/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec add west-east
"west-east": added IKEv1 connection
west #
 ipsec whack --impair suppress_retransmits
west #
 ipsec whack --impair revival
west #
 ipsec route west-east
west #
 # Initiate; during IKE_AUTH the child should fail and the connection
west #
 # put on to the revival queue
west #
 ipsec up west-east
"west-east" #1: initiating IKEv1 Main Mode connection
"west-east" #1: sent Main Mode request
"west-east" #1: sent Main Mode I2
"west-east" #1: sent Main Mode I3
"west-east" #1: Peer ID is FQDN: '@east'
"west-east" #1: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"west-east" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+ROUTE+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
"west-east" #2: sent Quick Mode request
"west-east" #2: STATE_QUICK_I1: 60 second timeout exceeded after 0 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"west-east" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"west-east" #2: IMPAIR: revival: skip scheduling revival event
"west-east" #2: deleting IPsec SA (QUICK_I1) and NOT sending notification
ERROR: "west-east" #2: netlink response for Del SA esp.ESPSPIi@192.1.2.45: No such process (errno 3)
west #
 # expect the on-demand kernel policy
west #
 ipsec _kernel policy
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
west #
 # Trigger an acquire; this fast track the revival using
west #
 # CREATE_CHILD_SA and again it will fail
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ../../guestbin/wait-for-pluto.sh '#3: IMPAIR: revival'
timeout waiting 30 seconds for cat /tmp/pluto.log to match #3: IMPAIR: revival
output: |    next payload type: ISAKMP_NEXT_KE (0x4)
output: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
output: |    exchange type: ISAKMP_XCHG_IDPROT (0x2)
output: |    flags: none (0x0)
output: |    Message ID: 0 (00 00 00 00)
output: |    length: 396 (00 00 01 8c)
output: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
output: | State DB: found IKEv1 state #1 in MAIN_I2 (find_state_ikev1)
output: | #1 is idle
output: | #1 idle
output: | got payload 0x10 (ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080
output: | ***parse ISAKMP Key Exchange Payload:
output: |    next payload type: ISAKMP_NEXT_NONCE (0xa)
output: |    length: 260 (01 04)
output: | got payload 0x400 (ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080
output: | ***parse ISAKMP Nonce Payload:
output: |    next payload type: ISAKMP_NEXT_NATD_RFC (0x14)
output: |    length: 36 (00 24)
output: | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080
output: | ***parse ISAKMP NAT-D Payload:
output: |    next payload type: ISAKMP_NEXT_NATD_RFC (0x14)
output: |    length: 36 (00 24)
output: | got payload 0x100000 (ISAKMP_NEXT_NATD_RFC) needed: 0x0 opt: 0x102080
output: | ***parse ISAKMP NAT-D Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    length: 36 (00 24)
output: | message 'main_inR2_outI3' HASH payload not checked early
output: | main_inR2_outI3: delref DH shared secret-key@NULL
output: | main_inR2_outI3: delref skeyid-key@NULL
output: | main_inR2_outI3: delref skeyid_d-key@NULL
output: | main_inR2_outI3: delref skeyid_a-key@NULL
output: | main_inR2_outI3: delref skeyid_e-key@NULL
output: | main_inR2_outI3: delref enc_key-key@NULL
output: | submitting DH shared secret for #1/#1 (main_inR2_outI3() +925 programs/pluto/ikev1_main.c)
output: | struct dh_local_secret: addref @0x7ff4d0f6ffd8(1->2) (submit_dh_shared_secret() +212 programs/pluto/crypt_dh.c)
output: | job: newref @0x7ff4d0f80f98(0->1) (submit_task() +331 programs/pluto/server_pool.c)
output: | clone logger: newref @0x7ff4d060efc8(0->1) (submit_task() +358 programs/pluto/server_pool.c)
output: | "west-east" #1: attach whack fd@0x7ff4d106efe8 to logger 0x7ff4d060efc8 slot 0 (submit_task() +358 programs/pluto/server_pool.c)
output: | struct fd: addref @0x7ff4d106efe8(2->3) (submit_task() +358 programs/pluto/server_pool.c)
output: | job 2 helper 0 #1 main_inR2_outI3 (dh): added to pending queue
output: | event_schedule_where: newref EVENT_CRYPTO_TIMEOUT-pe@0x7ff4d0610fa8 timeout in 60 seconds for #1
output: | tt: newref @0x7ff4d0612f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | complete v1 state transition with STF_SUSPEND
