[Openswan dev] no available worker thread an issue in Feb 2nd drop
Steve Lanser
slanser at tallmaple.com
Wed Feb 15 11:45:05 EST 2012
Hi Paul,
This issue is repro'ing once again this morning, consistently every
time pluto is restarted by our process manager (which has a backoff
algorithm).
While it was down, I changed the main config file and added:
dumpdir=/var/run/pluto/
plutostderrlog=/tmp/pluto.log
So I got the error log, which I've attached, and I don't have full symbols,
and no line numbers (not sure why), but at least we know what function it
was in, and that it's related to IKEv2 state handling:
[admin at tb7 ~]# gdb --core /var/run/pluto/core.16864
/usr/libexec/ipsec/pluto
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/libexec/ipsec/pluto...(no debugging symbols
found)...done.
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols
found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/libgmp.so.3...(no debugging symbols
found)...done.
Loaded symbols for /usr/lib64/libgmp.so.3
Reading symbols from /lib64/libc.so.6...(no debugging symbols
found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols
found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
warning: no loadable sections found in added symbol-file system-supplied
DSO at 0x7fff83173000
Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile
/etc/ipsec.secrets --ipsecdir /'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000432b08 in complete_v2_state_transition ()
(gdb) bt
#0 0x0000000000432b08 in complete_v2_state_transition ()
#1 0x00000000004319d0 in process_v2_packet ()
#2 0x000000000044d5de in process_packet ()
#3 0x000000000044d64c in comm_handle ()
#4 0x000000000041b00f in call_server ()
#5 0x0000000000418265 in main ()
(gdb) bt full
#0 0x0000000000432b08 in complete_v2_state_transition ()
No symbol table info available.
#1 0x00000000004319d0 in process_v2_packet ()
No symbol table info available.
#2 0x000000000044d5de in process_packet ()
No symbol table info available.
#3 0x000000000044d64c in comm_handle ()
No symbol table info available.
#4 0x000000000041b00f in call_server ()
No symbol table info available.
#5 0x0000000000418265 in main ()
No symbol table info available.
(gdb)
On Mon, Feb 13, 2012 at 09:08:19PM -0500, Paul Wouters wrote:
> On Mon, 13 Feb 2012, Steve Lanser wrote:
>
> >Looks like I'm getting segfaults over this in the 2nd case:
> >
> >Feb 13 15:19:18 tb7 pluto[17495]: "10.3.0.121-to-10.3.0.113" #12:
> >STATE_PARENT_R2: received v2I2, PARENT SA established transport mode
> >{ESP=>0x7dc0a36f <0xe4c06d7f xfrm=3DES_192-HMAC_SHA1 NATOA=none NATD=none
> >DPD=none}
> >Feb 13 15:19:28 tb7 pluto[17495]: "10.3.0.121-to-10.3.0.113" #13:
> >transition from state STATE_IKEv2_START to state STATE_PARENT_R1
> >Feb 13 15:19:28 tb7 pluto[17495]: "10.3.0.121-to-10.3.0.113" #13:
> >STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2
> >cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp1024}
> >Feb 13 15:19:28 tb7 pluto[17495]: "10.3.0.121-to-10.3.0.113" #16: can not
> >start crypto helper: failed to find any available worker
> >Feb 13 15:19:28 tb7 pluto[17495]: "10.3.0.121-to-10.3.0.113" #16: system
> >too busy
>
> That's odd. This is not some embedded low power cpu device?
>
> >Feb 13 15:19:28 tb7 kernel: pluto[17495]: segfault at 0000000000000030 rip
> >0000000000432b08 rsp 00007fffed9c4fb0 error 6
>
> set dumpdir= and get a "bt full" using gdb on the core to give us more
> information please. Use a new bug since the bug you referenced that
> we closed was for openswan 2.4.x.
>
> Paul
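As an added example (not part of the original post and not Openswan code), this Python sketch decodes the kernel segfault line quoted above and checks it against the gdb backtrace from the core. It shows that the Feb 13 `rip` is the same address as frame #0 of the Feb 15 core, and that the fault was a user-mode write to an unmapped address in the first page. The function names, the 4096-byte page size and the "first page means NULL plus offset" heuristic are assumptions of this example, as is the premise that both crashes came from the same pluto binary.

```python
import re

# Copied from the post: the kernel message (rejoined from the quoted reply,
# pid 17495) and the frames gdb printed for core.16864.
KERNEL_LINE = (
    "Feb 13 15:19:28 tb7 kernel: pluto[17495]: segfault at 0000000000000030 rip "
    "0000000000432b08 rsp 00007fffed9c4fb0 error 6"
)
GDB_BT = """\
#0 0x0000000000432b08 in complete_v2_state_transition ()
#1 0x00000000004319d0 in process_v2_packet ()
#2 0x000000000044d5de in process_packet ()
#3 0x000000000044d64c in comm_handle ()
#4 0x000000000041b00f in call_server ()
#5 0x0000000000418265 in main ()
"""

# Accepts both the older "rip/rsp" wording seen here and the newer "ip/sp" one.
SEGV_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"r?ip (?P<ip>[0-9a-f]+) r?sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
)
FRAME_RE = re.compile(r"^#(?P<n>\d+)\s+0x(?P<pc>[0-9a-f]+) in (?P<func>\S+) \(", re.M)


def parse_segfault(line):
    """Return the fields of a kernel 'segfault at' line, or None if absent."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    return {
        "comm": m["comm"],
        "pid": int(m["pid"]),
        "fault_addr": int(m["addr"], 16),
        "ip": int(m["ip"], 16),
        "sp": int(m["sp"], 16),
        "error": int(m["err"], 16),  # the kernel prints this field in hex
    }


def decode_pf_error(code):
    """Decode the low three bits of the x86 page-fault error code."""
    return {
        "protection_violation": bool(code & 0x1),  # 0 means page not present
        "write": bool(code & 0x2),                 # 0 means read
        "user_mode": bool(code & 0x4),             # 0 means kernel mode
    }


def parse_backtrace(text):
    """Return gdb 'bt' frames as dicts, innermost frame first."""
    return [
        {"n": int(m["n"]), "pc": int(m["pc"], 16), "func": m["func"]}
        for m in FRAME_RE.finditer(text)
    ]


def triage(kernel_line, bt_text, page_size=4096):
    """Correlate a kernel segfault line with a gdb backtrace."""
    seg = parse_segfault(kernel_line)
    frames = parse_backtrace(bt_text)
    if seg is None or not frames:
        raise ValueError("need one segfault line and at least one gdb frame")
    flags = decode_pf_error(seg["error"])
    top = frames[0]
    return {
        "function": top["func"],
        # Same faulting instruction in the log line and in the core.
        "same_crash_site": top["pc"] == seg["ip"],
        "access": "write" if flags["write"] else "read",
        "user_mode": flags["user_mode"],
        "offset": seg["fault_addr"],
        # Heuristic: an unmapped address inside the first page usually means
        # a struct field accessed through a NULL pointer.
        "likely_null_deref": (not flags["protection_violation"])
        and seg["fault_addr"] < page_size,
    }


if __name__ == "__main__":
    for key, value in triage(KERNEL_LINE, GDB_BT).items():
        print(f"{key}: {value}")
```

With symbols unavailable, the offset (0x30) and the access type narrow the search to stores through a pointer inside `complete_v2_state_transition`, which is what a debug build or `disassemble` at that address would then confirm.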
-------------- next part --------------
[admin at tb7 ~]# gdb --core /var/run/pluto/core.16864 /usr/libexec/ipsec/pluto
GNU gdb (GDB) Red Hat Enterprise Linux (7.0.1-23.el5_5.2)
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/libexec/ipsec/pluto...(no debugging symbols found)...done.
Reading symbols from /lib64/libcrypt.so.1...(no debugging symbols found)...done.
Loaded symbols for /lib64/libcrypt.so.1
Reading symbols from /usr/lib64/libgmp.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib64/libgmp.so.3
Reading symbols from /lib64/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib64/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7fff83173000
Core was generated by `/usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /'.
Program terminated with signal 11, Segmentation fault.
#0 0x0000000000432b08 in complete_v2_state_transition ()
(gdb) bt
#0 0x0000000000432b08 in complete_v2_state_transition ()
#1 0x00000000004319d0 in process_v2_packet ()
#2 0x000000000044d5de in process_packet ()
#3 0x000000000044d64c in comm_handle ()
#4 0x000000000041b00f in call_server ()
#5 0x0000000000418265 in main ()
(gdb) bt full
#0 0x0000000000432b08 in complete_v2_state_transition ()
No symbol table info available.
#1 0x00000000004319d0 in process_v2_packet ()
No symbol table info available.
#2 0x000000000044d5de in process_packet ()
No symbol table info available.
#3 0x000000000044d64c in comm_handle ()
No symbol table info available.
#4 0x000000000041b00f in call_server ()
No symbol table info available.
#5 0x0000000000418265 in main ()
No symbol table info available.
(gdb) li
No symbol table is loaded. Use the "file" command.
(gdb)
-------------- next part --------------
Plutorun started on Wed Feb 15 08:09:01 PST 2012
adjusting ipsec.d to /etc/ipsec.d
Starting Pluto (Openswan Version 2.6.master-201205.git-g11dd7970-dirty; Vendor ID OEQ`OTpRW^\134K) pid:16864
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [disabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
| opening /dev/urandom
using /dev/urandom as source of random entropy
| inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
| event added at head of queue
| inserting event EVENT_PENDING_DDNS, timeout in 60 seconds
| event added at head of queue
| inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds
| event added after event EVENT_PENDING_DDNS
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
| opening /dev/urandom
using /dev/urandom as source of random entropy
started helper pid=16867 (fd:4)
Using Linux 2.6 IPsec interface code on 2.6.18-274.7.1.el5TMSEXAMPLEuni (experimental code)
| process 16864 listening for PF_KEY_V2 on file descriptor 8
| finish_pfkey_msg: K_SADB_REGISTER message 1 for AH
| 02 07 00 02 02 00 00 00 01 00 00 00 e0 41 00 00
| pfkey_get: K_SADB_REGISTER message 1
| AH registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP
| 02 07 00 03 02 00 00 00 02 00 00 00 e0 41 00 00
! helper 0 waiting on fd: 6
| pfkey_get: K_SADB_REGISTER message 0
| pfkey_get: ignoring PF_KEY K_SADB_FLUSH message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_UNPLUMBIF message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: K_SADB_REGISTER message 2
| alg_init():memset(0x70d000, 0, 2016) memset(0x70d7e0, 0, 2048)
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19 sadb_supported_len=56
| kernel_alg_add():satype=3, exttype=14, alg_id=251
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=5
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=8
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1
| kernel_alg_add():satype=3, exttype=14, alg_id=9
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=19 sadb_supported_len=80
| kernel_alg_add():satype=3, exttype=15, alg_id=11
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=2
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=3
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=6
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=7
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=12
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=252
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=253
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=13
| kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1
| kernel_alg_add():satype=3, exttype=15, alg_id=18
| kernel_alg_add():satype=3, exttype=15, alg_id=19
| kernel_alg_add():satype=3, exttype=15, alg_id=20
| kernel_alg_add():satype=3, exttype=15, alg_id=14
| kernel_alg_add():satype=3, exttype=15, alg_id=15
| kernel_alg_add():satype=3, exttype=15, alg_id=16
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
| ESP registered with kernel.
| finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP
| 02 07 00 09 02 00 00 00 03 00 00 00 e0 41 00 00
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: ignoring PF_KEY K_SADB_X_ADDFLOW message 0 for process 16869
| pfkey_get: K_SADB_REGISTER message 3
| IPCOMP registered with kernel.
Changed path to directory '/etc/ipsec.d/cacerts'
Changed path to directory '/etc/ipsec.d/aacerts'
Changed path to directory '/etc/ipsec.d/ocspcerts'
Changing to directory '/etc/ipsec.d/crls'
| inserting event EVENT_LOG_DAILY, timeout in 57059 seconds
| event added after event EVENT_REINIT_SECRET
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection 10.2.0.27-to-10.2.0.29 with policy PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for 10.2.0.27 is 0
| counting wild cards for 10.2.0.29 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "10.2.0.27-to-10.2.0.29"
| 10.2.0.27<10.2.0.27>[+S=C]...10.2.0.29<10.2.0.29>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection 10.2.0.27-to-10.2.0.31 with policy PSK+ENCRYPT+PFS+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for 10.2.0.27 is 0
| counting wild cards for 10.2.0.31 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "10.2.0.27-to-10.2.0.31"
| 10.2.0.27<10.2.0.27>[+S=C]...10.2.0.31<10.2.0.31>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+PFS+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection 10.3.0.121-to-10.3.0.113 with policy PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for 10.3.0.121 is 0
| counting wild cards for 10.3.0.113 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "10.3.0.121-to-10.3.0.113"
| 10.3.0.121<10.3.0.121>[+S=C]...10.3.0.113<10.3.0.113>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd with policy PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for fdaa:13:cc00:2:214:22ff:feb1:1679 is 0
| counting wild cards for fdaa:13:cc00:2:214:22ff:fe09:6ffd is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd"
| fdaa:13:cc00:2:214:22ff:feb1:1679<fdaa:13:cc00:2:214:22ff:feb1:1679>[+S=C]...fdaa:13:cc00:2:214:22ff:fe09:6ffd<fdaa:13:cc00:2:214:22ff:fe09:6ffd>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2 with policy PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for fdaa:13:cc00:2:214:22ff:feb1:1679 is 0
| counting wild cards for fdaa:13:cc00:2:219:dbff:fe42:14a2 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2"
| fdaa:13:cc00:2:214:22ff:feb1:1679<fdaa:13:cc00:2:214:22ff:feb1:1679>[+S=C]...fdaa:13:cc00:2:219:dbff:fe42:14a2<fdaa:13:cc00:2:219:dbff:fe42:14a2>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d18a0, "OAKLEY_3DES")
| enum_search_ppfixi () calling enum_search(0x4d18a0, "OAKLEY_3DES_CBC")
| parser_alg_info_add() ealg_getbyname("3des")=5
| enum_search_prefix () calling enum_search(0x4d19a0, "OAKLEY_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| parser_alg_info_add() modp_getbyname("modp1024")=2
| __alg_info_ike_add() ealg=5 aalg=2 modp_id=2, cnt=1
| Added new connection fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3 with policy PSK+ENCRYPT+PFS+SAREFTRACK
| from whack: got --esp=3des-sha1;modp1024
| enum_search_prefix () calling enum_search(0x4d1ee0, "OAKLEY_GROUP_MODP1024")
| alg_info_parse_str() ealg_buf=3des aalg_buf=sha1eklen=0 aklen=0
| enum_search_prefix () calling enum_search(0x4d03c0, "ESP_3DES")
| parser_alg_info_add() ealg_getbyname("3des")=3
| enum_search_prefix () calling enum_search(0x4d1120, "AUTH_ALGORITHM_HMAC_SHA1")
| parser_alg_info_add() aalg_getbyname("sha1")=2
| __alg_info_esp_add() ealg=3 aalg=2 cnt=1
| esp string values: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
| ike (phase1) algorihtm values: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
| counting wild cards for fdaa:13:cc00:3:214:22ff:feb1:167a is 0
| counting wild cards for fdaa:13:cc00:3:219:dbff:fe42:14a3 is 0
| alg_info_addref() alg_info->ref_cnt=1
| alg_info_addref() alg_info->ref_cnt=1
added connection description "fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3"
| fdaa:13:cc00:3:214:22ff:feb1:167a<fdaa:13:cc00:3:214:22ff:feb1:167a>[+S=C]...fdaa:13:cc00:3:219:dbff:fe42:14a3<fdaa:13:cc00:3:219:dbff:fe42:14a3>[+S=C]
| ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+PFS+SAREFTRACK
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
listening for IKE messages
| found ether1 with address 10.2.0.27
| found ether2 with address 10.3.0.121
| found lo with address 127.0.0.1
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface lo/lo 127.0.0.1:4500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface ether2/ether2 10.3.0.121:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface ether2/ether2 10.3.0.121:4500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(1) setup succeeded for new style NAT-T family IPv4
adding interface ether1/ether1 10.2.0.27:500
| NAT-Traversal: Trying new style NAT-T
| NAT-Traversal: ESPINUDP(2) setup failed for new style NAT-T family IPv4 (errno=19)
| NAT-Traversal: Trying old style NAT-T
| NAT-Traversal: ESPINUDP(2) setup succeeded for new style NAT-T family IPv4
adding interface ether1/ether1 10.2.0.27:4500
| found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
| found ether1 with address fdaa:0013:cc00:0002:0214:22ff:feb1:1679
| found ether2 with address fdaa:0013:cc00:0003:0214:22ff:feb1:167a
| found ether2 with address 8675:0309:0000:0000:0214:22ff:feb1:167a
adding interface ether2/ether2 8675:309::214:22ff:feb1:167a:500
adding interface ether2/ether2 fdaa:13:cc00:3:214:22ff:feb1:167a:500
adding interface ether1/ether1 fdaa:13:cc00:2:214:22ff:feb1:1679:500
adding interface lo/lo ::1:500
| connect_to_host_pair: fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500 -> hp:none
| find_host_pair: comparing to fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500
| connect_to_host_pair: fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500 -> hp:none
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair: comparing to fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500
| connect_to_host_pair: fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:214:22ff:fe09:6ffd:500 -> hp:none
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:214:22ff:fe09:6ffd:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair: comparing to fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500
| connect_to_host_pair: 10.3.0.121:500 10.3.0.113:500 -> hp:none
| find_host_pair: comparing to 10.3.0.121:500 10.3.0.113:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:214:22ff:fe09:6ffd:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair: comparing to fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500
| connect_to_host_pair: 10.2.0.27:500 10.2.0.31:500 -> hp:none
| find_host_pair: comparing to 10.2.0.27:500 10.2.0.31:500
| find_host_pair: comparing to 10.3.0.121:500 10.3.0.113:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:214:22ff:fe09:6ffd:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair: comparing to fdaa:13:cc00:3:214:22ff:feb1:167a:500 fdaa:13:cc00:3:219:dbff:fe42:14a3:500
| connect_to_host_pair: 10.2.0.27:500 10.2.0.29:500 -> hp:none
loading secrets from "/etc/ipsec.secrets"
loading secrets from "/etc/ipsec.d/ipsec.secrets"
| id type added to secret(0x1b2e3610) PPK_PSK: 10.2.0.27
| id type added to secret(0x1b2e3610) PPK_PSK: 10.2.0.29
| Processing PSK at line 9: passed
| id type added to secret(0x1b2e4580) PPK_PSK: 10.2.0.27
| id type added to secret(0x1b2e4580) PPK_PSK: 10.2.0.31
| Processing PSK at line 11: passed
| id type added to secret(0x1b2e46c0) PPK_PSK: 10.3.0.121
| id type added to secret(0x1b2e46c0) PPK_PSK: 10.3.0.113
| Processing PSK at line 13: passed
| id type added to secret(0x1b2e4820) PPK_PSK: fdaa:13:cc00:2:214:22ff:feb1:1679
| id type added to secret(0x1b2e4820) PPK_PSK: fdaa:13:cc00:2:214:22ff:fe09:6ffd
| Processing PSK at line 15: passed
| id type added to secret(0x1b2e4980) PPK_PSK: fdaa:13:cc00:2:214:22ff:feb1:1679
| id type added to secret(0x1b2e4980) PPK_PSK: fdaa:13:cc00:2:219:dbff:fe42:14a2
| Processing PSK at line 17: passed
| id type added to secret(0x1b2e4ae0) PPK_PSK: fdaa:13:cc00:3:214:22ff:feb1:167a
| id type added to secret(0x1b2e4ae0) PPK_PSK: fdaa:13:cc00:3:219:dbff:fe42:14a3
| Processing PSK at line 17: passed
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| processing connection 10.2.0.27-to-10.2.0.29
| route owner of "10.2.0.27-to-10.2.0.29" unrouted: NULL; eroute owner: NULL
| could_route called for 10.2.0.27-to-10.2.0.29 (kind=CK_PERMANENT)
| route owner of "10.2.0.27-to-10.2.0.29" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: 10.2.0.27-to-10.2.0.29 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host
| executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT='10.2.0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 791 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-t:
| cmd( 80):o-10.2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.:
| cmd( 160):0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET:
| cmd( 240):='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_P:
| cmd( 320):ROTOCOL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT=':
| cmd( 400):10.2.0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.:
| cmd( 480):255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STAC:
| cmd( 560):K='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK' PLUTO_CONN_AD:
| cmd( 640):DRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DO:
| cmd( 720):MAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| command executing route-host
| executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT='10.2.0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 789 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-:
| cmd( 80):10.2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.0.:
| cmd( 160):27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET=':
| cmd( 240):10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PRO:
| cmd( 320):TOCOL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT='10:
| cmd( 400):.2.0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.25:
| cmd( 480):5.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=:
| cmd( 560):'netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+SAREFTRACK' PLUTO_CONN_ADDR:
| cmd( 640):FAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMA:
| cmd( 720):IN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| processing connection 10.2.0.27-to-10.2.0.31
| route owner of "10.2.0.27-to-10.2.0.31" unrouted: NULL; eroute owner: NULL
| could_route called for 10.2.0.27-to-10.2.0.31 (kind=CK_PERMANENT)
| route owner of "10.2.0.27-to-10.2.0.31" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: 10.2.0.27-to-10.2.0.31 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host
| executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT='10.2.0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 784 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-t:
| cmd( 80):o-10.2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.:
| cmd( 160):0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET:
| cmd( 240):='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_P:
| cmd( 320):ROTOCOL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT=':
| cmd( 400):10.2.0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.:
| cmd( 480):255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STAC:
| cmd( 560):K='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMIL:
| cmd( 640):Y='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_IN:
| cmd( 720):FO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| command executing route-host
| executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT='10.2.0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 782 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-:
| cmd( 80):10.2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.0.:
| cmd( 160):27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET=':
| cmd( 240):10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PRO:
| cmd( 320):TOCOL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT='10:
| cmd( 400):.2.0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.25:
| cmd( 480):5.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=:
| cmd( 560):'netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY=:
| cmd( 640):'ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO:
| cmd( 720):='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| processing connection 10.3.0.121-to-10.3.0.113
| route owner of "10.3.0.121-to-10.3.0.113" unrouted: NULL; eroute owner: NULL
| could_route called for 10.3.0.121-to-10.3.0.113 (kind=CK_PERMANENT)
| route owner of "10.3.0.121-to-10.3.0.113" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: 10.3.0.121-to-10.3.0.113 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host
| executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.3.0.121-to-10.3.0.113' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='10.3.0.113' PLUTO_ME='10.3.0.121' PLUTO_MY_ID='10.3.0.121' PLUTO_MY_CLIENT='10.3.0.121/32' PLUTO_MY_CLIENT_NET='10.3.0.121' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.3.0.113' PLUTO_PEER_ID='10.3.0.113' PLUTO_PEER_CLIENT='10.3.0.113/32' PLUTO_PEER_CLIENT_NET='10.3.0.113' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 823 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.3.0.121-:
| cmd( 80):to-10.3.0.113' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='10.3.0.113' PLUTO_ME='10:
| cmd( 160):.3.0.121' PLUTO_MY_ID='10.3.0.121' PLUTO_MY_CLIENT='10.3.0.121/32' PLUTO_MY_CLIE:
| cmd( 240):NT_NET='10.3.0.121' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLU:
| cmd( 320):TO_MY_PROTOCOL='0' PLUTO_PEER='10.3.0.113' PLUTO_PEER_ID='10.3.0.113' PLUTO_PEER:
| cmd( 400):_CLIENT='10.3.0.113/32' PLUTO_PEER_CLIENT_NET='10.3.0.113' PLUTO_PEER_CLIENT_MAS:
| cmd( 480):K='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='':
| cmd( 560): PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKE:
| cmd( 640):v2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_:
| cmd( 720):CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFI:
| cmd( 800):GURED='0' ipsec _updown:
| command executing route-host
| executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.3.0.121-to-10.3.0.113' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='10.3.0.113' PLUTO_ME='10.3.0.121' PLUTO_MY_ID='10.3.0.121' PLUTO_MY_CLIENT='10.3.0.121/32' PLUTO_MY_CLIENT_NET='10.3.0.121' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.3.0.113' PLUTO_PEER_ID='10.3.0.113' PLUTO_PEER_CLIENT='10.3.0.113/32' PLUTO_PEER_CLIENT_NET='10.3.0.113' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 821 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.3.0.121-to:
| cmd( 80):-10.3.0.113' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='10.3.0.113' PLUTO_ME='10.3:
| cmd( 160):.0.121' PLUTO_MY_ID='10.3.0.121' PLUTO_MY_CLIENT='10.3.0.121/32' PLUTO_MY_CLIENT:
| cmd( 240):_NET='10.3.0.121' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO:
| cmd( 320):_MY_PROTOCOL='0' PLUTO_PEER='10.3.0.113' PLUTO_PEER_ID='10.3.0.113' PLUTO_PEER_C:
| cmd( 400):LIENT='10.3.0.113/32' PLUTO_PEER_CLIENT_NET='10.3.0.113' PLUTO_PEER_CLIENT_MASK=:
| cmd( 480):'255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' P:
| cmd( 560):LUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2:
| cmd( 640):Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_IS_PEER_CISCO='0' PLUTO_CI:
| cmd( 720):SCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGU:
| cmd( 800):RED='0' ipsec _updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 60 seconds
| next event EVENT_PENDING_DDNS in 60 seconds
|
| *received whack message
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd
| route owner of "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd" unrouted: NULL; eroute owner: NULL
| could_route called for fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd (kind=CK_PERMANENT)
| route owner of "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host-v6
| executing prepare-host-v6: 2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_ME='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_ID='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT='fdaa:13:cc00:2:214:22ff:fe09:6ffd/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6'
| popen(): cmd is 1129 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13::
| cmd( 80):cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_INTERFACE=:
| cmd( 160):'ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_ME='fdaa:13:cc:
| cmd( 240):00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_M:
| cmd( 320):Y_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc:
| cmd( 400):00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:fff:
| cmd( 480):f:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:214:2:
| cmd( 560):2ff:fe09:6ffd' PLUTO_PEER_ID='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIE:
| cmd( 640):NT='fdaa:13:cc00:2:214:22ff:fe09:6ffd/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:
| cmd( 720)::214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 800):ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=':
| cmd( 880):netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTR:
| cmd( 960):ACK' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO:
| cmd(1040):='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipse:
| cmd(1120):c _updown:
| command executing route-host-v6
| executing route-host-v6: 2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_ME='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_ID='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT='fdaa:13:cc00:2:214:22ff:fe09:6ffd/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6' P
| popen(): cmd is 1127 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc:
| cmd( 80):00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_INTERFACE='e:
| cmd( 160):ther1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_ME='fdaa:13:cc00:
| cmd( 240)::2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_:
| cmd( 320):CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:
| cmd( 400)::2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 480):ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:214:22f:
| cmd( 560):f:fe09:6ffd' PLUTO_PEER_ID='fdaa:13:cc00:2:214:22ff:fe09:6ffd' PLUTO_PEER_CLIENT:
| cmd( 640):='fdaa:13:cc00:2:214:22ff:fe09:6ffd/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:2:
| cmd( 720):14:22ff:fe09:6ffd' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff:
| cmd( 800):ff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='ne:
| cmd( 880):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRAC:
| cmd( 960):K' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO=':
| cmd(1040):' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec :
| cmd(1120):_updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
|
| *received whack message
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| route owner of "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" unrouted: NULL; eroute owner: NULL
| could_route called for fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2 (kind=CK_PERMANENT)
| route owner of "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host-v6
| executing prepare-host-v6: 2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_ME='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_ID='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIENT='fdaa:13:cc00:2:219:dbff:fe42:14a2/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6'
| popen(): cmd is 1129 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13::
| cmd( 80):cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_INTERFACE=:
| cmd( 160):'ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_ME='fdaa:13:cc:
| cmd( 240):00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_M:
| cmd( 320):Y_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc:
| cmd( 400):00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:fff:
| cmd( 480):f:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:219:d:
| cmd( 560):bff:fe42:14a2' PLUTO_PEER_ID='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIE:
| cmd( 640):NT='fdaa:13:cc00:2:219:dbff:fe42:14a2/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:
| cmd( 720)::219:dbff:fe42:14a2' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 800):ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=':
| cmd( 880):netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTR:
| cmd( 960):ACK' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO:
| cmd(1040):='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipse:
| cmd(1120):c _updown:
| command executing route-host-v6
| executing route-host-v6: 2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_ME='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_ID='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIENT='fdaa:13:cc00:2:219:dbff:fe42:14a2/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6' P
| popen(): cmd is 1127 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc:
| cmd( 80):00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_INTERFACE='e:
| cmd( 160):ther1' PLUTO_NEXT_HOP='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_ME='fdaa:13:cc00:
| cmd( 240)::2:214:22ff:feb1:1679' PLUTO_MY_ID='fdaa:13:cc00:2:214:22ff:feb1:1679' PLUTO_MY_:
| cmd( 320):CLIENT='fdaa:13:cc00:2:214:22ff:feb1:1679/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:
| cmd( 400)::2:214:22ff:feb1:1679' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 480):ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:2:219:dbf:
| cmd( 560):f:fe42:14a2' PLUTO_PEER_ID='fdaa:13:cc00:2:219:dbff:fe42:14a2' PLUTO_PEER_CLIENT:
| cmd( 640):='fdaa:13:cc00:2:219:dbff:fe42:14a2/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:2:2:
| cmd( 720):19:dbff:fe42:14a2' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff:
| cmd( 800):ff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='ne:
| cmd( 880):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRAC:
| cmd( 960):K' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO=':
| cmd(1040):' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec :
| cmd(1120):_updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
|
| *received 244 bytes from fdaa:13:cc00:2:219:dbff:fe42:14a2:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 44 1d 3f e7 54 2f 4b ca
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 244
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 11
| v2 state object not found
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 11
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 136
| transform type: 2
| processing payload: ISAKMP_NEXT_v2KE (len=136)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=fdaa:13:cc00:2:214:22ff:feb1:1679:500 him=fdaa:13:cc00:2:219:dbff:fe42:14a2:500 policy=IKEv2ALLOW
| find_host_pair: comparing to 10.2.0.27:500 10.2.0.29:500
| find_host_pair: comparing to 10.2.0.27:500 10.2.0.31:500
| find_host_pair: comparing to 10.3.0.121:500 10.3.0.113:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:214:22ff:fe09:6ffd:500
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair_conn (find_host_connection2): fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500 -> hp:fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| searching for connection with policy = IKEv2ALLOW
| found policy = PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK (fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2)
| find_host_connection2 returns fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| found connection: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| creating state object #1 at 0x1b2e59f0
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 11
| inserting state object #1 on chain 11
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1
| event added at head of queue
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| will not send/process a dcookie
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 1 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| complete v2 state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing build_kenonce op id: 1
! Local DH secret:
! eb fc 1c 74 41 85 93 d3 21 78 88 88 19 18 d4 ba
! 1b 1b a2 e1 ac 1a 4a c0 87 4d b3 d9 9a 29 de dc
! Public DH value sent:
! Generated nonce:
! 14 64 a4 cb 3d aa 72 a1 f9 34 d7 a9 67 21 94 7f
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#1
| calling callback function 0x4342cb
| ikev2 parent inI1outR1: calculated ke+nonce, sending R1
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| **emit ISAKMP Message:
| initiator cookie:
| 44 1d 3f e7 54 2f 4b ca
| responder cookie:
| 06 33 5b 1f 7b 81 21 17
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_RESPONSE
| message ID: 00 00 00 00
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| ****parse IKEv2 Proposal Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| prop #: 1
| proto ID: 1
| spi size: 0
| # transforms: 4
| *****parse IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| length: 8
| transform type: 1
| transform ID: 3
| *****parse IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| length: 8
| transform type: 3
| transform ID: 2
| *****parse IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| length: 8
| transform type: 2
| transform ID: 2
| *****parse IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 8
| transform type: 4
| transform ID: 2
| ****emit IKEv2 Proposal Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| prop #: 1
| proto ID: 1
| spi size: 0
| # transforms: 4
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 1
| transform ID: 3
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 3
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 2
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| transform type: 4
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 40
| emitting length of IKEv2 Security Association Payload: 44
| DH public value received:
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| transform type: 2
| emitting 128 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 136
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce 14 64 a4 cb 3d aa 72 a1 f9 34 d7 a9 67 21 94 7f
| emitting length of IKEv2 Nonce Payload: 20
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 51 60 4f 54 70 52 57 5e 5c 4b
| emitting length of ISAKMP Vendor ID Payload: 16
| emitting length of ISAKMP Message: 244
| complete v2 state transition with STF_OK
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: transition from state STATE_IKEv2_START to state STATE_PARENT_R1
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=oakley_3des_cbc_192 integ=sha1_96 prf=oakley_sha group=modp1024}
| sending reply packet to fdaa:13:cc00:2:219:dbff:fe42:14a2:500 (from port 500)
| sending 244 bytes for STATE_IKEv2_START through ether1:500 to fdaa:13:cc00:2:219:dbff:fe42:14a2:500 (using #1)
| * processed 1 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
|
| *received whack message
| processing connection fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3
| route owner of "fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3" unrouted: NULL; eroute owner: NULL
| could_route called for fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3 (kind=CK_PERMANENT)
| route owner of "fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3" unrouted: NULL; eroute owner: NULL
| route_and_eroute with c: fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3 (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
| request to add a prospective erouted policy with netkey kernel --- experimental
| satype(0) is not used in netlink_raw_eroute.
| route_and_eroute: firewall_notified: true
| command executing prepare-host-v6
| executing prepare-host-v6: 2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_ME='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_ID='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_CLIENT='fdaa:13:cc00:3:214:22ff:feb1:167a/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_ID='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIENT='fdaa:13:cc00:3:219:dbff:fe42:14a3/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' P
| popen(): cmd is 1101 chars long
| cmd( 0):2>&1 PLUTO_VERB='prepare-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13::
| cmd( 80):cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_INTERFACE=:
| cmd( 160):'ether2' PLUTO_NEXT_HOP='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_ME='fdaa:13:cc:
| cmd( 240):00:3:214:22ff:feb1:167a' PLUTO_MY_ID='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_M:
| cmd( 320):Y_CLIENT='fdaa:13:cc00:3:214:22ff:feb1:167a/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc:
| cmd( 400):00:3:214:22ff:feb1:167a' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:fff:
| cmd( 480):f:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:3:219:d:
| cmd( 560):bff:fe42:14a3' PLUTO_PEER_ID='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIE:
| cmd( 640):NT='fdaa:13:cc00:3:219:dbff:fe42:14a3/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:3:
| cmd( 720)::219:dbff:fe42:14a3' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 800):ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK=':
| cmd( 880):netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY=':
| cmd( 960):ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO=:
| cmd(1040):'' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| command executing route-host-v6
| executing route-host-v6: 2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_INTERFACE='ether2' PLUTO_NEXT_HOP='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_ME='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_ID='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_CLIENT='fdaa:13:cc00:3:214:22ff:feb1:167a/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_ID='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIENT='fdaa:13:cc00:3:219:dbff:fe42:14a3/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv6' PLUTO_IS_PEER_CISCO='0' PLUTO
| popen(): cmd is 1099 chars long
| cmd( 0):2>&1 PLUTO_VERB='route-host-v6' PLUTO_VERSION='2.0' PLUTO_CONNECTION='fdaa:13:cc:
| cmd( 80):00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_INTERFACE='e:
| cmd( 160):ther2' PLUTO_NEXT_HOP='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_ME='fdaa:13:cc00:
| cmd( 240)::3:214:22ff:feb1:167a' PLUTO_MY_ID='fdaa:13:cc00:3:214:22ff:feb1:167a' PLUTO_MY_:
| cmd( 320):CLIENT='fdaa:13:cc00:3:214:22ff:feb1:167a/128' PLUTO_MY_CLIENT_NET='fdaa:13:cc00:
| cmd( 400)::3:214:22ff:feb1:167a' PLUTO_MY_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff::
| cmd( 480):ffff' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='fdaa:13:cc00:3:219:dbf:
| cmd( 560):f:fe42:14a3' PLUTO_PEER_ID='fdaa:13:cc00:3:219:dbff:fe42:14a3' PLUTO_PEER_CLIENT:
| cmd( 640):='fdaa:13:cc00:3:219:dbff:fe42:14a3/128' PLUTO_PEER_CLIENT_NET='fdaa:13:cc00:3:2:
| cmd( 720):19:dbff:fe42:14a3' PLUTO_PEER_CLIENT_MASK='ffff:ffff:ffff:ffff:ffff:ffff:ffff:ff:
| cmd( 800):ff' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='ne:
| cmd( 880):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ip:
| cmd( 960):v6' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='':
| cmd(1040): PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown:
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
|
| *received 108 bytes from fdaa:13:cc00:2:219:dbff:fe42:14a2:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 44 1d 3f e7 54 2f 4b ca
| responder cookie:
| 06 33 5b 1f 7b 81 21 17
| next payload type: ISAKMP_NEXT_v2E
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_AUTH
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 01
| length: 108
| processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35)
packet from fdaa:13:cc00:2:219:dbff:fe42:14a2:500: received packet that claimed to be (I)nitiator, but rcookie is not zero?
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 06 33 5b 1f 7b 81 21 17
| state hash entry 0
| v2 state object not found
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 11
| v2 peer and cookies match on #1
| v2 state object #1 found, in STATE_PARENT_R1
| ***parse IKEv2 Encryption Payload:
| next payload type: ISAKMP_NEXT_v2IDi
| critical bit: none
| length: 80
| processing payload: ISAKMP_NEXT_v2E (len=80)
| ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2
| calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=3des
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh(v2) op on seq: 2 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #1
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #1
| event added after event EVENT_PENDING_PHASE2
| complete v2 state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing compute dh(v2) op id: 2
! long term secret: eb fc 1c 74 41 85 93 d3 21 78 88 88 19 18 d4 ba
! long term secret: 1b 1b a2 e1 ac 1a 4a c0 87 4d b3 d9 9a 29 de dc
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 2013 usec
! DH shared-secret:
! calculating skeyseed using prf=prf-hmac-sha1 integ=auth-hmac-sha1-96 cipherkey=24
! Input to SKEYSEED: a7 c0 2d 99 54 40 d0 d2 72 19 a7 ba 8e 2d 63 df
! Input to SKEYSEED: 14 64 a4 cb 3d aa 72 a1 f9 34 d7 a9 67 21 94 7f
! PRF+ input
! Ni a7 c0 2d 99 54 40 d0 d2 72 19 a7 ba 8e 2d 63 df
! Nr 14 64 a4 cb 3d aa 72 a1 f9 34 d7 a9 67 21 94 7f
! SPIi 44 1d 3f e7 54 2f 4b ca
! SPIr 06 33 5b 1f 7b 81 21 17
! Total keysize needed 148
! prf+[1]: ee 0d 43 e9 16 1f 68 ad c0 e0 29 8d df 7e 7f 63
! prf+[1]: c7 5a a4 77
! prf+[2]: 99 41 88 51 18 e3 23 f1 1e 7b ca 95 91 12 8c 6c
! prf+[2]: c8 d3 df d1
! prf+[3]: 50 2e d1 20 9f b1 ba c3 3f 94 5f 94 b6 ea f3 bb
! prf+[3]: f2 59 68 28
! prf+[4]: 98 aa e1 f8 c5 91 5f f8 bf 49 dd 36 9f 64 b9 5c
! prf+[4]: 06 18 b6 90
! prf+[5]: 2f db 22 bb 19 70 3f 43 b8 80 ab 5f bb a4 62 85
! prf+[5]: 28 be f0 7e
! prf+[6]: d5 3e 18 73 64 35 ba cf 66 35 e6 05 cd ba 17 bd
! prf+[6]: 17 06 18 a5
! prf+[7]: 06 1a 19 9b 79 b2 1d a8 92 ea f4 d8 78 8e 85 01
! prf+[7]: 3a 5d 36 d2
! prf+[8]: be 32 b2 05 0e 49 bd c3 b1 bb 5a 7a 15 34 73 f7
! prf+[8]: 0c 52 f6 4c
! skeyseed: 6b da ef 4a fb 9f 96 75 2a 87 38 97 cd 14 dc 02
! skeyseed: 80 cb 31 6f
! SK_d: ee 0d 43 e9 16 1f 68 ad c0 e0 29 8d df 7e 7f 63
! SK_d: c7 5a a4 77
! SK_ai: 99 41 88 51 18 e3 23 f1 1e 7b ca 95 91 12 8c 6c
! SK_ai: c8 d3 df d1
! SK_ar: 50 2e d1 20 9f b1 ba c3 3f 94 5f 94 b6 ea f3 bb
! SK_ar: f2 59 68 28
! SK_ei: 98 aa e1 f8 c5 91 5f f8 bf 49 dd 36 9f 64 b9 5c
! SK_ei: 06 18 b6 90 2f db 22 bb
! SK_er: 19 70 3f 43 b8 80 ab 5f bb a4 62 85 28 be f0 7e
! SK_er: d5 3e 18 73 64 35 ba cf
! SK_pi: 66 35 e6 05 cd ba 17 bd 17 06 18 a5 06 1a 19 9b
! SK_pi: 79 b2 1d a8
! SK_pr: 92 ea f4 d8 78 8e 85 01 3a 5d 36 d2 be 32 b2 05
! SK_pr: 0e 49 bd c3
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#2
| calling callback function 0x436719
| ikev2 parent inI2outR2: calculating g^{xy}, sending R2
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| R2 calculated auth: 44 6f b7 46 51 d8 92 a9 a9 92 e5 d1
| R2 provided auth: 44 6f b7 46 51 d8 92 a9 a9 92 e5 d1
| authenticator matched
| data before decryption:
| d0 b4 fa 43 4b 3d 7c 02 0b 97 9e e1 06 e4 af ac
| 76 0f de 2d 63 7a 41 b7 18 d5 2d 13 2d cb c6 c9
| 8a 28 e7 f9 ff 56 5f 44 8e 07 4e 8c be 39 91 48
| 13 c6 1c bb a0 0e 1f 50
| decrypted payload: 27 00 00 18 05 00 00 00 fd aa 00 13 cc 00 00 02
| decrypted payload: 02 19 db ff fe 42 14 a2 00 00 00 1c 02 00 00 00
| decrypted payload: cf 4f f8 67 86 45 ce b7 11 c7 d7 e3 9d f6 8f 6f
| decrypted payload: 47 c2 63 95 00 01 02 03
| striping 4 bytes as pad
| **parse IKEv2 Identification Payload:
| next payload type: ISAKMP_NEXT_v2AUTH
| critical bit: none
| length: 24
| id_type: ID_IPV6_ADDR
| processing payload: ISAKMP_NEXT_v2IDi (len=24)
| **parse IKEv2 Authentication Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 28
| auth method: v2_AUTH_SHARED
| processing payload: ISAKMP_NEXT_v2AUTH (len=28)
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 11
| rehashing state object #1, removed from chain 11
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 06 33 5b 1f 7b 81 21 17
| state hash entry 0
| inserting state object #1 on chain 0
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: IKEv2 mode peer ID is ID_IPV6_ADDR: 'fdaa:13:cc00:2:219:dbff:fe42:14a2'
| idhash verify pi 66 35 e6 05 cd ba 17 bd 17 06 18 a5 06 1a 19 9b
| idhash verify pi 79 b2 1d a8
| idhash verify I2 05 00 00 00 fd aa 00 13 cc 00 00 02 02 19 db ff
| idhash verify I2 fe 42 14 a2
| started looking for secret for fdaa:13:cc00:2:214:22ff:feb1:1679->fdaa:13:cc00:2:219:dbff:fe42:14a2 of kind PPK_PSK
| actually looking for secret for fdaa:13:cc00:2:214:22ff:feb1:1679->fdaa:13:cc00:2:219:dbff:fe42:14a2 of kind PPK_PSK
| line 17: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 4
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 12
| line 15: match=12
| best_match 0>12 best=0x1b2e4980 (line=15)
| line 13: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 8
| line 13: match=8
| line 11: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key 10.3.0.113 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| 2: compared key 10.3.0.121 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key 10.2.0.31 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| 2: compared key 10.2.0.27 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| line 9: match=0
| line 7: key type PPK_PSK(fdaa:13:cc00:2:214:22ff:feb1:1679) to type PPK_PSK
| 1: compared key 10.2.0.29 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| 2: compared key 10.2.0.27 to fdaa:13:cc00:2:214:22ff:feb1:1679 / fdaa:13:cc00:2:219:dbff:fe42:14a2 -> 0
| line 7: match=0
| concluding with best_match=12 best=0x1b2e4980 (lineno=15)
| negotiated prf: oakley_sha hash length: 20
| inner prf output f3 06 1a 8b c1 77 71 b5 55 fc 61 9b a8 6e b7 23
| inner prf output 87 7d c2 b4
| inputs to hash1 (first packet)
| inputs to hash2 (responder nonce)
| 14 64 a4 cb 3d aa 72 a1 f9 34 d7 a9 67 21 94 7f
| idhash 9f 08 fd fb 26 21 e0 cf 82 ba 08 58 97 5d bd 8d
| idhash c4 d6 9f 26
| Received PSK auth octets
| cf 4f f8 67 86 45 ce b7 11 c7 d7 e3 9d f6 8f 6f
| 47 c2 63 95
| Calculated PSK auth octets
| e4 35 ad 25 9e e9 41 c4 46 95 d4 cd f3 85 f3 2a
| 93 08 30 d4
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: AUTH mismatch: Received AUTH != computed AUTH
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: PSK authentication failed AUTH mismatch!
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #1: sending notification v2N_AUTHENTICATION_FAILED to fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| don't send packet when notification data empty
| complete v2 state transition with STF_FATAL
| deleting event for #1
| deleting state #1
| deleting event for #1
| no suspended cryptographic state for 1
| ICOOKIE: 44 1d 3f e7 54 2f 4b ca
| RCOOKIE: 06 33 5b 1f 7b 81 21 17
| state hash entry 0
| * processed 1 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
|
| *received whack message
| processing connection 10.2.0.27-to-10.2.0.29
| kernel_alg_db_new() initial trans_cnt=90
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #2 at 0x1b2e59f0
| processing connection 10.2.0.27-to-10.2.0.29
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 23
| inserting state object #2 on chain 23
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2
| event added at head of queue
| processing connection 10.2.0.27-to-10.2.0.29
| Queuing pending Quick Mode with 10.2.0.29 "10.2.0.27-to-10.2.0.29"
"10.2.0.27-to-10.2.0.29" #2: initiating Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 5
| [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| emitting length of ISAKMP Proposal Payload: 40
| emitting length of ISAKMP Security Association Payload: 52
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 51 60 4f 54 70 52 57 5e 5c 4b
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 216
| sending 216 bytes for main_outI1 through ether1:500 to 10.2.0.29:500 (using #2)
| deleting event for #2
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| event added at head of queue
| * processed 0 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 136 bytes from 10.2.0.29:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 136
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 state object not found
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 23
| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000
| v1 state object #2 found, in STATE_MAIN_I1
| processing connection 10.2.0.27-to-10.2.0.29
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 16
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 20
"10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [Openswan (this version) 2.6.master-201205.git-g11dd7970-dirty ]
"10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [Dead Peer Detection]
"10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [RFC 3947] method set to=109
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 32
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 28800
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 5
| [5 is OAKLEY_3DES_CBC]
| ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.29 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.29 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 8
| line 9: match=8
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.29 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 12
| line 7: match=12
| best_match 0>12 best=0x1b2e3610 (line=7)
| concluding with best_match=12 best=0x1b2e3610 (lineno=7)
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| Oakley Transform 0 accepted
| sender checking NAT-t: 1 and 109
"10.2.0.27-to-10.2.0.29" #2: enabling possible NAT-traversal with method 4
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 3 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #2
! helper 0 read 2744+4/2752 bytesfd: 6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
! helper 0 doing build_kenonce op id: 3
| event added after event EVENT_PENDING_PHASE2
| peer supports dpd
| enabling sending dpd
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_PENDING_DDNS in 59 seconds
| next event EVENT_PENDING_DDNS in 59 seconds
! Local DH secret:
! f2 e4 83 68 0c 3d ef e4 40 1d 7b 6a e6 51 1b 6a
! 56 6e a3 dc b9 31 ad b0 ce 15 d4 f9 74 cc b8 1b
! Public DH value sent:
! Generated nonce:
! 41 2a 1d 67 03 6a 55 d4 3a 51 23 04 cc fa 2d 1c
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#3
| calling callback function 0x4266d3
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection 10.2.0.27-to-10.2.0.29
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 41 2a 1d 67 03 6a 55 d4 3a 51 23 04 cc fa 2d 1c
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e6 fd c8 85 01 b9 34 e7
| _natd_hash: rcookie=
| ab a8 1c d7 ad 95 b3 56
| _natd_hash: ip= 0a 02 00 1d
| _natd_hash: port=500
| _natd_hash: hash= a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| _natd_hash: hash= 47 04 b0 63
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| NAT-D 47 04 b0 63
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e6 fd c8 85 01 b9 34 e7
| _natd_hash: rcookie=
| ab a8 1c d7 ad 95 b3 56
| _natd_hash: ip= 0a 02 00 1b
| _natd_hash: port=500
| _natd_hash: hash= a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| _natd_hash: hash= e0 c7 8e 48
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| NAT-D e0 c7 8e 48
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 23
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| inserting state object #2 on chain 18
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.29" #2: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #2
| sending reply packet to 10.2.0.29:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through ether1:500 to 10.2.0.29:500 (using #2)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| event added at head of queue
"10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 228 bytes from 10.2.0.29:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 228
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000
| v1 state object #2 found, in STATE_MAIN_I2
| processing connection 10.2.0.27-to-10.2.0.29
| got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 132
| got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| length: 20
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| length: 24
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| DH public value received:
| started looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.29 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.29 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 8
| line 9: match=8
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.29 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 12
| line 7: match=12
| best_match 0>12 best=0x1b2e3610 (line=7)
| concluding with best_match=12 best=0x1b2e3610 (lineno=7)
| parent1 type: 7 group: 2 len: 2752
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh+iv op on seq: 4 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #2
! helper 0 read 2744+4/2752 bytesfd: 6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #2
! helper 0 doing compute dh+iv op id: 4
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
! peer's g: f9 2a 8f 52 97 c0 d7 48 1f 2a 86 b8 c8 27 61 93
| * processed 0 messages from cryptographic helpers
! peer's g: 58 e2 bf 7a e0 4b 2e 6b 38 6c b7 c6 59 d8 9e e0
| next event EVENT_PENDING_DDNS in 59 seconds
! peer's g: c7 75 81 c5 2a 1e a5 d4 98 8b 53 6e 1f 78 b2 5f
| next event EVENT_PENDING_DDNS in 59 seconds
! peer's g: 4c f9 35 9d 47 03 5d 86 7a 0e 81 75 a7 33 27 df
! peer's g: 1d ca 4a ec 8e 79 8b e4 4b d3 16 40 23 47 44 cd
! peer's g: c6 be 78 15 7b 7e 32 d3 18 3f 34 b9 8e 79 1e cf
! peer's g: 96 c0 1b c4 dd a7 22 04 ab f0 a4 ff d7 1f 21 bf
! peer's g: 0e 49 42 2d 99 16 e7 90 7e 6d 2b 96 e9 4b 35 9d
! long term secret: f2 e4 83 68 0c 3d ef e4 40 1d 7b 6a e6 51 1b 6a
! long term secret: 56 6e a3 dc b9 31 ad b0 ce 15 d4 f9 74 cc b8 1b
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 1263 usec
! DH shared-secret:
! Skey inputs (PSK+NI+NR)
! ni: 41 2a 1d 67 03 6a 55 d4 3a 51 23 04 cc fa 2d 1c
! nr: 93 ad 35 1d 1b 1e 53 87 b3 cb 6a 89 02 0d 86 40
! keyid: a8 6e d2 a5 5d 2f d5 b1 97 87 7f ce 07 7e 86 7f
! keyid: b9 24 60 71
! NSS: end of key computation
! end of IV generation
! Skeyid: a8 6e d2 a5 5d 2f d5 b1 97 87 7f ce 07 7e 86 7f
! Skeyid: b9 24 60 71
! Skeyid_d: a0 86 31 42 fa 63 f2 38 43 87 6d e0 cd 8f 86 24
! Skeyid_d: 8f b1 c5 3f
! Skeyid_a: 90 31 f4 d8 cf 41 70 03 45 0b b5 12 df 2c 81 55
! Skeyid_a: 19 47 79 05
! Skeyid_e: 6e 06 58 00 a9 83 2d 86 35 80 87 8d f4 8e 1c e0
! Skeyid_e: 23 d3 f6 75
! enc key: ac 0e 8f 62 29 8a 63 c3 00 f8 4f 60 3b 5e 1b d3
! enc key: 3d 3b 97 20 90 5c 3f 7e
! IV: cf b9 5d 0e 79 02 df a7 4d db 3d a5 c7 28 3c bc
! IV: f6 48 a0 20
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#4
| calling callback function 0x427fba
| main inR2_outI3: calculated DH, sending R1
| processing connection 10.2.0.27-to-10.2.0.29
| thinking about whether to send my certificate:
| I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
| sendcert: CERT_ALWAYSSEND and I did not get a certificate request
| so do not send cert.
| I did not send a certificate because digital signatures are not being used. (PSK)
| I am not sending a certificate request
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e6 fd c8 85 01 b9 34 e7
| _natd_hash: rcookie=
| ab a8 1c d7 ad 95 b3 56
| _natd_hash: ip= 0a 02 00 1b
| _natd_hash: port=500
| _natd_hash: hash= a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| _natd_hash: hash= e0 c7 8e 48
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e6 fd c8 85 01 b9 34 e7
| _natd_hash: rcookie=
| ab a8 1c d7 ad 95 b3 56
| _natd_hash: ip= 0a 02 00 1d
| _natd_hash: port=500
| _natd_hash: hash= a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| _natd_hash: hash= 47 04 b0 63
| NAT_TRAVERSAL hash=0 (me:0) (him:0)
| expected NAT-D(me): a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| expected NAT-D(me): e0 c7 8e 48
| expected NAT-D(him):
| a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| 47 04 b0 63
| received NAT-D: a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| received NAT-D: e0 c7 8e 48
| NAT_TRAVERSAL hash=1 (me:1) (him:0)
| expected NAT-D(me): a1 1f dd 19 37 5d 74 7c fe e7 66 87 b5 b0 5a 89
| expected NAT-D(me): e0 c7 8e 48
| expected NAT-D(him):
| a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| 47 04 b0 63
| received NAT-D: a6 f8 9c 64 b5 eb a1 a4 d5 47 a8 38 27 53 80 3b
| received NAT-D: 47 04 b0 63
| NAT_TRAVERSAL hash=2 (me:1) (him:1)
"10.2.0.27-to-10.2.0.29" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| event added at head of queue
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_HASH
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
| my identity 0a 02 00 1b
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| hashing 48 bytes of SA
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of HASH_I into ISAKMP Hash Payload
| HASH_I f4 51 10 d8 0f 2b a9 19 8e 0c 3d aa e4 8d e7 b0
| HASH_I e2 d6 09 3e
| emitting length of ISAKMP Hash Payload: 24
| encrypting:
| 08 00 00 0c 01 00 00 00 0a 02 00 1b 00 00 00 18
| f4 51 10 d8 0f 2b a9 19 8e 0c 3d aa e4 8d e7 b0
| e2 d6 09 3e
| IV:
| cf b9 5d 0e 79 02 df a7 4d db 3d a5 c7 28 3c bc
| f6 48 a0 20
| unpadded size is: 36
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting 40 using OAKLEY_3DES_CBC
| next IV: 1e 79 c8 f6 ec ca 0e 09
| emitting length of ISAKMP Message: 68
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.29" #2: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| deleting event for #2
| sending reply packet to 10.2.0.29:500 (from port 500)
| sending 68 bytes for STATE_MAIN_I2 through ether1:500 to 10.2.0.29:500 (using #2)
| e6 fd c8 85 01 b9 34 e7 ab a8 1c d7 ad 95 b3 56
| 05 10 02 01 00 00 00 00 00 00 00 44 53 32 5c 3d
| 8b 84 17 95 c8 d1 aa 5d c2 8f b8 7f 69 6d 2a db
| 20 9f 01 cf 3d f5 73 f7 60 1b 77 e7 1e 79 c8 f6
| ec ca 0e 09
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2
| event added at head of queue
"10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I3: sent MI3, expecting MR3
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_RETRANSMIT in 10 seconds for #2
| next event EVENT_RETRANSMIT in 10 seconds for #2
|
| *received 68 bytes from 10.2.0.29:500 on ether1 (port=500)
| e6 fd c8 85 01 b9 34 e7 ab a8 1c d7 ad 95 b3 56
| 05 10 02 01 00 00 00 00 00 00 00 44 9c 16 7b 5d
| aa aa 5d 68 ad e2 e4 76 0d 79 9a b5 d7 09 dd 26
| 37 d4 67 ef 86 fc bb 42 6e 87 60 85 42 17 98 80
| f8 9e ec 04
| **parse ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000
| v1 state object #2 found, in STATE_MAIN_I3
| processing connection 10.2.0.27-to-10.2.0.29
| received encrypted packet from 10.2.0.29:500
| decrypting 40 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 08 00 00 0c 01 00 00 00 0a 02 00 1d 00 00 00 18
| 7a 9f ae 68 c6 63 75 5a 38 6a 0e 00 99 45 fc 48
| 85 69 a4 0d 00 00 00 00
| next IV: 42 17 98 80 f8 9e ec 04
| got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
| ***parse ISAKMP Identification Payload:
| next payload type: ISAKMP_NEXT_HASH
| length: 12
| ID type: ID_IPV4_ADDR
| DOI specific A: 0
| DOI specific B: 0
| obj: 0a 02 00 1d
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x2080
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| removing 4 bytes of padding
"10.2.0.27-to-10.2.0.29" #2: Main mode peer ID is ID_IPV4_ADDR: '10.2.0.29'
| hashing 48 bytes of SA
| authentication succeeded
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.29" #2: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
| deleting event for #2
| inserting event EVENT_SA_REPLACE, timeout in 27917 seconds for #2
| event added after event EVENT_REINIT_SECRET
"10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000
| v1 state object #2 found, in STATE_MAIN_I4
"10.2.0.27-to-10.2.0.29" #2: Dead Peer Detection (RFC 3706): enabled
| state: 2 requesting event none to be deleted by /root/openswan.git/programs/pluto/dpd.c:162
| inserting event EVENT_DPD, timeout in 5 seconds for #2
| event added at head of queue
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| unpending state #2
| unqueuing pending Quick Mode with 10.2.0.29 "10.2.0.27-to-10.2.0.29" import:admin initiate
| duplicating state object #2
| creating state object #3 at 0x1b2e7290
| processing connection 10.2.0.27-to-10.2.0.29
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| inserting state object #3 on chain 18
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3
| event added at head of queue
| kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_esp_enc_keylen():alg_id=3, keylen=24
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
"10.2.0.27-to-10.2.0.29" #3: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK {using isakmp#2 msgid:9e32542f proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 5 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #3
! helper 0 read 2744+4/2752 bytesfd: 6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #3
! helper 0 doing build_kenonce op id: 5
| event added after event EVENT_PENDING_PHASE2
| removing pending policy for "none" {0x1b2e4370}
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #2
| next event EVENT_DPD in 5 seconds for #2
! Local DH secret:
! 60 ec 3f 14 f9 65 fe a1 16 08 51 39 2b 53 52 8c
! 9b 4f db 71 d3 fb 01 4e f4 fe af 89 ca f1 c3 fa
! Public DH value sent:
! Generated nonce:
! d8 fe 65 11 a3 ff a4 2c 26 80 24 4b f6 3d 12 0f
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#5
| calling callback function 0x42caac
| quick outI1: calculated ke+nonce, sending I1
| processing connection 10.2.0.27-to-10.2.0.29
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 2f 54 32 9e
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| kernel_alg_db_new() initial trans_cnt=90
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| netlink_get_spi: allocated 0x6d602c58 for esp.0 at 10.2.0.27
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI 6d 60 2c 58
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 1
| [1 is ENCAPSULATION_MODE_TUNNEL]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 3600
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| emitting length of ISAKMP Proposal Payload: 40
| emitting length of ISAKMP Security Association Payload: 52
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni d8 fe 65 11 a3 ff a4 2c 26 80 24 4b f6 3d 12 0f
| emitting length of ISAKMP Nonce Payload: 20
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| HASH(1) computed:
| 93 eb 9b a3 0c fe 2a 1c 1c 3b f8 3d 7d 67 7f 2f
| d6 75 ce 60
| last Phase 1 IV: 42 17 98 80 f8 9e ec 04
| current Phase 1 IV: 42 17 98 80 f8 9e ec 04
| computed Phase 2 IV:
| 95 6b 30 48 df 90 e4 ca e2 73 8e a9 43 d8 8a 6d
| 39 ec 07 65
| encrypting:
| IV:
| 95 6b 30 48 df 90 e4 ca e2 73 8e a9 43 d8 8a 6d
| 39 ec 07 65
| unpadded size is: 228
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting 232 using OAKLEY_3DES_CBC
| next IV: 74 08 67 7d 28 01 a0 d0
| emitting length of ISAKMP Message: 260
| sending 260 bytes for quick_outI1 through ether1:500 to 10.2.0.29:500 (using #3)
| deleting event for #3
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3
| event added after event EVENT_DPD for #2
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #2
| next event EVENT_DPD in 5 seconds for #2
|
| *received 260 bytes from 10.2.0.29:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 2f 54 32 9e
| length: 260
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 peer and cookies match on #3, provided msgid 2f54329e vs 2f54329e
| v1 state object #3 found, in STATE_QUICK_I1
| processing connection 10.2.0.27-to-10.2.0.29
| received encrypted packet from 10.2.0.29:500
| decrypting 232 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| next IV: 28 9c 1e 1a 24 20 dc 60
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| length: 24
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| length: 20
| got payload 0x10(ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 132
| removing 4 bytes of padding
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 2f 54 32 9e
| HASH(2) computed:
| f0 d3 30 4b 86 01 79 f7 c7 cb 4d 43 71 63 79 e3
| ff 53 55 d6
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI 28 5a b2 a2
| *****parse ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| length: 28
| transform number: 0
| transform ID: ESP_3DES
| ******parse ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 1
| [1 is ENCAPSULATION_MODE_TUNNEL]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 3600
| ******parse ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_esp_enc_keylen():alg_id=3, keylen=24
| DH public value received:
| started looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.29 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.29 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.29 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.29 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.29 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 8
| line 9: match=8
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.29 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.29 -> 12
| line 7: match=12
| best_match 0>12 best=0x1b2e3610 (line=7)
| concluding with best_match=12 best=0x1b2e3610 (lineno=7)
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh(p2) op on seq: 6 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #3
! helper 0 read 2744+4/2752 bytesfd: 6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #3
! helper 0 doing compute dh(p2) op id: 6
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #2
| next event EVENT_DPD in 5 seconds for #2
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 1266 usec
! DH shared-secret:
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#6
| calling callback function 0x4307d1
| quick inI1_outR1: calculated ke+nonce, calculating DH
| processing connection 10.2.0.27-to-10.2.0.29
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| HASH(3) computed: 1e cb a5 9c 9d 0e ad d8 c7 dd 92 f8 ae 2d 1f aa
| HASH(3) computed: 0e af 2c 84
| compute_proto_keymat:needed_len (after ESP enc)=24
| compute_proto_keymat:needed_len (after ESP auth)=44
| ESP KEYMAT
| KEYMAT computed:
| db f3 70 0d ee fb 68 14 2e c2 a4 84 91 c3 0d 7a
| b0 a3 78 dd 10 f9 df f9 60 7f 20 f8 51 00 94 72
| 8e dd 5c dc ed 14 73 96 12 ae ef cc
| Peer KEYMAT computed:
| 9d fc cc 19 39 4b ad ca 89 ab 28 a6 55 93 bc c7
| c8 d7 be 16 18 fd 37 2a 9c 48 61 6c c2 1c ec be
| fe 8f 74 e1 fd f4 7d 55 85 3d cf f8
| install_ipsec_sa() for #3: inbound and outbound
| route owner of "10.2.0.27-to-10.2.0.29" prospective erouted: self; eroute owner: self
| could_route called for 10.2.0.27-to-10.2.0.29 (kind=CK_PERMANENT)
| looking for alg with transid: 3 keylen: 0 auth: 2
| checking transid: 11 keylen: 0 auth: 1
| checking transid: 11 keylen: 0 auth: 2
| checking transid: 2 keylen: 8 auth: 0
| checking transid: 2 keylen: 8 auth: 1
| checking transid: 2 keylen: 8 auth: 2
| checking transid: 3 keylen: 24 auth: 0
| checking transid: 3 keylen: 24 auth: 1
| checking transid: 3 keylen: 24 auth: 2
| esp enckey: 9d fc cc 19 39 4b ad ca 89 ab 28 a6 55 93 bc c7
| esp enckey: c8 d7 be 16 18 fd 37 2a
| esp authkey: 9c 48 61 6c c2 1c ec be fe 8f 74 e1 fd f4 7d 55
| esp authkey: 85 3d cf f8
| set up outoing SA, ref=0/4294901761
| looking for alg with transid: 3 keylen: 0 auth: 2
| checking transid: 11 keylen: 0 auth: 1
| checking transid: 11 keylen: 0 auth: 2
| checking transid: 2 keylen: 8 auth: 0
| checking transid: 2 keylen: 8 auth: 1
| checking transid: 2 keylen: 8 auth: 2
| checking transid: 3 keylen: 24 auth: 0
| checking transid: 3 keylen: 24 auth: 1
| checking transid: 3 keylen: 24 auth: 2
| esp enckey: db f3 70 0d ee fb 68 14 2e c2 a4 84 91 c3 0d 7a
| esp enckey: b0 a3 78 dd 10 f9 df f9
| esp authkey: 60 7f 20 f8 51 00 94 72 8e dd 5c dc ed 14 73 96
| esp authkey: 12 ae ef cc
| add inbound eroute 10.2.0.29/32:0 --0-> 10.2.0.27/32:0 => tun.10000 at 10.2.0.27 (raw_eroute)
| satype(9) is not used in netlink_raw_eroute.
| raw_eroute result=1
| set up incoming SA, ref=0/4294901761
| sr for #3: prospective erouted
| route owner of "10.2.0.27-to-10.2.0.29" prospective erouted: self; eroute owner: self
| route_and_eroute with c: 10.2.0.27-to-10.2.0.29 (next: none) ero:10.2.0.27-to-10.2.0.29 esr:{(nil)} ro:10.2.0.27-to-10.2.0.29 rosr:{(nil)} and state: 3
| eroute_connection replace eroute 10.2.0.27/32:0 --0-> 10.2.0.29/32:0 => tun.0 at 10.2.0.29 (raw_eroute)
| satype(9) is not used in netlink_raw_eroute.
| raw_eroute result=1
| command executing up-host
| executing up-host: 2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT='10.2.0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 812 chars long
| cmd( 0):2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.:
| cmd( 80):2.0.29' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.29' PLUTO_ME='10.2.0.27':
| cmd( 160): PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.:
| cmd( 240):2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_PEER='10.2.0.29' PLUTO_PEER_ID='10.2.0.29' PLUTO_PEER_CLIENT='10.2.:
| cmd( 400):0.29/32' PLUTO_PEER_CLIENT_NET='10.2.0.29' PLUTO_PEER_CLIENT_MASK='255.255.255.2:
| cmd( 480):55' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='ne:
| cmd( 560):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+SAREFTRACK' PLUTO_CONN_ADDR:
| cmd( 640):FAMILY='ipv4' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_I:
| cmd( 720):NFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' i:
| cmd( 800):psec _updown:
| route_and_eroute: firewall_notified: true
| route_and_eroute: instance "10.2.0.27-to-10.2.0.29", setting eroute_owner {spd=0x1b2dbea8,sr=0x1b2dbea8} to #3 (was #0) (newest_ipsec_sa=#0)
| encrypting:
| 00 00 00 18 1e cb a5 9c 9d 0e ad d8 c7 dd 92 f8
| ae 2d 1f aa 0e af 2c 84
| IV:
| 28 9c 1e 1a 24 20 dc 60
| unpadded size is: 24
| encrypting 24 using OAKLEY_3DES_CBC
| next IV: 5c dc 53 1f 28 5e 16 c0
| emitting length of ISAKMP Message: 52
| inR1_outI2: instance 10.2.0.27-to-10.2.0.29[0], setting newest_ipsec_sa to #3 (was #0) (spd.eroute=#3)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| v1 peer and cookies match on #3, provided msgid 00000000 vs 2f54329e
| v1 peer and cookies match on #2, provided msgid 00000000 vs 00000000
| v1 state object #2 found, in STATE_MAIN_I4
"10.2.0.27-to-10.2.0.29" #3: Dead Peer Detection (RFC 3706): enabled
| state: 3 requesting event none to be deleted by /root/openswan.git/programs/pluto/dpd.c:162
| inserting event EVENT_DPD, timeout in 5 seconds for #3
| event added at head of queue
| state: 2 requesting event EVENT_DPD to be deleted by /root/openswan.git/programs/pluto/dpd.c:174
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.29" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
| deleting event for #3
| sending reply packet to 10.2.0.29:500 (from port 500)
| sending 52 bytes for STATE_QUICK_I1 through ether1:500 to 10.2.0.29:500 (using #3)
| e6 fd c8 85 01 b9 34 e7 ab a8 1c d7 ad 95 b3 56
| 08 10 20 01 2f 54 32 9e 00 00 00 34 59 81 ea 8e
| 6f 8c 4c fd 61 8c e9 2f 09 e4 0f 42 5c dc 53 1f
| 28 5e 16 c0
| inserting event EVENT_SA_REPLACE, timeout in 2957 seconds for #3
| event added after event EVENT_PENDING_PHASE2
"10.2.0.27-to-10.2.0.29" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x285ab2a2 <0x6d602c58 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
|
| *received whack message
| processing connection 10.2.0.27-to-10.2.0.31
| kernel_alg_db_new() initial trans_cnt=90
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #4 at 0x1b2e7f60
| processing connection 10.2.0.27-to-10.2.0.31
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 4
| inserting state object #4 on chain 4
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #4
| event added at head of queue
| processing connection 10.2.0.27-to-10.2.0.31
| Queuing pending Quick Mode with 10.2.0.31 "10.2.0.27-to-10.2.0.31"
"10.2.0.27-to-10.2.0.31" #4: initiating Main Mode
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****emit ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: KEY_IKE
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 28800
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 5
| [5 is OAKLEY_3DES_CBC]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| ******emit ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| emitting length of ISAKMP Transform Payload (ISAKMP): 32
| emitting length of ISAKMP Proposal Payload: 40
| emitting length of ISAKMP Security Association Payload: 52
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 51 60 4f 54 70 52 57 5e 5c 4b
| emitting length of ISAKMP Vendor ID Payload: 16
| out_vendorid(): sending [Dead Peer Detection]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00
| emitting length of ISAKMP Vendor ID Payload: 20
| nat traversal enabled: 1
| nat add vid. port: 1 nonike: 1
| out_vendorid(): sending [RFC 3947]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 4a 13 1c 81 07 03 58 45 5c 57 28 f2 0e 95 45 2f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-03]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 7d 94 19 a6 53 10 ca 6f 2c 17 9d 92 15 52 9d 56
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID cd 60 46 43 35 df 21 f8 7c fd b2 fc 68 b6 a4 48
| emitting length of ISAKMP Vendor ID Payload: 20
| out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-00]
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload
| V_ID 44 85 15 2d 18 b6 bb cd 0b e8 a8 46 95 79 dd cc
| emitting length of ISAKMP Vendor ID Payload: 20
| emitting length of ISAKMP Message: 216
| sending 216 bytes for main_outI1 through ether1:500 to 10.2.0.31:500 (using #4)
| deleting event for #4
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
| event added after event EVENT_DPD for #3
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
|
| *received 136 bytes from 10.2.0.31:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_SA
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 136
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 state object not found
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 4
| v1 peer and cookies match on #4, provided msgid 00000000 vs 00000000
| v1 state object #4 found, in STATE_MAIN_I1
| processing connection 10.2.0.27-to-10.2.0.31
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 16
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_VID
| length: 20
| got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080
| ***parse ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 20
"10.2.0.27-to-10.2.0.31" #4: ignoring unknown Vendor ID payload [4f454b705270417f765b6b59]
"10.2.0.27-to-10.2.0.31" #4: received Vendor ID payload [Dead Peer Detection]
"10.2.0.27-to-10.2.0.31" #4: received Vendor ID payload [RFC 3947] method set to=109
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_ISAKMP
| SPI size: 0
| number of transforms: 1
| *****parse ISAKMP Transform Payload (ISAKMP):
| next payload type: ISAKMP_NEXT_NONE
| length: 32
| transform number: 0
| transform ID: KEY_IKE
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_TYPE
| length/value: 1
| [1 is OAKLEY_LIFE_SECONDS]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_LIFE_DURATION
| length/value: 28800
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_ENCRYPTION_ALGORITHM
| length/value: 5
| [5 is OAKLEY_3DES_CBC]
| ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_HASH_ALGORITHM
| length/value: 2
| [2 is OAKLEY_SHA1]
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_AUTHENTICATION_METHOD
| length/value: 1
| [1 is OAKLEY_PRESHARED_KEY]
| started looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.31 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.31 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.31 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 12
| line 9: match=12
| best_match 0>12 best=0x1b2e4580 (line=9)
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 8
| line 7: match=8
| concluding with best_match=12 best=0x1b2e4580 (lineno=9)
| ******parse ISAKMP Oakley attribute:
| af+type: OAKLEY_GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| Oakley Transform 0 accepted
| sender checking NAT-t: 1 and 109
"10.2.0.27-to-10.2.0.31" #4: enabling possible NAT-traversal with method 4
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 7 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #4
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #4
| event added after event EVENT_PENDING_PHASE2
| peer supports dpd
| enabling sending dpd
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing build_kenonce op id: 7
! Local DH secret:
! eb d9 68 73 ba a3 90 7e 58 2e 0b b9 53 b5 4e e0
! 0f 44 a8 3a 92 30 68 b9 74 6e 01 65 81 12 53 f7
! Public DH value sent:
! Generated nonce:
! 6e bc 78 64 24 8a 44 68 e8 9e 05 8d 15 42 4f 82
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#7
| calling callback function 0x4266d3
| main inR1_outI2: calculated ke+nonce, sending I2
| processing connection 10.2.0.27-to-10.2.0.31
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 6e bc 78 64 24 8a 44 68 e8 9e 05 8d 15 42 4f 82
| emitting length of ISAKMP Nonce Payload: 20
| sending NATD payloads
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e2 e4 22 2b ce 0e 80 29
| _natd_hash: rcookie=
| da 88 c6 24 a9 13 5a b2
| _natd_hash: ip= 0a 02 00 1f
| _natd_hash: port=500
| _natd_hash: hash= e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| _natd_hash: hash= fd 3c 97 04
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| NAT-D fd 3c 97 04
| emitting length of ISAKMP NAT-D Payload: 24
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e2 e4 22 2b ce 0e 80 29
| _natd_hash: rcookie=
| da 88 c6 24 a9 13 5a b2
| _natd_hash: ip= 0a 02 00 1b
| _natd_hash: port=500
| _natd_hash: hash= 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| _natd_hash: hash= 80 a2 00 cd
| ***emit ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of NAT-D into ISAKMP NAT-D Payload
| NAT-D 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| NAT-D 80 a2 00 cd
| emitting length of ISAKMP NAT-D Payload: 24
| emitting length of ISAKMP Message: 228
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 4
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| inserting state object #4 on chain 26
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.31" #4: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
| deleting event for #4
| sending reply packet to 10.2.0.31:500 (from port 500)
| sending 228 bytes for STATE_MAIN_I1 through ether1:500 to 10.2.0.31:500 (using #4)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
| event added after event EVENT_DPD for #3
"10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I2: sent MI2, expecting MR2
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
|
| *received 228 bytes from 10.2.0.31:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_KE
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: none
| message ID: 00 00 00 00
| length: 228
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 peer and cookies match on #4, provided msgid 00000000 vs 00000000
| v1 state object #4 found, in STATE_MAIN_I2
| processing connection 10.2.0.27-to-10.2.0.31
| got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 132
| got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| length: 20
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NAT-D
| length: 24
| got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080
| ***parse ISAKMP NAT-D Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| DH public value received:
| started looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.31 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.31 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.31 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 12
| line 9: match=12
| best_match 0>12 best=0x1b2e4580 (line=9)
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 8
| line 7: match=8
| concluding with best_match=12 best=0x1b2e4580 (lineno=9)
| parent1 type: 7 group: 2 len: 2752
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh+iv op on seq: 8 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #4
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #4
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing compute dh+iv op id: 8
! long term secret: eb d9 68 73 ba a3 90 7e 58 2e 0b b9 53 b5 4e e0
! long term secret: 0f 44 a8 3a 92 30 68 b9 74 6e 01 65 81 12 53 f7
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 1244 usec
! DH shared-secret:
! Skey inputs (PSK+NI+NR)
! ni: 6e bc 78 64 24 8a 44 68 e8 9e 05 8d 15 42 4f 82
! nr: 17 a9 f1 57 13 fe 0b e8 48 db 86 05 a6 96 1c d4
! keyid: 3c b3 a9 34 ca 0e 3a 79 1d 09 52 99 95 36 a3 61
! keyid: 41 a0 ef 76
! NSS: end of key computation
! end of IV generation
! Skeyid: 3c b3 a9 34 ca 0e 3a 79 1d 09 52 99 95 36 a3 61
! Skeyid: 41 a0 ef 76
! Skeyid_d: be 45 2c 31 b6 65 32 42 4d 7e 5f 17 45 9d 4a 8f
! Skeyid_d: 40 8f 0d fe
! Skeyid_a: 69 6d ff 75 33 e8 1f 5b df 26 fb cb 93 37 9a ca
! Skeyid_a: f9 44 2e e4
! Skeyid_e: b9 d2 15 52 3a 5b cd f4 12 30 78 ef e8 bb 12 f4
! Skeyid_e: 7a 7a e8 3c
! enc key: 8f 4c 83 fc 54 0c 37 59 a0 2a 9e c9 4a db 6c de
! enc key: 99 98 9c 29 57 86 7b 5c
! IV: b6 dd f3 dc ae 50 15 e8 8b 41 c8 1a f0 a9 d9 e4
! IV: e1 70 26 00
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#8
| calling callback function 0x427fba
| main inR2_outI3: calculated DH, sending R1
| processing connection 10.2.0.27-to-10.2.0.31
| thinking about whether to send my certificate:
| I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE
| sendcert: CERT_ALWAYSSEND and I did not get a certificate request
| so do not send cert.
| I did not send a certificate because digital signatures are not being used. (PSK)
| I am not sending a certificate request
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e2 e4 22 2b ce 0e 80 29
| _natd_hash: rcookie=
| da 88 c6 24 a9 13 5a b2
| _natd_hash: ip= 0a 02 00 1b
| _natd_hash: port=500
| _natd_hash: hash= 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| _natd_hash: hash= 80 a2 00 cd
| _natd_hash: hasher=0x6f1780(20)
| _natd_hash: icookie=
| e2 e4 22 2b ce 0e 80 29
| _natd_hash: rcookie=
| da 88 c6 24 a9 13 5a b2
| _natd_hash: ip= 0a 02 00 1f
| _natd_hash: port=500
| _natd_hash: hash= e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| _natd_hash: hash= fd 3c 97 04
| NAT_TRAVERSAL hash=0 (me:0) (him:0)
| expected NAT-D(me): 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| expected NAT-D(me): 80 a2 00 cd
| expected NAT-D(him):
| e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| fd 3c 97 04
| received NAT-D: 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| received NAT-D: 80 a2 00 cd
| NAT_TRAVERSAL hash=1 (me:1) (him:0)
| expected NAT-D(me): 7e be f9 cc d0 1f 9e 97 e9 d5 b2 fc 05 79 9d 61
| expected NAT-D(me): 80 a2 00 cd
| expected NAT-D(him):
| e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| fd 3c 97 04
| received NAT-D: e4 64 c5 28 20 78 de 2d 0c 27 a0 32 20 a4 77 76
| received NAT-D: fd 3c 97 04
| NAT_TRAVERSAL hash=2 (me:1) (him:1)
"10.2.0.27-to-10.2.0.31" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
| ***emit ISAKMP Identification Payload (IPsec DOI):
| next payload type: ISAKMP_NEXT_HASH
| ID type: ID_IPV4_ADDR
| Protocol ID: 0
| port: 0
| emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
| my identity 0a 02 00 1b
| emitting length of ISAKMP Identification Payload (IPsec DOI): 12
| hashing 48 bytes of SA
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 raw bytes of HASH_I into ISAKMP Hash Payload
| HASH_I db a1 66 09 0c 65 55 4d a5 e6 ac 1e d8 ca 3e 35
| HASH_I 04 b1 8d 7e
| emitting length of ISAKMP Hash Payload: 24
| encrypting:
| 08 00 00 0c 01 00 00 00 0a 02 00 1b 00 00 00 18
| db a1 66 09 0c 65 55 4d a5 e6 ac 1e d8 ca 3e 35
| 04 b1 8d 7e
| IV:
| b6 dd f3 dc ae 50 15 e8 8b 41 c8 1a f0 a9 d9 e4
| e1 70 26 00
| unpadded size is: 36
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting 40 using OAKLEY_3DES_CBC
| next IV: 12 ca 12 36 30 ee 76 1f
| emitting length of ISAKMP Message: 68
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.31" #4: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
| deleting event for #4
| sending reply packet to 10.2.0.31:500 (from port 500)
| sending 68 bytes for STATE_MAIN_I2 through ether1:500 to 10.2.0.31:500 (using #4)
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #4
| event added after event EVENT_DPD for #3
"10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I3: sent MI3, expecting MR3
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
|
| *received 68 bytes from 10.2.0.31:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_ID
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_IDPROT
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 00 00 00 00
| length: 68
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 peer and cookies match on #4, provided msgid 00000000 vs 00000000
| v1 state object #4 found, in STATE_MAIN_I3
| processing connection 10.2.0.27-to-10.2.0.31
| received encrypted packet from 10.2.0.31:500
| decrypting 40 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 08 00 00 0c 01 00 00 00 0a 02 00 1f 00 00 00 18
| 10 7d 0c c2 57 5d 46 ce 59 c8 8e 4d d5 05 23 be
| 8c 19 bd 49 00 00 00 00
| next IV: 1f 2c 75 23 09 6b 5e fc
| got payload 0x20(ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
| ***parse ISAKMP Identification Payload:
| next payload type: ISAKMP_NEXT_HASH
| length: 12
| ID type: ID_IPV4_ADDR
| DOI specific A: 0
| DOI specific B: 0
| obj: 0a 02 00 1f
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x2080
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 24
| removing 4 bytes of padding
"10.2.0.27-to-10.2.0.31" #4: Main mode peer ID is ID_IPV4_ADDR: '10.2.0.31'
| hashing 48 bytes of SA
| authentication succeeded
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.31" #4: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
| deleting event for #4
| inserting event EVENT_SA_REPLACE, timeout in 27991 seconds for #4
| event added after event EVENT_SA_REPLACE for #2
"10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 peer and cookies match on #4, provided msgid 00000000 vs 00000000
| v1 state object #4 found, in STATE_MAIN_I4
"10.2.0.27-to-10.2.0.31" #4: Dead Peer Detection (RFC 3706): enabled
| state: 4 requesting event none to be deleted by /root/openswan.git/programs/pluto/dpd.c:162
| inserting event EVENT_DPD, timeout in 5 seconds for #4
| event added at head of queue
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| unpending state #4
| unqueuing pending Quick Mode with 10.2.0.31 "10.2.0.27-to-10.2.0.31" import:admin initiate
| duplicating state object #4
| creating state object #5 at 0x1b2e8920
| processing connection 10.2.0.27-to-10.2.0.31
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| inserting state object #5 on chain 26
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #5
| event added at head of queue
| kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_esp_enc_keylen():alg_id=3, keylen=24
| kernel_alg_esp_auth_keylen(auth=2, sadb_aalg=3): a_keylen=20
"10.2.0.27-to-10.2.0.31" #5: initiating Quick Mode PSK+ENCRYPT+PFS+UP+SAREFTRACK {using isakmp#4 msgid:85ab2889 proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 9 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #5
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #5
| event added after event EVENT_PENDING_PHASE2
| removing pending policy for "none" {0x1b2e6df0}
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #4
| next event EVENT_DPD in 5 seconds for #4
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing build_kenonce op id: 9
! Local DH secret:
! 21 a5 5d 30 1c 24 64 85 18 95 d9 0b 24 a9 6e 09
! e8 ec 8f a2 fb eb aa 0b bc f2 7f b7 88 80 fe 45
! Public DH value sent:
! Generated nonce:
! 93 d3 51 0c 54 44 e4 58 62 da db b1 11 b9 4b a7
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#9
| calling callback function 0x42caac
| quick outI1: calculated ke+nonce, sending I1
| processing connection 10.2.0.27-to-10.2.0.31
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 89 28 ab 85
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| kernel_alg_db_new() initial trans_cnt=90
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| ***emit ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| DOI: ISAKMP_DOI_IPSEC
| ****emit IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| out_sa pcn: 0 has 1 valid proposals
| out_sa pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 1
| ****emit ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| netlink_get_spi: allocated 0x2f0c0dfd for esp.0 at 10.2.0.27
| emitting 4 raw bytes of SPI into ISAKMP Proposal Payload
| SPI 2f 0c 0d fd
| *****emit ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| transform number: 0
| transform ID: ESP_3DES
| ******emit ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 2
| [2 is ENCAPSULATION_MODE_TRANSPORT]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******emit ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 3600
| ******emit ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| emitting length of ISAKMP Transform Payload (ESP): 28
| emitting length of ISAKMP Proposal Payload: 40
| emitting length of ISAKMP Security Association Payload: 52
| ***emit ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| emitting 16 raw bytes of Ni into ISAKMP Nonce Payload
| Ni 93 d3 51 0c 54 44 e4 58 62 da db b1 11 b9 4b a7
| emitting length of ISAKMP Nonce Payload: 20
| ***emit ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 128 raw bytes of keyex value into ISAKMP Key Exchange Payload
| emitting length of ISAKMP Key Exchange Payload: 132
| HASH(1) computed:
| bd 2b 94 9a cc db f1 fc 49 80 46 9f db b1 5e d1
| ce 8e e9 ad
| last Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| current Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| computed Phase 2 IV:
| e5 64 3c 1d 58 21 d1 a7 a0 c6 2a c7 b4 b5 28 c6
| 8f a5 85 d9
| encrypting:
| IV:
| e5 64 3c 1d 58 21 d1 a7 a0 c6 2a c7 b4 b5 28 c6
| 8f a5 85 d9
| unpadded size is: 228
| emitting 4 zero bytes of encryption padding into ISAKMP Message
| encrypting 232 using OAKLEY_3DES_CBC
| next IV: 82 ff 59 82 66 5f 84 6f
| emitting length of ISAKMP Message: 260
| sending 260 bytes for quick_outI1 through ether1:500 to 10.2.0.31:500 (using #5)
| deleting event for #5
| inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #5
| event added after event EVENT_DPD for #3
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #4
| next event EVENT_DPD in 5 seconds for #4
|
| *received 260 bytes from 10.2.0.31:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 89 28 ab 85
| length: 260
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 peer and cookies match on #5, provided msgid 8928ab85 vs 8928ab85
| v1 state object #5 found, in STATE_QUICK_I1
| processing connection 10.2.0.27-to-10.2.0.31
| received encrypted packet from 10.2.0.31:500
| decrypting 232 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| next IV: bc b4 74 89 bb ea 52 e6
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_SA
| length: 24
| got payload 0x2(ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030
| ***parse ISAKMP Security Association Payload:
| next payload type: ISAKMP_NEXT_NONCE
| length: 52
| DOI: ISAKMP_DOI_IPSEC
| got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030
| ***parse ISAKMP Nonce Payload:
| next payload type: ISAKMP_NEXT_KE
| length: 20
| got payload 0x10(ISAKMP_NEXT_KE) needed: 0x0 opt: 0x200030
| ***parse ISAKMP Key Exchange Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 132
| removing 4 bytes of padding
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_QUICK
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: 89 28 ab 85
| HASH(2) computed:
| 21 97 b4 57 e0 c5 44 88 b1 56 da 1a 6a fd e1 00
| 47 f1 a8 8e
| ****parse IPsec DOI SIT:
| IPsec DOI SIT: SIT_IDENTITY_ONLY
| ****parse ISAKMP Proposal Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 40
| proposal number: 0
| protocol ID: PROTO_IPSEC_ESP
| SPI size: 4
| number of transforms: 1
| parsing 4 raw bytes of ISAKMP Proposal Payload into SPI
| SPI c8 30 46 91
| *****parse ISAKMP Transform Payload (ESP):
| next payload type: ISAKMP_NEXT_NONE
| length: 28
| transform number: 0
| transform ID: ESP_3DES
| ******parse ISAKMP IPsec DOI attribute:
| af+type: GROUP_DESCRIPTION
| length/value: 2
| [2 is OAKLEY_GROUP_MODP1024]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: ENCAPSULATION_MODE
| length/value: 2
| [2 is ENCAPSULATION_MODE_TRANSPORT]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_TYPE
| length/value: 1
| [1 is SA_LIFE_TYPE_SECONDS]
| ******parse ISAKMP IPsec DOI attribute:
| af+type: SA_LIFE_DURATION
| length/value: 3600
| ******parse ISAKMP IPsec DOI attribute:
| af+type: AUTH_ALGORITHM
| length/value: 2
| [2 is AUTH_ALGORITHM_HMAC_SHA1]
| kernel_alg_esp_enc_ok(3,0): alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1
| kernel_alg_esp_enc_keylen():alg_id=3, keylen=24
| DH public value received:
| started looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| actually looking for secret for 10.2.0.27->10.2.0.31 of kind PPK_PSK
| line 17: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:3:219:dbff:fe42:14a3 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:3:214:22ff:feb1:167a to 10.2.0.27 / 10.2.0.31 -> 0
| line 17: match=0
| line 15: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:219:dbff:fe42:14a2 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 15: match=0
| line 13: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key fdaa:13:cc00:2:214:22ff:fe09:6ffd to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key fdaa:13:cc00:2:214:22ff:feb1:1679 to 10.2.0.27 / 10.2.0.31 -> 0
| line 13: match=0
| line 11: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.3.0.113 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.3.0.121 to 10.2.0.27 / 10.2.0.31 -> 0
| line 11: match=0
| line 9: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.31 to 10.2.0.27 / 10.2.0.31 -> 4
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 12
| line 9: match=12
| best_match 0>12 best=0x1b2e4580 (line=9)
| line 7: key type PPK_PSK(10.2.0.27) to type PPK_PSK
| 1: compared key 10.2.0.29 to 10.2.0.27 / 10.2.0.31 -> 0
| 2: compared key 10.2.0.27 to 10.2.0.27 / 10.2.0.31 -> 8
| line 7: match=8
| concluding with best_match=12 best=0x1b2e4580 (lineno=9)
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do compute dh(p2) op on seq: 10 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #5
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #5
| event added after event EVENT_PENDING_PHASE2
| complete state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #4
| next event EVENT_DPD in 5 seconds for #4
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing compute dh(p2) op id: 10
! calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP1024): 1249 usec
! DH shared-secret:
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#10
| calling callback function 0x4307d1
| quick inI1_outR1: calculated ke+nonce, calculating DH
| processing connection 10.2.0.27-to-10.2.0.31
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| HASH(3) computed: 5c 5c d0 79 b9 58 82 b1 bb be fc e4 3d e1 81 c9
| HASH(3) computed: 30 b2 56 a0
| compute_proto_keymat:needed_len (after ESP enc)=24
| compute_proto_keymat:needed_len (after ESP auth)=44
| ESP KEYMAT
| KEYMAT computed:
| ae 9c f3 31 41 d7 5b ea 40 6c f8 1b 30 38 70 ed
| 83 b4 41 a5 54 32 3a a0 15 e1 d0 a0 cf b9 e9 52
| 86 02 f9 99 71 08 45 e2 ed a9 0d 7b
| Peer KEYMAT computed:
| fa f4 88 f0 35 f4 ff df 55 4e 70 3c 8a 11 f4 16
| 3e b4 6b 57 30 f5 98 02 28 66 ea 61 72 7a 2a 42
| d5 e0 a7 18 a7 9d cc 4f 5c 85 ef d9
| install_ipsec_sa() for #5: inbound and outbound
| route owner of "10.2.0.27-to-10.2.0.31" prospective erouted: self; eroute owner: self
| could_route called for 10.2.0.27-to-10.2.0.31 (kind=CK_PERMANENT)
| looking for alg with transid: 3 keylen: 0 auth: 2
| checking transid: 11 keylen: 0 auth: 1
| checking transid: 11 keylen: 0 auth: 2
| checking transid: 2 keylen: 8 auth: 0
| checking transid: 2 keylen: 8 auth: 1
| checking transid: 2 keylen: 8 auth: 2
| checking transid: 3 keylen: 24 auth: 0
| checking transid: 3 keylen: 24 auth: 1
| checking transid: 3 keylen: 24 auth: 2
| esp enckey: fa f4 88 f0 35 f4 ff df 55 4e 70 3c 8a 11 f4 16
| esp enckey: 3e b4 6b 57 30 f5 98 02
| esp authkey: 28 66 ea 61 72 7a 2a 42 d5 e0 a7 18 a7 9d cc 4f
| esp authkey: 5c 85 ef d9
| set up outoing SA, ref=0/4294901761
| looking for alg with transid: 3 keylen: 0 auth: 2
| checking transid: 11 keylen: 0 auth: 1
| checking transid: 11 keylen: 0 auth: 2
| checking transid: 2 keylen: 8 auth: 0
| checking transid: 2 keylen: 8 auth: 1
| checking transid: 2 keylen: 8 auth: 2
| checking transid: 3 keylen: 24 auth: 0
| checking transid: 3 keylen: 24 auth: 1
| checking transid: 3 keylen: 24 auth: 2
| esp enckey: ae 9c f3 31 41 d7 5b ea 40 6c f8 1b 30 38 70 ed
| esp enckey: 83 b4 41 a5 54 32 3a a0
| esp authkey: 15 e1 d0 a0 cf b9 e9 52 86 02 f9 99 71 08 45 e2
| esp authkey: ed a9 0d 7b
| add inbound eroute 10.2.0.31/32:0 --0-> 10.2.0.27/32:0 => tun.10000 at 10.2.0.27 (raw_eroute)
| satype(9) is not used in netlink_raw_eroute.
| raw_eroute result=1
| set up incoming SA, ref=0/4294901761
| sr for #5: prospective erouted
| route owner of "10.2.0.27-to-10.2.0.31" prospective erouted: self; eroute owner: self
| route_and_eroute with c: 10.2.0.27-to-10.2.0.31 (next: none) ero:10.2.0.27-to-10.2.0.31 esr:{(nil)} ro:10.2.0.27-to-10.2.0.31 rosr:{(nil)} and state: 5
| eroute_connection replace eroute 10.2.0.27/32:0 --0-> 10.2.0.31/32:0 => esp.c8304691 at 10.2.0.31 (raw_eroute)
| satype(3) is not used in netlink_raw_eroute.
| raw_eroute result=1
| command executing up-host
| executing up-host: 2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.0.27' PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT='10.2.0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+UP+SAREFTRACK' PLUTO_CONN_ADDRFAMILY='ipv4' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
| popen(): cmd is 805 chars long
| cmd( 0):2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='10.2.0.27-to-10.:
| cmd( 80):2.0.31' PLUTO_INTERFACE='ether1' PLUTO_NEXT_HOP='10.2.0.31' PLUTO_ME='10.2.0.27':
| cmd( 160): PLUTO_MY_ID='10.2.0.27' PLUTO_MY_CLIENT='10.2.0.27/32' PLUTO_MY_CLIENT_NET='10.:
| cmd( 240):2.0.27' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='0' PLUTO_MY_PROTOC:
| cmd( 320):OL='0' PLUTO_PEER='10.2.0.31' PLUTO_PEER_ID='10.2.0.31' PLUTO_PEER_CLIENT='10.2.:
| cmd( 400):0.31/32' PLUTO_PEER_CLIENT_NET='10.2.0.31' PLUTO_PEER_CLIENT_MASK='255.255.255.2:
| cmd( 480):55' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='ne:
| cmd( 560):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+PFS+UP+SAREFTRACK' PLUTO_CONN_ADDRFAMILY=:
| cmd( 640):'ipv4' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' :
| cmd( 720):PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _u:
| cmd( 800):pdown:
| route_and_eroute: firewall_notified: true
| route_and_eroute: instance "10.2.0.27-to-10.2.0.31", setting eroute_owner {spd=0x1b2ddb48,sr=0x1b2ddb48} to #5 (was #0) (newest_ipsec_sa=#0)
| encrypting:
| 00 00 00 18 5c 5c d0 79 b9 58 82 b1 bb be fc e4
| 3d e1 81 c9 30 b2 56 a0
| IV:
| bc b4 74 89 bb ea 52 e6
| unpadded size is: 24
| encrypting 24 using OAKLEY_3DES_CBC
| next IV: 41 96 d7 6e 44 a9 92 6e
| emitting length of ISAKMP Message: 52
| inR1_outI2: instance 10.2.0.27-to-10.2.0.31[0], setting newest_ipsec_sa to #5 (was #0) (spd.eroute=#5)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| v1 peer and cookies match on #5, provided msgid 00000000 vs 8928ab85
| v1 peer and cookies match on #4, provided msgid 00000000 vs 00000000
| v1 state object #4 found, in STATE_MAIN_I4
"10.2.0.27-to-10.2.0.31" #5: Dead Peer Detection (RFC 3706): enabled
| state: 5 requesting event none to be deleted by /root/openswan.git/programs/pluto/dpd.c:162
| inserting event EVENT_DPD, timeout in 5 seconds for #5
| event added at head of queue
| state: 4 requesting event EVENT_DPD to be deleted by /root/openswan.git/programs/pluto/dpd.c:174
| complete state transition with STF_OK
"10.2.0.27-to-10.2.0.31" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
| deleting event for #5
| sending reply packet to 10.2.0.31:500 (from port 500)
| sending 52 bytes for STATE_QUICK_I1 through ether1:500 to 10.2.0.31:500 (using #5)
| e2 e4 22 2b ce 0e 80 29 da 88 c6 24 a9 13 5a b2
| 08 10 20 01 89 28 ab 85 00 00 00 34 28 2e 14 58
| 7c 5e 2c 1b 41 ac 95 2b af 58 e3 16 41 96 d7 6e
| 44 a9 92 6e
| inserting event EVENT_SA_REPLACE, timeout in 2723 seconds for #5
| event added after event EVENT_PENDING_PHASE2
"10.2.0.27-to-10.2.0.31" #5: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xc8304691 <0x2f0c0dfd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
| modecfg pull: noquirk policy:push not-client
| phase 1 is done, looking for phase 2 to unpend
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #5
| next event EVENT_DPD in 5 seconds for #5
|
| *received whack message
| processing connection 10.3.0.121-to-10.3.0.113
| kernel_alg_db_new() initial trans_cnt=90
| kernel_alg_db_new() will return p_new->protoid=3, p_new->trans_cnt=1
| kernel_alg_db_new() trans[0]: transid=3, attr_cnt=1, attrs[0].type=5, attrs[0].val=2
| returning new proposal from esp_info
| creating state object #6 at 0x1b2e96c0
| processing connection 10.3.0.121-to-10.3.0.113
| ICOOKIE: b6 66 d5 9e 29 12 60 0d
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 31
| inserting state object #6 on chain 31
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #6
| event added at head of queue
| processing connection 10.3.0.121-to-10.3.0.113
| Queuing pending Quick Mode with 10.3.0.113 "10.3.0.121-to-10.3.0.113"
"10.3.0.121-to-10.3.0.113" #6: initiating v2 parent SA
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 11 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #6
| event added after event EVENT_PENDING_PHASE2
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #5
| next event EVENT_DPD in 5 seconds for #5
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing build_kenonce op id: 11
! Local DH secret:
! de bf 86 17 a3 7f 1f 26 c7 f2 fe 52 05 21 a6 55
! 32 f7 ca 9a ef 1b 28 4c 9a e3 f1 bd 7a fc ef 8f
! Public DH value sent:
! Generated nonce:
! da 87 d8 bf 72 20 4b 1b 81 f2 40 f6 f3 4b 2c 0c
|
| helper 0 has finished work (cnt now 1)
| helper 0 replies to id: q#11
| calling callback function 0x43325b
| ikev2 parent outI1: calculated ke+nonce, sending I1
| processing connection 10.3.0.121-to-10.3.0.113
| **emit ISAKMP Message:
| initiator cookie:
| b6 66 d5 9e 29 12 60 0d
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| ***emit IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| ****emit IKEv2 Proposal Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| prop #: 1
| proto ID: 1
| spi size: 0
| # transforms: 4
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 1
| transform ID: 3
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 3
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_T
| transform type: 2
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| *****emit IKEv2 Transform Substructure Payload:
| next payload type: ISAKMP_NEXT_NONE
| transform type: 4
| transform ID: 2
| emitting length of IKEv2 Transform Substructure Payload: 8
| emitting length of IKEv2 Proposal Substructure Payload: 40
| emitting length of IKEv2 Security Association Payload: 44
| ***emit IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| transform type: 2
| emitting 128 raw bytes of ikev2 g^x into IKEv2 Key Exchange Payload
| emitting length of IKEv2 Key Exchange Payload: 136
| ***emit IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| emitting 16 raw bytes of IKEv2 nonce into IKEv2 Nonce Payload
| IKEv2 nonce da 87 d8 bf 72 20 4b 1b 81 f2 40 f6 f3 4b 2c 0c
| emitting length of IKEv2 Nonce Payload: 20
| ***emit ISAKMP Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload
| Vendor ID 4f 45 51 60 4f 54 70 52 57 5e 5c 4b
| emitting length of ISAKMP Vendor ID Payload: 16
| emitting length of ISAKMP Message: 244
| sending 244 bytes for ikev2_parent_outI1_common through ether2:500 to 10.3.0.113:500 (using #6)
| deleting event for #6
| inserting event EVENT_v2_RETRANSMIT, timeout in 10 seconds for #6
| event added after event EVENT_DPD for #3
| complete v2 state transition with STF_OK
"10.3.0.121-to-10.3.0.113" #6: transition from state STATE_IKEv2_START to state STATE_PARENT_I1
"10.3.0.121-to-10.3.0.113" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
| * processed 1 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #5
| next event EVENT_DPD in 5 seconds for #5
|
| rejected packet:
| control:
| name:
| 02 00 01 f4 0a 03 00 71 00 00 00 00 00 00 00 00
"10.3.0.121-to-10.3.0.113" #6: ERROR: asynchronous network error report on ether2 (sport=500) for message to 10.3.0.113 port 500, complainant 10.3.0.121: No route to host [errno 113, origin ICMP type 3 code 1 (not authenticated)]
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 2 seconds for #5
| next event EVENT_DPD in 2 seconds for #5
|
| *received 84 bytes from 10.2.0.29:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: f0 b9 60 3a
| length: 84
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: e6 fd c8 85 01 b9 34 e7
| RCOOKIE: ab a8 1c d7 ad 95 b3 56
| state hash entry 18
| peer and cookies match on #3, provided msgid 00000000 vs 2f54329e/00000000
| peer and cookies match on #2, provided msgid 00000000 vs 00000000/00000000
| p15 state object #2 found, in STATE_MAIN_I4
| processing connection 10.2.0.27-to-10.2.0.29
| last Phase 1 IV: 42 17 98 80 f8 9e ec 04
| current Phase 1 IV: 42 17 98 80 f8 9e ec 04
| computed Phase 2 IV:
| 65 2d 7a b8 ca 56 d9 37 9b 08 17 38 e3 d2 94 c8
| a8 30 4a 14
| received encrypted packet from 10.2.0.29:500
| decrypting 56 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 0b 00 00 18 2b fa 7e 6a a6 a7 bb 68 08 5f b8 60
| 0d a9 66 d5 fe 53 18 0e 00 00 00 20 00 00 00 01
| 01 10 8d 28 e6 fd c8 85 01 b9 34 e7 ab a8 1c d7
| ad 95 b3 56 00 00 49 78
| next IV: 0c 9e 08 a1 4a e4 de 7f
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| length: 24
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 32
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE
| info: e6 fd c8 85 01 b9 34 e7 ab a8 1c d7 ad 95 b3 56
| info: 00 00 49 78
| processing informational R_U_THERE (36136)
| DPD: received R_U_THERE seq:18808 time:1329322147 (state=#2 name="10.2.0.27-to-10.2.0.29")
| **emit ISAKMP Message:
| initiator cookie:
| e6 fd c8 85 01 b9 34 e7
| responder cookie:
| ab a8 1c d7 ad 95 b3 56
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: eb 89 29 91
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE_ACK
| emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
| notify icookie e6 fd c8 85 01 b9 34 e7
| emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
| notify rcookie ab a8 1c d7 ad 95 b3 56
| emitting 4 raw bytes of notify data into ISAKMP Notification Payload
| notify data 00 00 49 78
| emitting length of ISAKMP Notification Payload: 32
| HASH computed:
| 17 73 5d 32 28 4b c4 e2 31 da 5c d1 0d 1b fd ea
| 13 d0 67 84
| last Phase 1 IV: 42 17 98 80 f8 9e ec 04
| current Phase 1 IV: 42 17 98 80 f8 9e ec 04
| computed Phase 2 IV:
| c0 60 d2 f7 fa ec 9e 18 11 f2 06 a3 ef 6f e4 e9
| 4b 5a 8c 5c
| encrypting:
| 0b 00 00 18 17 73 5d 32 28 4b c4 e2 31 da 5c d1
| 0d 1b fd ea 13 d0 67 84 00 00 00 20 00 00 00 01
| 01 10 8d 29 e6 fd c8 85 01 b9 34 e7 ab a8 1c d7
| ad 95 b3 56 00 00 49 78
| IV:
| c0 60 d2 f7 fa ec 9e 18 11 f2 06 a3 ef 6f e4 e9
| 4b 5a 8c 5c
| unpadded size is: 56
| encrypting 56 using OAKLEY_3DES_CBC
| next IV: 63 f3 83 13 d7 0a 8a 20
| emitting length of ISAKMP Message: 84
| sending 84 bytes for ISAKMP notify through ether1:500 to 10.2.0.29:500 (using #2)
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 0 seconds for #5
| *time to handle event
| handling event EVENT_DPD
| event after this is EVENT_DPD in 0 seconds
| processing connection 10.2.0.27-to-10.2.0.31
| DPD: processing for state #5 ("10.2.0.27-to-10.2.0.31")
| get esp.2f0c0dfd at 10.2.0.27
| inserting event EVENT_DPD, timeout in 5 seconds for #5
| event added after event EVENT_DPD for #3
| DPD: scheduling timeout to 5
| state: 4 requesting event none to be deleted by /root/openswan.git/programs/pluto/dpd.c:195
| inserting event EVENT_DPD_TIMEOUT, timeout in 5 seconds for #4
| event added after event EVENT_DPD for #3
| DPD: sending R_U_THERE 13033 to 10.2.0.31:500 (state #4)
| **emit ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: d6 e7 3a a8
| ***emit ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| emitting 20 zero bytes of HASH into ISAKMP Hash Payload
| emitting length of ISAKMP Hash Payload: 24
| ***emit ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE
| emitting 8 raw bytes of notify icookie into ISAKMP Notification Payload
| notify icookie e2 e4 22 2b ce 0e 80 29
| emitting 8 raw bytes of notify rcookie into ISAKMP Notification Payload
| notify rcookie da 88 c6 24 a9 13 5a b2
| emitting 4 raw bytes of notify data into ISAKMP Notification Payload
| notify data 00 00 32 e9
| emitting length of ISAKMP Notification Payload: 32
| HASH computed:
| c7 5d 58 28 97 59 e2 e5 78 ad 71 c9 60 9a 75 c7
| b7 90 37 a3
| last Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| current Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| computed Phase 2 IV:
| fd 79 d2 fa c8 18 d9 b8 82 06 9a 77 97 d4 11 da
| 10 c9 67 ab
| encrypting:
| 0b 00 00 18 c7 5d 58 28 97 59 e2 e5 78 ad 71 c9
| 60 9a 75 c7 b7 90 37 a3 00 00 00 20 00 00 00 01
| 01 10 8d 28 e2 e4 22 2b ce 0e 80 29 da 88 c6 24
| a9 13 5a b2 00 00 32 e9
| IV:
| fd 79 d2 fa c8 18 d9 b8 82 06 9a 77 97 d4 11 da
| 10 c9 67 ab
| unpadded size is: 56
| encrypting 56 using OAKLEY_3DES_CBC
| next IV: 4c fd 21 d4 5e 5a f0 2e
| emitting length of ISAKMP Message: 84
| sending 84 bytes for ISAKMP notify through ether1:500 to 10.2.0.31:500 (using #4)
| handling event EVENT_DPD
| event after this is EVENT_DPD_TIMEOUT in 5 seconds
| processing connection 10.2.0.27-to-10.2.0.29
| DPD: processing for state #3 ("10.2.0.27-to-10.2.0.29")
| DPD: not yet time for dpd event: 1329322147 < 1329322152
| inserting event EVENT_DPD, timeout in 5 seconds for #3
| event added at head of queue
| next event EVENT_DPD in 5 seconds for #3
|
| *received 84 bytes from 10.2.0.31:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| e2 e4 22 2b ce 0e 80 29
| responder cookie:
| da 88 c6 24 a9 13 5a b2
| next payload type: ISAKMP_NEXT_HASH
| ISAKMP version: ISAKMP Version 1.0 (rfc2407)
| exchange type: ISAKMP_XCHG_INFO
| flags: ISAKMP_FLAG_ENCRYPTION
| message ID: c6 07 51 2d
| length: 84
| processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5)
| ICOOKIE: e2 e4 22 2b ce 0e 80 29
| RCOOKIE: da 88 c6 24 a9 13 5a b2
| state hash entry 26
| peer and cookies match on #5, provided msgid 00000000 vs 8928ab85/00000000
| peer and cookies match on #4, provided msgid 00000000 vs 00000000/00000000
| p15 state object #4 found, in STATE_MAIN_I4
| processing connection 10.2.0.27-to-10.2.0.31
| last Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| current Phase 1 IV: 1f 2c 75 23 09 6b 5e fc
| computed Phase 2 IV:
| bb 9c 2a 39 9c e8 59 92 c8 9c 77 9d 36 78 15 a3
| e5 1b dd f7
| received encrypted packet from 10.2.0.31:500
| decrypting 56 bytes using algorithm OAKLEY_3DES_CBC
| decrypted:
| 0b 00 00 18 a1 3b 69 57 d8 6c e1 4a d0 98 c6 70
| 89 aa 9e 07 c1 5b 79 eb 00 00 00 20 00 00 00 01
| 01 10 8d 29 e2 e4 22 2b ce 0e 80 29 da 88 c6 24
| a9 13 5a b2 00 00 32 e9
| next IV: 8a f6 79 86 f2 0f a5 e2
| got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0
| ***parse ISAKMP Hash Payload:
| next payload type: ISAKMP_NEXT_N
| length: 24
| got payload 0x800(ISAKMP_NEXT_N) needed: 0x0 opt: 0x0
| ***parse ISAKMP Notification Payload:
| next payload type: ISAKMP_NEXT_NONE
| length: 32
| DOI: ISAKMP_DOI_IPSEC
| protocol ID: 1
| SPI size: 16
| Notify Message Type: R_U_THERE_ACK
| info: e2 e4 22 2b ce 0e 80 29 da 88 c6 24 a9 13 5a b2
| info: 00 00 32 e9
| processing informational R_U_THERE_ACK (36137)
| DPD: R_U_THERE_ACK, seqno received: 13033 expected: 13033 (state=#4)
| state: 4 requesting event EVENT_DPD_TIMEOUT to be deleted by /root/openswan.git/programs/pluto/dpd.c:536
| complete state transition with STF_IGNORE
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 5 seconds for #3
| next event EVENT_DPD in 5 seconds for #3
|
| *received 244 bytes from fdaa:13:cc00:2:219:dbff:fe42:14a2:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 95 00 b3 38 dc db 9a 01
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 244
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| ICOOKIE: 95 00 b3 38 dc db 9a 01
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| v2 state object not found
| ICOOKIE: 95 00 b3 38 dc db 9a 01
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 136
| transform type: 2
| processing payload: ISAKMP_NEXT_v2KE (len=136)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=fdaa:13:cc00:2:214:22ff:feb1:1679:500 him=fdaa:13:cc00:2:219:dbff:fe42:14a2:500 policy=IKEv2ALLOW
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair_conn (find_host_connection2): fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500 -> hp:fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| searching for connection with policy = IKEv2ALLOW
| found policy = PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK (fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2)
| find_host_connection2 returns fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| found connection: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| creating state object #7 at 0x1b2ea2e0
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| ICOOKIE: 95 00 b3 38 dc db 9a 01
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 6
| inserting state object #7 on chain 6
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #7
| event added at head of queue
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| will not send/process a dcookie
| 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 12 (len=2752, pcw_work=1)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #7
! helper 0 read 2744+4/2752 bytesfd: 6
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #7
! helper 0 doing build_kenonce op id: 12
| event added after event EVENT_PENDING_PHASE2
| complete v2 state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 2 seconds for #3
| next event EVENT_DPD in 2 seconds for #3
|
| *received 244 bytes from fdaa:13:cc00:2:219:dbff:fe42:14a2:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 14 26 a1 28 98 1a cb 6b
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 244
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| ICOOKIE: 14 26 a1 28 98 1a cb 6b
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 27
| v2 state object not found
| ICOOKIE: 14 26 a1 28 98 1a cb 6b
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 27
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 136
| transform type: 2
| processing payload: ISAKMP_NEXT_v2KE (len=136)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=fdaa:13:cc00:2:214:22ff:feb1:1679:500 him=fdaa:13:cc00:2:219:dbff:fe42:14a2:500 policy=IKEv2ALLOW
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair_conn (find_host_connection2): fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500 -> hp:fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| searching for connection with policy = IKEv2ALLOW
| found policy = PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK (fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2)
| find_host_connection2 returns fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| found connection: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| creating state object #8 at 0x1b2eb990
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| ICOOKIE: 14 26 a1 28 98 1a cb 6b
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 27
| inserting state object #8 on chain 27
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #8
| event added at head of queue
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| will not send/process a dcookie
| 0: w->pcw_dead: 0 w->pcw_work: 1 cnt: 1
| asking helper 0 to do build_kenonce op on seq: 13 (len=2752, pcw_work=2)
| crypto helper write of request: cnt=2752<wlen=2752.
| deleting event for #8
| inserting event EVENT_CRYPTO_FAILED, timeout in 300 seconds for #8
| event added after event EVENT_PENDING_PHASE2
| complete v2 state transition with STF_SUSPEND
| * processed 0 messages from cryptographic helpers
| next event EVENT_DPD in 2 seconds for #3
| next event EVENT_DPD in 2 seconds for #3
|
| *received 244 bytes from fdaa:13:cc00:2:219:dbff:fe42:14a2:500 on ether1 (port=500)
| **parse ISAKMP Message:
| initiator cookie:
| 69 2e 32 f9 d0 7b 0d 10
| responder cookie:
| 00 00 00 00 00 00 00 00
| next payload type: ISAKMP_NEXT_v2SA
| ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996)
| exchange type: ISAKMP_v2_SA_INIT
| flags: ISAKMP_FLAG_INIT
| message ID: 00 00 00 00
| length: 244
| processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34)
| ICOOKIE: 69 2e 32 f9 d0 7b 0d 10
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 26
| v2 state object not found
| ICOOKIE: 69 2e 32 f9 d0 7b 0d 10
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 26
| v2 state object not found
| ***parse IKEv2 Security Association Payload:
| next payload type: ISAKMP_NEXT_v2KE
| critical bit: none
| length: 44
| processing payload: ISAKMP_NEXT_v2SA (len=44)
| ***parse IKEv2 Key Exchange Payload:
| next payload type: ISAKMP_NEXT_v2Ni
| critical bit: none
| length: 136
| transform type: 2
| processing payload: ISAKMP_NEXT_v2KE (len=136)
| ***parse IKEv2 Nonce Payload:
| next payload type: ISAKMP_NEXT_v2V
| critical bit: none
| length: 20
| processing payload: ISAKMP_NEXT_v2Ni (len=20)
| ***parse IKEv2 Vendor ID Payload:
| next payload type: ISAKMP_NEXT_NONE
| critical bit: none
| length: 16
| processing payload: ISAKMP_NEXT_v2V (len=16)
| find_host_connection2 called from ikev2parent_inI1outR1, me=fdaa:13:cc00:2:214:22ff:feb1:1679:500 him=fdaa:13:cc00:2:219:dbff:fe42:14a2:500 policy=IKEv2ALLOW
| find_host_pair: comparing to fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500
| find_host_pair_conn (find_host_connection2): fdaa:13:cc00:2:214:22ff:feb1:1679:500 fdaa:13:cc00:2:219:dbff:fe42:14a2:500 -> hp:fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| searching for connection with policy = IKEv2ALLOW
| found policy = PSK+ENCRYPT+PFS+!IKEv1+IKEv2ALLOW+IKEv2Init+SAREFTRACK (fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2)
| find_host_connection2 returns fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| found connection: fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| creating state object #9 at 0x1b2ed040
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| ICOOKIE: 69 2e 32 f9 d0 7b 0d 10
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 26
| inserting state object #9 on chain 26
| inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #9
| event added at head of queue
| processing connection fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2
| will not send/process a dcookie
| 0: w->pcw_dead: 0 w->pcw_work: 2 cnt: 1
| failed to find any available worker (import=import:respond to stranger)
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #9: can not start crypto helper: failed to find any available worker
"fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2" #9: system too busy
| deleting state #9
| disconnecting state #9 from md
| deleting event for #9
| no suspended cryptographic state for 9
| ICOOKIE: 69 2e 32 f9 d0 7b 0d 10
| RCOOKIE: 00 00 00 00 00 00 00 00
| state hash entry 26
| complete v2 state transition with STF_TOOMUCHCRYPTO
! Local DH secret:
! 53 1e 94 fd b1 c2 6f 95 40 34 ce e2 20 dc 79 57
! e6 8c 8f 11 84 15 73 c3 25 be be 35 f9 7d e1 1a
! Public DH value sent:
! Generated nonce:
! dd 21 37 cd c3 4e 39 9f 52 a1 08 40 6e de 43 5b
! helper 0 read 2744+4/2752 bytesfd: 6
! helper 0 doing build_kenonce op id: 13
! Local DH secret:
! 67 dc 0e 7c 1b 49 0f b2 1f 3a d8 5d d7 3d 6d 23
! 25 d9 63 35 13 1b df 3a 15 0f 1b b9 45 fc 32 6f
! Public DH value sent:
! Generated nonce:
! 4d 3f c9 5b ec 02 89 e9 d2 8e 76 39 b1 c7 dc 84
-------------- next part --------------
[admin at tb7 output]# logtail | egrep -i pluto\|ipsec\|crypto
Feb 15 08:09:01 tb7 pm[13944]: [322141.163617] [pm.NOTICE]: Restarting process ipsec (IPSec Daemon [pluto]) after crash or unexpected exit of process ipsec (IPSec Daemon [pluto])
Feb 15 08:09:01 tb7 pm[13944]: [322141.165628] [pm.NOTICE]: Launched ipsec (IPSec Daemon [pluto]) with pid 16621
Feb 15 08:09:01 tb7 pm[13944]: [322141.171002] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Restoring crypto policy and SA database
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Restoring crypto policy and SA database
Feb 15 08:09:01 tb7 pm[13944]: [322141.174293] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Flushed crypto policy database
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Flushed crypto policy database
Feb 15 08:09:01 tb7 pm[13944]: [322141.177454] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Flushed crypto SA database
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Flushed crypto SA database
Feb 15 08:09:01 tb7 pm[13944]: [322141.181335] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Crypto IPsec not properly shut down...
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Crypto IPsec not properly shut down...
Feb 15 08:09:01 tb7 pm[13944]: [322141.194938] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Stopping Openswan IPsec...
Feb 15 08:09:01 tb7 pm[13944]: [322141.197877] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Removing orphaned /var/run/pluto/pluto.pid:
Feb 15 08:09:01 tb7 pm[13944]: [322141.209965] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): ERROR: Module ipcomp does not exist in /proc/modules
Feb 15 08:09:01 tb7 ipsec_setup: ...Openswan IPsec stopped
Feb 15 08:09:01 tb7 pm[13944]: [322141.345207] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Starting ipsec
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Starting ipsec
Feb 15 08:09:01 tb7 pm[13944]: [322141.347039] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Calling ipsec _realsetup start
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.INFO]: Calling ipsec _realsetup start
Feb 15 08:09:01 tb7 pm[13944]: [322141.375133] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Starting Openswan IPsec U2.6.master-201205.git-g11dd7970-dirty/K2.6.18-274.7.1.el5TMSEXAMPLEuni...
Feb 15 08:09:01 tb7 ipsec_setup: Using NETKEY(XFRM) stack
Feb 15 08:09:01 tb7 ipsec__plutorun: Starting Pluto subsystem...
Feb 15 08:09:01 tb7 pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 15 08:09:01 tb7 ipsec_setup: ...Openswan IPsec started
Feb 15 08:09:01 tb7 pm[13944]: [322141.794785] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): Restored crypto policy and SA databases
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.NOTICE]: Restored crypto policy and SA databases
Feb 15 08:09:01 tb7 pm[13944]: [322141.799798] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): ====== Crypto IPsec started ipsec at 20120215-080901
Feb 15 08:09:01 tb7 ipsec_startup[16621]: [ipsec_startup.INFO]: ====== Crypto IPsec started ipsec at 20120215-080901
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "10.2.0.27-to-10.2.0.29"
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "10.2.0.27-to-10.2.0.31"
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "10.3.0.121-to-10.3.0.113"
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:214:22ff:fe09:6ffd"
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "fdaa:13:cc00:2:214:22ff:feb1:1679-to-fdaa:13:cc00:2:219:dbff:fe42:14a2"
Feb 15 08:09:01 tb7 ipsec__plutorun: 002 added connection description "fdaa:13:cc00:3:214:22ff:feb1:167a-to-fdaa:13:cc00:3:219:dbff:fe42:14a3"
Feb 15 08:09:02 tb7 ipsec__plutorun: 104 "10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I1: initiate
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [Openswan (this version) 2.6.master-201205.git-g11dd7970-dirty ]
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [Dead Peer Detection]
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.29" #2: received Vendor ID payload [RFC 3947] method set to=109
Feb 15 08:09:02 tb7 ipsec__plutorun: 106 "10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.29" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 15 08:09:02 tb7 ipsec__plutorun: 108 "10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 15 08:09:02 tb7 ipsec__plutorun: 004 "10.2.0.27-to-10.2.0.29" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 15 08:09:02 tb7 ipsec__plutorun: 117 "10.2.0.27-to-10.2.0.29" #3: STATE_QUICK_I1: initiate
Feb 15 08:09:02 tb7 ipsec__plutorun: 004 "10.2.0.27-to-10.2.0.29" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x285ab2a2 <0x6d602c58 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Feb 15 08:09:02 tb7 ipsec__plutorun: 104 "10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I1: initiate
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.31" #4: ignoring unknown Vendor ID payload [4f454b705270417f765b6b59]
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.31" #4: received Vendor ID payload [Dead Peer Detection]
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.31" #4: received Vendor ID payload [RFC 3947] method set to=109
Feb 15 08:09:02 tb7 ipsec__plutorun: 106 "10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I2: sent MI2, expecting MR2
Feb 15 08:09:02 tb7 ipsec__plutorun: 003 "10.2.0.27-to-10.2.0.31" #4: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Feb 15 08:09:02 tb7 ipsec__plutorun: 108 "10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I3: sent MI3, expecting MR3
Feb 15 08:09:02 tb7 ipsec__plutorun: 004 "10.2.0.27-to-10.2.0.31" #4: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Feb 15 08:09:02 tb7 ipsec__plutorun: 117 "10.2.0.27-to-10.2.0.31" #5: STATE_QUICK_I1: initiate
Feb 15 08:09:02 tb7 ipsec__plutorun: 004 "10.2.0.27-to-10.2.0.31" #5: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xc8304691 <0x2f0c0dfd xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
Feb 15 08:09:10 tb7 kernel: pluto[16864]: segfault at 0000000000000030 rip 0000000000432b08 rsp 00007fff83127820 error 6
Feb 15 08:09:10 tb7 ipsec__plutorun: /usr/libexec/ipsec/_plutorun: line 246: 16864 Segmentation fault (core dumped) /usr/libexec/ipsec/pluto --nofork --secretsfile /etc/ipsec.secrets --ipsecdir /etc/ipsec.d --debug-all --debug-raw --debug-crypt --debug-parsing --debug-emitting --debug-control --debug-lifecycle --debug-klips --debug-dns --debug-oppo --debug-oppoinfo --debug-controlmore --debug-x509 --debug-dpd --debug-pfkey --debug-natt --debug-nattraversal --use-netkey --uniqueids --nat_traversal --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10 --stderrlog 2>> /tmp/pluto.log
Feb 15 08:09:10 tb7 ipsec__plutorun: 133 "10.3.0.121-to-10.3.0.113" #6: STATE_PARENT_I1: initiate
Feb 15 08:09:10 tb7 ipsec__plutorun: 133 "10.3.0.121-to-10.3.0.113" #6: STATE_PARENT_I1: sent v2I1, expected v2R1
Feb 15 08:09:10 tb7 ipsec__plutorun: whack: is Pluto running? connect() for "/var/run/pluto/pluto.ctl" failed (111 Connection refused)
Feb 15 08:09:10 tb7 pm[13944]: [322150.832478] [pm.NOTICE]: Output from ipsec (IPSec Daemon [pluto]) (pid 16621): ====== Crypto IPsec stopped ipsec at 20120215-080910 with status 0: ====== Crypto IPsec (pluto) died unexpectedly
Feb 15 08:09:10 tb7 ipsec_startup[16621]: [ipsec_startup.INFO]: ====== Crypto IPsec stopped ipsec at 20120215-080910 with status 0: ====== Crypto IPsec (pluto) died unexpectedly
Feb 15 08:09:10 tb7 pm[13944]: [322150.834381] [pm.INFO]: Closed output logging pipe(s) for process ipsec (IPSec Daemon [pluto])
Feb 15 08:09:10 tb7 pm[13944]: [322150.834533] [pm.INFO]: Process ipsec (IPSec Daemon [pluto]) (pid 16621) exited with code 0
Feb 15 08:09:10 tb7 pm[13944]: [322150.834815] [pm.NOTICE]: Process ipsec (IPSec Daemon [pluto]) terminated unexpectedly, but left nothing that we recognized as a core file
Feb 15 08:09:10 tb7 pm[13944]: [322150.835040] [pm.INFO]: Forking then execing binary /bin/sh with argv "/bin/sh /sbin/afail.sh -n ipsec -b /usr/libexec/ipsec/pluto -l /usr/sbin/ipsec_startup.sh -p 0 -u \"9.669s\"".
Feb 15 08:09:10 tb7 mgmtd[13945]: [322150.835773] [mgmtd.INFO]: Crypto module: Flushing the crypto SA database
Feb 15 08:09:10 tb7 pm[13944]: [322150.843462] [pm.NOTICE]: Waiting 1 hour before applying restart action to ipsec (IPSec Daemon [pluto])
Feb 15 08:09:10 tb7 mgmtd[13945]: [322150.843726] [mgmtd.INFO]: Crypto module: handled pm event ipsec terminated