr" #12: negotiated connection [192.0.2.0-192.0.2.255:0-65535 0] -> [192.0.1.0-192.0.1.255:0-65535 0] | NAT-T: encaps is 'auto' "ikev2-westnet-eastnet-x509-cr" #12: STATE_V2_IPSEC_R: IPsec SA established tunnel mode {ESP=>0x3406e05a <0x5a0bde5d xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} | sending V2 reply packet to 192.1.2.45:500 (from port 500) | sending fragments ... | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #11) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #11) | sending 539 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #11) | sending 526 bytes for STATE_PARENT_R1 through eth1:500 to 192.1.2.45:500 (using #11) 
| sent 4 fragments | releasing whack for #12 (sock=fd@-1) | serialno table: hash serialno #11 to head 0x55795bd21d80 | releasing whack and unpending for parent #11 | unpending state #11 connection "ikev2-westnet-eastnet-x509-cr" | #12 will start re-keying in 28530 seconds with margin of 270 seconds (attempting re-key) | event_schedule: new EVENT_SA_REPLACE-pe@0x55795cbb5e60 | inserting event EVENT_SA_REPLACE, timeout in 28530.000 seconds for #12 | processing: stop state #12 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in schedule_event_now_cb() at server.c:549) | serialno table: hash serialno #0 to head 0x55795bd21c20 | waitpid returned ECHILD (no child processes left) | *received 69 bytes from 192.1.2.45:500 on eth1 (port=500) | f5 8e 4e a3 4a fc 73 01 a1 
01 e3 82 98 f1 df 1e | 2e 20 25 08 00 00 00 02 00 00 00 45 2a 00 00 29 | 59 ba 7b c4 7e 2c 1a e5 60 db ae d1 50 17 9b 97 | 36 d0 10 b6 10 3e 31 0c 97 52 df 9a 5b 0f 8e a5 | 1c 18 a1 e3 1d | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 2 (0x2) | length: 69 (0x45) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R2 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 1 md.hdr.isa_msgid 00000002 | #11 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 41 (0x29) | processing payload: ISAKMP_NEXT_v2SK (len=37) | #11 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 12 (0xc) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | processing payload: 
ISAKMP_NEXT_v2D (len=4) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 2 (0x2) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | parsing 4 raw bytes of IKEv2 Delete Payload into SPI | SPI 34 06 e0 5a | delete PROTO_v2_ESP SA(0x3406e05a) | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 CHILD SA #12 found using their inbound (our outbound) SPI, in STATE_V2_IPSEC_R | our side SPI that needs to be deleted: PROTO_v2_ESP SA(0x3406e05a) "ikev2-westnet-eastnet-x509-cr" #11: received Delete SA payload: delete IPSEC State #12 now | processing: suspend state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | processing: start state #12 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | serialno table: hash serialno #11 to head 0x55795bd21d80 "ikev2-westnet-eastnet-x509-cr" #12: 
deleting other state #12 (STATE_V2_IPSEC_R) aged 0.202s and NOT sending notification | child state #12: V2_IPSEC_R(established CHILD SA) => delete | get_sa_info esp.3406e05a@192.1.2.45 | get_sa_info esp.5a0bde5d@192.1.2.23 "ikev2-westnet-eastnet-x509-cr" #12: ESP traffic information: in=0B out=0B | child state #12: V2_IPSEC_R(established CHILD SA) => CHILDSA_DEL(informational) | state #12 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795cbb5e60 | serialno list: removing object 0x55795cbabbe0 (state #12) entry 0x55795cbac3b0 (older 0x55795cbad590 newer 0x55795bd2c860) | serialno list: updated older object 0x55795cbacdc0 (state #11) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: updated newer entry 0x55795bd2c860 is HEAD (older 0x55795cbad590 newer 0x55795cbad590) | serialno table: removing object 0x55795cbabbe0 (state #12) entry 0x55795cbac3d0 (older 0x55795bd21da0 newer 0x55795bd21da0) | serialno table: empty | running updown command "ipsec _updown" for verb down | command executing down-client | get_sa_info esp.3406e05a@192.1.2.45 | get_sa_info esp.5a0bde5d@192.1.2.23 | trusted_ca_nss: trustee A = 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' | executing down-client: PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, 