output: | suspend: saving MD@0x7ff4d0f73668 in state #1 (complete_v1_state_transition() +2417 programs/pluto/ikev1.c)
output: | struct msg_digest: addref @0x7ff4d0f73668(1->2) (complete_v1_state_transition() +2417 programs/pluto/ikev1.c)
output: | #1 is busy; has suspended MD 0x7ff4d0f73668
output: | #1 requesting EVENT_RETRANSMIT-event@0x7ff4d0f78fa8 be deleted (clear_retransmits() +108 programs/pluto/retransmit.c)
output: | #1 deleting EVENT_RETRANSMIT
output: | tt: delref @0x7ff4d0f7af68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0f78fa8(1->0) (clear_retransmits() +108 programs/pluto/retransmit.c)
output: | #1 STATE_MAIN_I2: retransmits: cleared
output: | #1 spent 0.482 (2.65) milliseconds in process_packet_tail()
output: | IKEv1 packet dropped
output: | packet from 192.1.2.23:500: delref @0x7ff4d0f73668(2->1) (process_iface_packet() +296 programs/pluto/demux.c)
output: | spent 1.21 (8.98) milliseconds in process_iface_packet() reading and processing packet
output: | job 2 helper 1 #1 main_inR2_outI3 (dh): started
output: | newref : g_ir-key@0x7ff4d0fe0f80 (256-bytes, CONCATENATE_DATA_AND_BASE)
output: | job 2 helper 1 #1 main_inR2_outI3 (dh): finished
output: | "west-east" #1: spent 1.91 (3.49) milliseconds in job 2 helper 1 #1 main_inR2_outI3 (dh)
output: | scheduling resume sending job back to main thread for #1
output: | tt: newref @0x7ff4d0614f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | helper 1: waiting for work
output: | processing resume sending job back to main thread for #1
output: | suspend: restoring MD@0x7ff4d0f73668 from state #1 (resume_handler() +641 programs/pluto/server.c)
output: | job 2 helper 1 #1 main_inR2_outI3 (dh): calling state's callback function
output: | completing DH shared secret for #1/#1
output: | complete_dh_shared_secret: delref st_dh_shared_secret-key@NULL
output: | main_inR2_outI3_continue for #1: calculated DH, sending R1
output: | lsw_get_secret() using IDs for @west->@east of kind SECRET_PSK
output: | line 1: key type SECRET_PSK(@west) to type SECRET_PSK
output: | 1: compared key @west to @west / @east -> 8
output: | 2: compared key @east to @west / @east -> c
output: |   match=c
output: |   match c beats previous best_match 0 match=0x7ff4d05e2f68 (line=1)
output: | concluding with best_match=c best=0x7ff4d05e2f68 (lineno=1)
output: |     result: newref psk-key@0x7ff4d10d8f80 (52-bytes, EXTRACT_KEY_FROM_KEY)(merge_symkey_bytes() +222 lib/libswan/crypt_symkey.c)
output: |     result: newref psk-key@0x7ff4d117ef80 (36-bytes, SHA256_HMAC)(pre_shared_key_skeyid() +66 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: | psk: delref tmp-key@0x7ff4d10d8f80
output: |     result: newref skeyid-key@0x7ff4d10d8f80 (32-bytes, NSS_IKE1_PRF_DERIVE)(pre_shared_key_skeyid() +89 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: | SKEYID psk: delref psk-key@0x7ff4d117ef80
output: | NSS: #1 pointers skeyid_d (nil),  skeyid_a (nil),  skeyid_e (nil),  enc_key (nil)
output: |     result: newref skeyid_d-key@0x7ff4d117ef80 (32-bytes, EXTRACT_KEY_FROM_KEY)(skeyid_d() +121 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: |     result: newref skeyid_a-key@0x7ff4d11bef80 (32-bytes, EXTRACT_KEY_FROM_KEY)(skeyid_a() +152 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: |     result: newref skeyid_e-key@0x7ff4d0fcbf80 (32-bytes, EXTRACT_KEY_FROM_KEY)(skeyid_e() +183 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: |     result: newref keymat_e-key@0x7ff4d10d6f80 (32-bytes, AES_CBC)(appendix_b_keymat_e() +216 lib/libswan/ike_alg_prf_ikev1_nss_ops.c)
output: | NSS: #1 pointers skeyid_d 0x7ff4d117ef80,  skeyid_a 0x7ff4d11bef80,  skeyid_e 0x7ff4d0fcbf80,  enc_key 0x7ff4d10d6f80
output: | opening output PBS reply packet
output: | **emit ISAKMP Message:
output: |    initiator SPI: ec 17 79 fe  a9 81 79 66
output: |    responder SPI: de 4d e9 3b  ce 1e 43 08
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
output: |    exchange type: ISAKMP_XCHG_IDPROT (0x2)
output: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
output: |    Message ID: 0 (00 00 00 00)
output: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
output: | thinking about whether to send my certificate:
output: |   I have RSA key: OAKLEY_PRESHARED_KEY cert.type: 0 
output: |   sendcert: CERT_ALWAYSSEND and I did not get a certificate request 
output: |   so do not send cert.
output: | I did not send a certificate because digital signatures are not being used. (PSK)
output: |  I am not sending a certificate request
output: | I will NOT send an initial contact payload
output: | init checking NAT-T: global enabled; conn enabled; vid RFC 3947 (NAT-Traversal)
output: | natd_hash: hasher=0x561a49edae20(32)
output: | natd_hash: icookie=
output: |   ec 17 79 fe  a9 81 79 66                             ..y...yf
output: | natd_hash: rcookie=
output: |   de 4d e9 3b  ce 1e 43 08                             .M.;..C.
output: | natd_hash: ip=
output: |   c0 01 02 2d                                          ...-
output: | natd_hash: port=
output: |   01 f4                                                ..
output: | natd_hash: hash=
output: |   d3 aa 19 a2  6b a4 09 f4  00 c6 bd 97  56 66 c7 b1   ....k.......Vf..
output: |   ed 1c 15 ed  5e 6e 58 2f  49 a0 63 b5  d0 9c 4e a9   ....^nX/I.c...N.
output: | natd_hash: hasher=0x561a49edae20(32)
output: | natd_hash: icookie=
output: |   ec 17 79 fe  a9 81 79 66                             ..y...yf
output: | natd_hash: rcookie=
output: |   de 4d e9 3b  ce 1e 43 08                             .M.;..C.
output: | natd_hash: ip=
output: |   c0 01 02 17                                          ....
output: | natd_hash: port=
output: |   01 f4                                                ..
output: | natd_hash: hash=
output: |   76 1b 2b ff  4e 77 c3 74  79 c1 f7 0d  9d e6 4a 6b   v.+.Nw.ty.....Jk
output: |   ed 50 5f d9  d3 09 99 90  f7 50 5a aa  67 7c fd f4   .P_......PZ.g|..
output: | expected NAT-D(local):
output: |   d3 aa 19 a2  6b a4 09 f4  00 c6 bd 97  56 66 c7 b1   ....k.......Vf..
output: |   ed 1c 15 ed  5e 6e 58 2f  49 a0 63 b5  d0 9c 4e a9   ....^nX/I.c...N.
output: | expected NAT-D(remote):
output: |   76 1b 2b ff  4e 77 c3 74  79 c1 f7 0d  9d e6 4a 6b   v.+.Nw.ty.....Jk
output: |   ed 50 5f d9  d3 09 99 90  f7 50 5a aa  67 7c fd f4   .P_......PZ.g|..
output: | received NAT-D:
output: |   d3 aa 19 a2  6b a4 09 f4  00 c6 bd 97  56 66 c7 b1   ....k.......Vf..
output: |   ed 1c 15 ed  5e 6e 58 2f  49 a0 63 b5  d0 9c 4e a9   ....^nX/I.c...N.
output: | received NAT-D:
output: |   76 1b 2b ff  4e 77 c3 74  79 c1 f7 0d  9d e6 4a 6b   v.+.Nw.ty.....Jk
output: |   ed 50 5f d9  d3 09 99 90  f7 50 5a aa  67 7c fd f4   .P_......PZ.g|..
output: | NAT_TRAVERSAL encaps using auto-detect
output: | NAT_TRAVERSAL this end is NOT behind NAT
output: | NAT_TRAVERSAL that end is NOT behind NAT
output: | NAT_TRAVERSAL nat-keepalive enabled 192.1.2.23:500
output: | NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
output: |  NAT_T_WITH_KA detected
output: | global one-shot timer EVENT_NAT_T_KEEPALIVE scheduled in 20 seconds
output: | ***emit ISAKMP Identification Payload (IPsec DOI):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ID type: ID_FQDN (0x2)
output: |    Protocol ID: ALL (0x0)
output: |    port: 0 (00 00)
output: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
output: | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
output: | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI)
output: | my identity: 77 65 73 74
output: | emitting length of ISAKMP Identification Payload (IPsec DOI): 12
output: |     result: newref clone-key@0x7ff4d0625f80 (32-bytes, SHA256_HMAC)(init_symkey() +101 lib/libswan/ike_alg_prf_mac_nss_ops.c)
output: | main mode: delref clone-key@0x7ff4d0625f80
output: | ***emit ISAKMP Hash Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
output: | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet'
output: | emitting 32 raw bytes of HASH_I into ISAKMP Hash Payload
output: |   a9 ed 40 b3  f3 8e a7 7e  e0 e5 b7 d7  9e 8f f8 9e   ..@....~........
output: |   31 d7 13 d5  75 2a 02 86  3f 32 b9 d8  e5 14 e9 1b   1...u*..?2......