E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netkey' PLUTO_ADDTIME='1545332913' PLU | popen cmd is 1488 chars long | cmd( 0):PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eas: | cmd( 80):tnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1: | cmd( 160):.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department: | cmd( 240):, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLI: | cmd( 320):ENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255: | cmd( 400):.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_: | cmd( 480):TYPE='ESP' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O: | cmd( 560):=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testi: | cmd( 640):ng.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.: | cmd( 720):1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTO: | cmd( 800):COL='0' PLUTO_PEER_CA='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 880):ent, CN=Libreswan test CA for mainca, E=testing@libreswan.org' PLUTO_STACK='netk: | cmd( 960):ey' PLUTO_ADDTIME='1545332913' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV: | cmd(1040):2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_: | cmd(1120):CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_MY_SOURCEIP='192.0.2.254' PLUTO_IS_P: | cmd(1200):EER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER: | cmd(1280):='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' PLUTO_INBY: | 
cmd(1360):TES='0' PLUTO_OUTBYTES='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | cmd(1440):0x3406e05a SPI_OUT=0x5a0bde5d ipsec _updown 2>&1: | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'replace with shunt' for rt_kind 'prospective erouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | IPsec Sa SPD priority set to 1042407 | delete esp.3406e05a@192.1.2.45 | netlink response for Del SA esp.3406e05a@192.1.2.45 included non-error error | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | delete inbound eroute 192.0.1.0/24:0 --0-> 192.0.2.0/24:0 => unk255.10000@192.1.2.23 (raw_eroute) | raw_eroute result=success | delete esp.5a0bde5d@192.1.2.23 | netlink response for Del SA esp.5a0bde5d@192.1.2.23 included non-error error | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | child state #12: CHILDSA_DEL(informational) => UNDEFINED(ignore) | processing: stop state #12 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #11 to head 0x55795bd21d80 | processing: resume state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:972) | ****emit IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | protocol ID: PROTO_v2_ESP (0x3) | SPI size: 4 (0x4) | number of SPIs: 1 (0x1) | next payload chain: setting previous 'IKEv2 Encryption Payload'.'next payload type' to current IKEv2 Delete Payload (42:ISAKMP_NEXT_v2D) | next payload chain: saving location 'IKEv2 Delete Payload'.'next payload type' in 'information exchange reply packet' | emitting 4 raw bytes of local SPIs into IKEv2 Delete Payload | local SPIs 5a 0b de 5d | emitting length of IKEv2 Delete Payload: 12 | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of 
padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 41 | emitting length of ISAKMP Message: 69 | sending 69 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #11) | f5 8e 4e a3 4a fc 73 01 a1 01 e3 82 98 f1 df 1e | 2e 20 25 20 00 00 00 02 00 00 00 45 2a 00 00 29 | cb 58 19 7b 13 cc 67 e5 2d 70 42 57 76 c7 6f 43 | be 35 cc cc 71 9f 4f 02 8e c1 cb ac fe da 3e 0a | ac b2 ac c9 c0 | Message ID: processing a informational | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #11 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=1->2 lastreplied=2 } | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in complete_v2_state_transition() at ikev2.c:2998) | #11 complete v2 state transition from PARENT_R2 to PARENT_R2 with status STF_OK | Message ID: updating counters for #11 after switching state | Message ID: 'ikev2-westnet-eastnet-x509-cr' IKE #11 PARENT_R2; message-request msgid=2; initiator { lastack=4294967295 nextuse=0 } responder { lastrecv=2 lastreplied=2 } "ikev2-westnet-eastnet-x509-cr" #11: STATE_PARENT_R2: received v2I2, PARENT SA established | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: stop state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | *received 65 bytes from 192.1.2.45:500 on eth1 (port=500) | f5 8e 4e a3 4a fc 73 01 a1 01 e3 82 98 f1 df 1e | 2e 20 25 08 00 00 00 03 00 00 00 41 2a 00 00 25 | e0 c9 82 da b5 81 b3 9d 66 77 06 ca d3 c1 d0 23 
| 32 0b 8c c6 06 3d 07 d9 68 56 ba 9b 7a 1e 00 5b | 98 | processing: start from 192.1.2.45:500 (in process_md() at demux.c:391) | **parse ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_v2SK (0x2e) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_IKE_INIT (0x8) | Message ID: 3 (0x3) | length: 65 (0x41) | processing version=2.0 packet with exchange type=ISAKMP_v2_INFORMATIONAL (37) | I am receiving an IKEv2 Request ISAKMP_v2_INFORMATIONAL | I am the IKE SA Original Responder | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | v2 IKE SA #11 found, in state STATE_PARENT_R2 | found state #11 | processing: start state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in ikev2_process_packet() at ikev2.c:1681) | processing: start connection "ikev2-westnet-eastnet-x509-cr" (BACKGROUND) (in ikev2_process_packet() at ikev2.c:1686) | #11 is idle | #11 idle | #11 st.st_msgid_lastrecv 2 md.hdr.isa_msgid 00000003 | #11 in state PARENT_R2: received v2I2, PARENT SA established | Unpacking clear payload for svm: R2: process INFORMATIONAL Request | Now let's proceed with payload (ISAKMP_NEXT_v2SK) | ***parse IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2D (0x2a) | flags: none (0x0) | length: 37 (0x25) | processing payload: ISAKMP_NEXT_v2SK (len=33) | #11 ikev2 ISAKMP_v2_INFORMATIONAL decrypt success | Now let's proceed with payload (ISAKMP_NEXT_v2D) | **parse IKEv2 Delete Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | length: 8 (0x8) | protocol ID: PROTO_v2_IKE (0x1) | SPI size: 0 (0x0) | number of SPIs: 0 (0x0) | processing payload: ISAKMP_NEXT_v2D (len=0) | selected state microcode R2: process INFORMATIONAL Request | Now let's proceed with state specific processing | 
calling processor R2: process INFORMATIONAL Request | an informational request should send a response | Received an INFORMATIONAL response, updating st_last_liveness, no pending_liveness | **emit ISAKMP Message: | initiator cookie: | f5 8e 4e a3 4a fc 73 01 | responder cookie: | a1 01 e3 82 98 f1 df 1e | next payload type: ISAKMP_NEXT_NONE (0x0) | ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20) | exchange type: ISAKMP_v2_INFORMATIONAL (0x25) | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20) | Message ID: 3 (0x3) | next payload chain: saving message location 'ISAKMP Message'.'next payload type' | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2NONE (0x0) | flags: none (0x0) | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current IKEv2 Encryption Payload (46:ISAKMP_NEXT_v2SK) | next payload chain: saving location 'IKEv2 Encryption Payload'.'next payload type' in 'information exchange reply packet' | emitting 8 zero bytes of IV into IKEv2 Encryption Payload | adding 1 bytes of padding (including 1 byte padding-length) | emitting 1 0x00 repeated bytes of padding and length into IKEv2 Encryption Payload | emitting 16 zero bytes of length of truncated HMAC/KEY into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 29 | emitting length of ISAKMP Message: 57 | sending 57 bytes for reply packet for process_encrypted_informational_ikev2 through eth1:500 to 192.1.2.45:500 (using #11) | f5 8e 4e a3 4a fc 73 01 a1 01 e3 82 98 f1 df 1e | 2e 20 25 20 00 00 00 03 00 00 00 39 00 00 00 1d | ee 4b c6 3f cb 8e 3f db 60 d1 19 04 e4 36 8f e3 | 6e 9c f1 1c 34 bb 15 61 48 | IKE SPIi:SPIr table: hash IKE SPIi f5 8e 4e a3 4a fc 73 01 SPIr a1 01 e3 82 98 f1 df 1e to 8970062994394852727 slot 0x55795bd1aae0 | parent state #11: PARENT_R2(established IKE SA) => IKESA_DEL(established IKE SA) | processing: [RE]START state #11 connection "ikev2-westnet-eastnet-x509-cr" 192.1.2.45:500 (in delete_state() at state.c:760) | 