output: | emitting length of ISAKMP Hash Payload: 36
output: | Not sending INITIAL_CONTACT
output: | no IKEv1 message padding required
output: | emitting length of ISAKMP Message: 76
output: | job 2 helper 1 #1 main_inR2_outI3 (dh): final status STF_OK; cleaning up
output: | delref @0x7ff4d0f6ffd8(2->1) (cleanup_dh_shared_secret() +170 programs/pluto/crypt_dh.c)
output: | DH: delref secret-key@NULL
output: | "west-east" #1: detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d060efc8 slot 0 (free_job() +430 programs/pluto/server_pool.c)
output: | delref @0x7ff4d106efe8(3->2) (free_job() +430 programs/pluto/server_pool.c)
output: | logger: delref @0x7ff4d060efc8(1->0) (free_job() +430 programs/pluto/server_pool.c)
output: | job: delref @0x7ff4d0f80f98(1->0) (free_job() +431 programs/pluto/server_pool.c)
output: | complete v1 state transition with STF_OK
output: | #1 is idle
output: | doing_xauth:no, t_xauth_client_done:no
output: | parent state #1: MAIN_I2(open IKE SA) => MAIN_I3(open IKE SA)
output: | #1 deleting EVENT_CRYPTO_TIMEOUT
output: | tt: delref @0x7ff4d0612f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0610fa8(1->0) (delete_event() +534 programs/pluto/timer.c)
output: | #1 STATE_MAIN_I3: retransmits: cleared
output: | sending 76 bytes for main_inR2_outI3 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 using UDP (for #1)
output: |   ec 17 79 fe  a9 81 79 66  de 4d e9 3b  ce 1e 43 08   ..y...yf.M.;..C.
output: |   05 10 02 01  00 00 00 00  00 00 00 4c  d7 f0 17 c3   ...........L....
output: |   b8 28 fb 13  76 b6 db af  ff 45 95 b5  0b 05 18 61   .(..v....E.....a
output: |   62 11 36 54  43 54 2b 5c  0e 3b 36 8a  3b 9e 7d a3   b.6TCT+\.;6.;.}.
output: |   92 c0 e5 5c  ef dd f1 61  34 7a 85 fe                ...\...a4z..
output: | event_schedule_where: newref EVENT_RETRANSMIT-pe@0x7ff4d0632fa8 timeout in 60 seconds for #1
output: | tt: newref @0x7ff4d0f7cf68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | #1 STATE_MAIN_I3: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 12.424312
output: "west-east" #1: sent Main Mode I3
output: | modecfg pull: noquirk policy:push not-client
output: | phase 1 is done, looking for phase 2 to unpend
output: | packet from 192.1.2.23:500: delref @0x7ff4d0f73668(1->0) (resume_handler() +687 programs/pluto/server.c)
output: | packet from 192.1.2.23:500: releasing whack (but there are none) (resume_handler() +687 programs/pluto/server.c)
output: | logger: delref @0x7ff4d1070fc8(1->0) (resume_handler() +687 programs/pluto/server.c)
output: | delref @0x7ff4d1074f38(3->2) (resume_handler() +687 programs/pluto/server.c)
output: | #1 spent 4.78 (18) milliseconds in resume sending job back to main thread
output: | tt: delref @0x7ff4d0614f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | spent 0.00168 (0.00167) milliseconds in udp_read_packet() calling check_incoming_msg_errqueue()
output: | struct msg_digest: newref @0x7ff4d0f737a8(0->1) (udp_read_packet() +249 programs/pluto/iface_udp.c)
output: | struct iface_endpoint: addref @0x7ff4d1074f38(2->3) (udp_read_packet() +249 programs/pluto/iface_udp.c)
output: | alloc logger: newref @0x7ff4d1070fc8(0->1) (udp_read_packet() +249 programs/pluto/iface_udp.c)
output: | *received 76 bytes from 192.1.2.23:500 on eth1 192.1.2.45:500 using UDP
output: |   ec 17 79 fe  a9 81 79 66  de 4d e9 3b  ce 1e 43 08   ..y...yf.M.;..C.
output: |   05 10 02 01  00 00 00 00  00 00 00 4c  ac ce 10 ce   ...........L....
output: |   d3 5f 9c 9e  39 0b 03 6a  0e f5 35 17  fc 02 dd e1   ._..9..j..5.....
output: |   a1 9c 1b 7e  49 eb 6c d3  74 57 41 0f  57 da 56 92   ...~I.l.tWA.W.V.
output: |   65 3c b2 81  0f dc cd ce  36 21 70 53                e<......6!pS
output: | **parse ISAKMP Message:
output: |    initiator SPI: ec 17 79 fe  a9 81 79 66
output: |    responder SPI: de 4d e9 3b  ce 1e 43 08
output: |    next payload type: ISAKMP_NEXT_ID (0x5)
output: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
output: |    exchange type: ISAKMP_XCHG_IDPROT (0x2)
output: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
output: |    Message ID: 0 (00 00 00 00)
output: |    length: 76 (00 00 00 4c)
output: |  processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2)
output: | State DB: found IKEv1 state #1 in MAIN_I3 (find_state_ikev1)
output: | #1 is idle
output: | #1 idle
output: | received encrypted packet from 192.1.2.23:500
output: | got payload 0x20 (ISAKMP_NEXT_ID) needed: 0x120 opt: 0x2080
output: | ***parse ISAKMP Identification Payload:
output: |    next payload type: ISAKMP_NEXT_HASH (0x8)
output: |    length: 12 (00 0c)
output: |    ID type: ID_FQDN (0x2)
output: |    DOI specific A: 0 (00)
output: |    DOI specific B: 0 (00 00)
output: |      obj: 
output: |   65 61 73 74                                          east
output: | got payload 0x100 (ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x2080
output: | ***parse ISAKMP Hash Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    length: 36 (00 24)
output: | message 'main_inR3' HASH payload not checked early
output: "west-east" #1: Peer ID is FQDN: '@east'
output: | rhc: peer ID matches and no certificate payload - continuing with peer ID @east
output: |     result: newref clone-key@0x7ff4d0625f80 (32-bytes, SHA256_HMAC)(init_symkey() +101 lib/libswan/ike_alg_prf_mac_nss_ops.c)
output: | main mode: delref clone-key@0x7ff4d0625f80
output: | received message HASH_R data ok
output: | authentication succeeded
output: | wipe_old_connections() contemplating releasing older self
output: | FOR_EACH_CONNECTION[that_id_eq=@east].... in (wipe_old_connections() +2160 programs/pluto/state.c)
output: |   found "west-east"
output: |   matches: 1
output: | "west-east": addref @0x7ff4d1066a78(3->4) "west-east" #1:  (dispatch() +2436 programs/pluto/routing.c)
output: | "west-east" #1: routing: start ESTABLISH_IKE, ROUTED_NEGOTIATION, PERMANENT; ISAKMP #1 (MAIN_I3) by=PEER; $1@0x7ff4d1066a78; routing_sa #1 negotiating_ike_sa #1 (ISAKMP_SA_established() +3023 programs/pluto/ikev1.c)
output: | "west-east" #1: routing: stop ESTABLISH_IKE, ROUTED_NEGOTIATION, PERMANENT; ok=yes; routing_sa #1 negotiating_ike_sa #1 established_ike_sa #0->#1 (ISAKMP_SA_established() +3023 programs/pluto/ikev1.c)
output: | "west-east": delref @0x7ff4d1066a78(4->3) "west-east" #1:  (dispatch() +2450 programs/pluto/routing.c)
output: | complete v1 state transition with STF_OK
output: | #1 is idle
output: | doing_xauth:no, t_xauth_client_done:no
output: | parent state #1: MAIN_I3(open IKE SA) => MAIN_I4(established IKE SA)
output: | #1 requesting EVENT_RETRANSMIT-event@0x7ff4d0632fa8 be deleted (clear_retransmits() +108 programs/pluto/retransmit.c)
output: | #1 deleting EVENT_RETRANSMIT
output: | tt: delref @0x7ff4d0f7cf68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0632fa8(1->0) (clear_retransmits() +108 programs/pluto/retransmit.c)
output: | #1 STATE_MAIN_I4: retransmits: cleared
output: | event_schedule_where: newref EVENT_v1_REPLACE-pe@0x7ff4d0f6dfa8 timeout in 28163 seconds for #1
output: | tt: newref @0x7ff4d0f76f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | pstats #1 ikev1.isakmp established
output: "west-east" #1: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
output: | "west-east" #1: DPD: dpd_init() called on ISAKMP SA
output: | "west-east" #1: DPD: Peer supports Dead Peer Detection
output: | "west-east" #1: DPD: not initializing DPD because DPD is disabled locally
output: | modecfg pull: noquirk policy:push not-client
output: | phase 1 is done, looking for phase 2 to unpend
output: | pending: unpending state 0x7ff4d05f6348 #1 pending 0x7ff4d05fafa8