serialno table: hash serialno #11 to head 0x55795bd21d80 "ikev2-westnet-eastnet-x509-cr" #11: deleting state (STATE_IKESA_DEL) aged 0.384s and NOT sending notification | parent state #11: IKESA_DEL(established IKE SA) => delete | state #11 requesting EVENT_SA_REPLACE to be deleted | free_event_entry: release EVENT_SA_REPLACE-pe@0x55795c5545c0 | serialno list: removing object 0x55795cbacdc0 (state #11) entry 0x55795cbad590 (older 0x55795bd2c860 newer 0x55795bd2c860) | serialno list: empty | serialno table: removing object 0x55795cbacdc0 (state #11) entry 0x55795cbad5b0 (older 0x55795bd21d80 newer 0x55795bd21d80) | serialno table: empty | in connection_discard for connection ikev2-westnet-eastnet-x509-cr | parent state #11: IKESA_DEL(established IKE SA) => UNDEFINED(ignore) | unreference key: 0x55795cbbae50 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 2-- | processing: stop state #11 192.1.2.45:500 (in delete_state() at state.c:972) | serialno table: hash serialno #11 to head 0x55795bd21d80 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in delete_state() at state.c:972) | Message ID: processing a informational | Message ID: current processor deleted the state nothing to update | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2998) | #0 complete v2 state transition from UNDEFINED md.from_state=PARENT_R2 svm.state=PARENT_R2 to PARENT_R2 with status STF_OK | STF_OK but no state object remains | processing: stop from 192.1.2.45:500 (BACKGROUND) (in process_md() at demux.c:393) | processing: STOP state #0 (in process_md() at demux.c:395) | serialno table: hash serialno #0 to head 0x55795bd21c20 | processing: resume connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:395) | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in process_md() at demux.c:396) | waitpid returned ECHILD (no child processes left) | 
accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:700) | serialno table: hash serialno #0 to head 0x55795bd21c20 | serialno table: hash serialno #0 to head 0x55795bd21c20 | close_any(fd@16) (in whack_process() at rcv_whack.c:680) | accept(whackctlfd, (struct sockaddr *)&whackaddr, &whackaddrlen) -> fd@16 (in whack_handle() at rcv_whack.c:700) shutting down | processing: RESET whack log_fd (was fd@16) (in exit_pluto() at plutomain.c:1813) | pluto_sd: executing action action: stopping(6), status 0 | certs and keys locked by 'free_preshared_secrets' forgetting secrets | certs and keys unlocked by 'free_preshared_secrets' | unreference key: 0x55795cbbae50 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbab50 user-west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbbb640 @west.testing.libreswan.org cnt 1-- | unreference key: 0x55795cbae3a0 west@testing.libreswan.org cnt 1-- | unreference key: 0x55795cbae5e0 192.1.2.45 cnt 1-- | unreference key: 0x55795cba5410 C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55795cba5100 user-east@testing.libreswan.org cnt 1-- | unreference key: 0x55795cba4d20 @east.testing.libreswan.org cnt 1-- | unreference key: 0x55795cba1030 east@testing.libreswan.org cnt 1-- | unreference key: 0x55795cb9db80 192.1.2.23 cnt 1-- | processing: start connection "ikev2-westnet-eastnet-x509-cr" (in delete_connection() at connections.c:264) "ikev2-westnet-eastnet-x509-cr": deleting non-instance connection | Deleting states for connection - including all other IPsec SA's of this IKE SA | pass 0 | pass 1 | shunt_eroute() called for connection 'ikev2-westnet-eastnet-x509-cr' to 'delete' for rt_kind 'unrouted' using protoports 0--0->-0 | netlink_shunt_eroute for proto 0, and 