output: | pending: unpend() ike 0x7ff4d05f6348 pending 0x7ff4d05fafa8 connection 0x7ff4d1066a78 ike 0x7ff4d05f6348
output: | struct fd: addref @0x7ff4d106efe8(2->3) (unpend() +325 programs/pluto/pending.c)
output: | "west-east": attach whack fd@0x7ff4d106efe8 to empty logger 0x7ff4d05d6fc8 slot 0
output: | struct iface_endpoint: addref @0x7ff4d1074f38(3->4) (duplicate_state() +1198 programs/pluto/state.c)
output: | alloc logger: newref @0x7ff4d0f7cfc8(0->1) (duplicate_state() +1206 programs/pluto/state.c)
output: | struct fd: addref @0x7ff4d106efe8(3->4) (new_state() +482 programs/pluto/state.c)
output: |  #0: attach whack fd@0x7ff4d106efe8 to empty logger 0x7ff4d0f7cfc8 slot 0
output: | "west-east": addref @0x7ff4d1066a78(3->4)  #2:  (new_state() +491 programs/pluto/state.c)
output: | creating state object #2 at 0x7ff4d0632348
output: | pstats #2 ikev1.ipsec started
output: | duplicating state object #1 "west-east" as #2 for IPSEC SA
output: | #2 setting local endpoint to 192.1.2.45:500 from #1.st_localport (duplicate_state() +1220 programs/pluto/state.c)
output: | duplicate_state: addref st_skeyid_nss-key@0x7ff4d10d8f80
output: | duplicate_state: addref st_skey_d_nss-key@0x7ff4d117ef80
output: | duplicate_state: addref st_skey_ai_nss-key@0x7ff4d11bef80
output: | duplicate_state: addref st_skey_ar_nss-key@NULL
output: | duplicate_state: addref st_skey_ei_nss-key@0x7ff4d0fcbf80
output: | duplicate_state: addref st_skey_er_nss-key@NULL
output: | duplicate_state: addref st_skey_pi_nss-key@NULL
output: | duplicate_state: addref st_skey_pr_nss-key@NULL
output: | duplicate_state: addref st_enc_key_nss-key@0x7ff4d10d6f80
output: | child state #2: UNDEFINED(ignore) => QUICK_I1(established CHILD SA)
output: "west-east" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+ROUTE+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
output: | job: newref @0x7ff4d060ef98(0->1) (submit_task() +331 programs/pluto/server_pool.c)
output: | clone logger: newref @0x7ff4d0612fc8(0->1) (submit_task() +358 programs/pluto/server_pool.c)
output: | "west-east" #2: attach whack fd@0x7ff4d106efe8 to logger 0x7ff4d0612fc8 slot 0 (submit_task() +358 programs/pluto/server_pool.c)
output: | struct fd: addref @0x7ff4d106efe8(4->5) (submit_task() +358 programs/pluto/server_pool.c)
output: | job 3 helper 0 #2 quick_outI1 (dh): added to pending queue
output: | event_schedule_where: newref EVENT_CRYPTO_TIMEOUT-pe@0x7ff4d0614fa8 timeout in 60 seconds for #2
output: | tt: newref @0x7ff4d0668f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | "west-east": addref @0x7ff4d1066a78(4->5) "west-east" #2:  (dispatch() +2436 programs/pluto/routing.c)
output: | "west-east" #2: routing: start INITIATED, ROUTED_NEGOTIATION, PERMANENT; ISAKMP #1 (MAIN_I4) IPsec #2 (QUICK_I1) by=PENDING; $1@0x7ff4d1066a78; routing_sa #1 negotiating_ike_sa #1 established_ike_sa #1 (unpend() +332 programs/pluto/pending.c)
output: | "west-east" #2: routing:   Child SA's IKE SA matches .routing_sa
output: | "west-east" #2: routing: stop INITIATED, ROUTED_NEGOTIATION, PERMANENT; ok=yes; routing_sa #1->#2 negotiating_ike_sa #1 established_ike_sa #1 negotiating_child_sa #0->#2 (unpend() +332 programs/pluto/pending.c)
output: | "west-east": delref @0x7ff4d1066a78(5->4) "west-east" #2:  (dispatch() +2450 programs/pluto/routing.c)
output: | "west-east": detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d05d6fc8 slot 0 (unpend() +333 programs/pluto/pending.c)
output: | delref @0x7ff4d106efe8(5->4) (unpend() +333 programs/pluto/pending.c)
output: | pending: unqueuing pending [0x7ff4d05fafa8] Quick Mode connection "west-east" [0x7ff4d1066a78]
output: | "west-east": delref @0x7ff4d1066a78(4->3)  (delete_pending() +262 programs/pluto/pending.c)
output: | "west-east": detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d05fefc8 slot 0 (delete_pending() +263 programs/pluto/pending.c)
output: | delref @0x7ff4d106efe8(4->3) (delete_pending() +263 programs/pluto/pending.c)
output: | logger: delref @0x7ff4d05fefc8(1->0) (delete_pending() +263 programs/pluto/pending.c)
output: | "west-east" #1: detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d05f8fc8 slot 0 (complete_v1_state_transition() +2840 programs/pluto/ikev1.c)
output: | delref @0x7ff4d106efe8(3->2) (complete_v1_state_transition() +2840 programs/pluto/ikev1.c)
output: | #1 spent 1.98 (15.1) milliseconds in process_packet_tail()
output: | IKEv1 packet dropped
output: | packet from 192.1.2.23:500: delref @0x7ff4d0f737a8(1->0) (process_iface_packet() +296 programs/pluto/demux.c)
output: | packet from 192.1.2.23:500: releasing whack (but there are none) (process_iface_packet() +296 programs/pluto/demux.c)
output: | logger: delref @0x7ff4d1070fc8(1->0) (process_iface_packet() +296 programs/pluto/demux.c)
output: | delref @0x7ff4d1074f38(4->3) (process_iface_packet() +296 programs/pluto/demux.c)
output: | spent 2.97 (20.1) milliseconds in process_iface_packet() reading and processing packet
output: | job 3 helper 1 #2 quick_outI1 (dh): started
output: | struct dh_local_secret: newref @0x7ff4d1070fd8(0->1) (calc_dh_local_secret() +85 programs/pluto/crypt_dh.c)
output: | job 3 helper 1 #2 quick_outI1 (dh): finished
output: | "west-east" #2: spent 4.44 (6.92) milliseconds in job 3 helper 1 #2 quick_outI1 (dh)
output: | scheduling resume sending job back to main thread for #2
output: | tt: newref @0x7ff4d0695f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | libevent: delref @0x7ff4d1164fb8(1->0) (libevent_realloc() +965 programs/pluto/server.c)
output: | libevent: newref @0x7ff4d0697f78(0->1) (libevent_realloc() +969 programs/pluto/server.c)
output: | helper 1: waiting for work
output: | processing resume sending job back to main thread for #2
output: | suspend: no MD saved in state #2 (resume_handler() +641 programs/pluto/server.c)
output: | job 3 helper 1 #2 quick_outI1 (dh): calling state's callback function
output: | quick_outI1_continue for #2: calculated ke+nonce, sending I1
output: | quick_outI1_continue for #2: calculated ke+nonce, sending I1
output: | opening output PBS reply packet
output: | **emit ISAKMP Message:
output: |    initiator SPI: ec 17 79 fe  a9 81 79 66
output: |    responder SPI: de 4d e9 3b  ce 1e 43 08
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
output: |    exchange type: ISAKMP_XCHG_QUICK (0x20)
output: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
output: |    Message ID: 1523391037 (5a cd 1a 3d)
output: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
output: | ***emit ISAKMP Hash Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
output: | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet'
output: | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload
output: | emitting length of ISAKMP Hash Payload: 36
output: | emitting quick defaults using policy: encrypt
output: | empty esp_info, returning defaults for: encrypt
output: | sadb: newref @0x7ff4d1164fe8(0->1) (v1_kernel_alg_makedb() +445 programs/pluto/ikev1_spdb_struct.c)
output: | ***emit ISAKMP Security Association Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    DOI: ISAKMP_DOI_IPSEC (0x1)
output: | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA)
output: | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet'
output: | ****emit IPsec DOI SIT:
output: |    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
output: | ikev1_out_sa() pcn: 0 has 1 valid proposals
output: | ikev1_out_sa() pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2
output: | ****emit ISAKMP Proposal Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    proposal number: 0 (00)
output: |    protocol ID: PROTO_IPSEC_ESP (0x3)
output: |    SPI size: 4 (04)
output: |    number of transforms: 2 (02)
output: | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type'
output: | "west-east" #2: routing:  kernel_ops_get_ipsec_spi() 192.1.2.23-ESP->192.1.2.45 reqid=4005 [1000,ffffffff] for SPI ...