source port 0 dest port 0 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | priority calculation of connection "ikev2-westnet-eastnet-x509-cr" is 0xfe7e7 | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 vs | conn ikev2-westnet-eastnet-x509-cr mark 0/00000000, 0/00000000 | route owner of "ikev2-westnet-eastnet-x509-cr" unrouted: NULL | running updown command "ipsec _updown" for verb unroute | command executing unroute-client | executing unroute-client: PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' PLUTO_CONN_KIND='CK_PERMANENT' | popen cmd is 1314 chars long | cmd( 0):PLUTO_VERB='unroute-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='ikev2-westnet-: | cmd( 80):eastnet-x509-cr' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='19: | cmd( 160):2.1.2.23' PLUTO_MY_ID='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Departm: | cmd( 240):ent, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' PLUTO_MY_: | cmd( 320):CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.: | cmd( 
400):255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16388' PLUTO_: | cmd( 480):SA_TYPE='none' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='C=CA, ST=Ontario, L=Toront: | cmd( 560):o, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@t: | cmd( 640):esting.libreswan.org' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='19: | cmd( 720):2.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_P: | cmd( 800):ROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_ADDTIME='0' PLUTO_CONN_P: | cmd( 880):OLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' : | cmd( 960):PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO: | cmd(1040):_MY_SOURCEIP='192.0.2.254' PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_: | cmd(1120):PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT=': | cmd(1200):0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' VTI_ROUTING='no' VTI_SHARED='no' SPI_IN=: | cmd(1280):0x0 SPI_OUT=0x0 ipsec _updown 2>&1: | processing: stop connection "ikev2-westnet-eastnet-x509-cr" (in delete_connection() at connections.c:314) | crl fetch request list locked by 'free_crl_fetch' | crl fetch request list unlocked by 'free_crl_fetch' shutting down interface lo/lo 127.0.0.1:4500 shutting down interface lo/lo 127.0.0.1:500 shutting down interface eth0/eth0 192.0.2.254:4500 shutting down interface eth0/eth0 192.0.2.254:500 shutting down interface eth1/eth1 192.1.2.23:4500 shutting down interface eth1/eth1 192.1.2.23:500 shutting down interface eth2/eth2 192.9.2.23:4500 shutting down interface eth2/eth2 192.9.2.23:500 | free_event_entry: release EVENT_NULL-pe@0x55795c68cd90 | free_event_entry: release EVENT_NULL-pe@0x55795c65e130 | free_event_entry: release EVENT_NULL-pe@0x55795c68c790 | free_event_entry: release EVENT_NULL-pe@0x55795c65cf70 | free_event_entry: release EVENT_NULL-pe@0x55795c68cb90 | free_event_entry: release 
EVENT_NULL-pe@0x55795c8d8860 | free_event_entry: release EVENT_NULL-pe@0x55795c8c1fa0 | free_event_entry: release EVENT_NULL-pe@0x55795c68c590 | free_event_entry: release EVENT_NULL-pe@0x55795c68df60 | free_event_entry: release EVENT_NULL-pe@0x55795c66c750 | free_event_entry: release EVENT_NULL-pe@0x55795c68e390 | free_event_entry: release EVENT_NULL-pe@0x55795c66d1e0 | free_event_entry: release EVENT_NULL-pe@0x55795c68e660 | free_event_entry: release EVENT_NULL-pe@0x55795c68e890 | free_event_entry: release EVENT_NULL-pe@0x55795c999e50 | free_event_entry: release EVENT_SHUNT_SCAN-pe@0x55795c9a8610 | free_event_entry: release EVENT_PENDING_PHASE2-pe@0x55795cb87cb0 | free_event_entry: release EVENT_PENDING_DDNS-pe@0x55795cb86380 | free_event_entry: release EVENT_REINIT_SECRET-pe@0x55795ca65560