output: | sendrecv_xfrm_msg() sending 22 Get SPI SPI
output: | sendrecv_xfrm_msg() recvfrom() returned 256 bytes
output: | "west-east" #2: routing:   ... allocated e2929ca3 for SPI
output: | emitting 4 raw bytes of SPI SPISPI ISAKMP Proposal Payload
output: | SPI: e2 92 9c a3
output: | *****emit ISAKMP Transform Payload (ESP):
output: |    next payload type: ISAKMP_NEXT_T (0x3)
output: |    ESP transform number: 0 (00)
output: |    ESP transform ID: ESP_AES (0xc)
output: | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type'
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+GROUP_DESCRIPTION (0x8003)
output: |    length/value: 14 (00 0e)
output: |     [14 is OAKLEY_GROUP_MODP2048]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+ENCAPSULATION_MODE (0x8004)
output: |    length/value: 1 (00 01)
output: |     [1 is ENCAPSULATION_MODE_TUNNEL]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_TYPE (0x8001)
output: |    length/value: 1 (00 01)
output: |     [1 is SA_LIFE_TYPE_SECONDS]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
output: |    length/value: 28800 (70 80)
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+AUTH_ALGORITHM (0x8005)
output: |    length/value: 2 (00 02)
output: |     [2 is AUTH_ALGORITHM_HMAC_SHA1]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+KEY_LENGTH (0x8006)
output: |    length/value: 128 (00 80)
output: | emitting length of ISAKMP Transform Payload (ESP): 32
output: | *****emit ISAKMP Transform Payload (ESP):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ESP transform number: 1 (01)
output: |    ESP transform ID: ESP_3DES (0x3)
output: | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' containing ISAKMP_NEXT_T (0x3) is ISAKMP_NEXT_T (0x3)
output: | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type'
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+GROUP_DESCRIPTION (0x8003)
output: |    length/value: 14 (00 0e)
output: |     [14 is OAKLEY_GROUP_MODP2048]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+ENCAPSULATION_MODE (0x8004)
output: |    length/value: 1 (00 01)
output: |     [1 is ENCAPSULATION_MODE_TUNNEL]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_TYPE (0x8001)
output: |    length/value: 1 (00 01)
output: |     [1 is SA_LIFE_TYPE_SECONDS]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
output: |    length/value: 28800 (70 80)
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+AUTH_ALGORITHM (0x8005)
output: |    length/value: 2 (00 02)
output: |     [2 is AUTH_ALGORITHM_HMAC_SHA1]
output: | emitting length of ISAKMP Transform Payload (ESP): 28
output: | emitting length of ISAKMP Proposal Payload: 72
output: | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0
output: | emitting length of ISAKMP Security Association Payload: 84
output: | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0
output: | sadb: delref @0x7ff4d1164fe8(1->0) (free_sa() +857 programs/pluto/ikev1_spdb.c)
output: | ***emit ISAKMP Nonce Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE)
output: | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet'
output: | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload
output: |   21 2e 17 ca  50 c5 20 4f  30 d9 01 5a  a3 f2 46 c0   !...P. O0..Z..F.
output: |   88 db 9e 6a  9d 22 9c 0e  b7 6c a3 05  73 1c 8d a3   ...j."...l..s...
output: | emitting length of ISAKMP Nonce Payload: 36
output: | struct dh_local_secret: addref @0x7ff4d1070fd8(1->2) (unpack_KE_from_helper() +155 programs/pluto/crypt_ke.c)
output: | ***emit ISAKMP Key Exchange Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE)
output: | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet'
output: | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
output: |   f2 6d 4b c4  66 2e 68 e4  d7 49 0e dd  f6 d5 c6 e6   .mK.f.h..I......
output: |   66 55 92 5d  e5 cf e9 89  11 ba 99 10  6b 27 07 9a   fU.]........k'..
output: |   be 16 06 7d  a4 9e c0 d2  f3 15 ec b5  54 20 47 b0   ...}........T G.
output: |   35 42 26 66  07 a4 34 5a  6f e8 bc 3c  86 e6 93 54   5B&f..4Zo..<...T
output: |   f3 31 fa b4  a7 d1 0a d7  8e 81 76 42  32 57 72 d4   .1........vB2Wr.
output: |   de 65 f9 54  69 d0 af c8  de 47 ea 95  13 4e f9 10   .e.Ti....G...N..
output: |   ac 96 bc db  8f 88 b6 d9  70 f7 53 26  19 42 91 38   ........p.S&.B.8
output: |   cf 7f e5 53  db f5 96 0c  9a c1 ee 67  96 19 50 1b   ...S.......g..P.
output: |   cd f7 be 14  6b 4d b1 5c  7d 14 8d ee  cf 97 6c bb   ....kM.\}.....l.
output: |   ca 12 95 ff  ac 36 5d e4  54 13 14 e1  07 e0 75 d8   .....6].T.....u.
output: |   2b b1 96 05  5d 0d ff 88  e7 43 e2 b2  91 07 dd 01   +...]....C......
output: |   2d 41 ea 47  75 f2 5c 05  1e bb 2f c7  83 df 21 d8   -A.Gu.\.../...!.
output: |   cd 3c 22 64  11 7a 1e 02  ac 62 76 5a  d1 cb 2a ca   .<"d.z...bvZ..*.
output: |   14 8b 83 40  2b a0 f9 a6  ca c6 a4 37  89 8b b1 94   ...@+......7....
output: |   dd 53 73 52  40 c3 8d 24  85 77 83 00  da 67 00 ac   .SsR@..$.w...g..
output: |   80 a2 2d ef  0d b3 8d f8  99 b7 8e 0b  6a fe 10 c6   ..-.........j...
output: | emitting length of ISAKMP Key Exchange Payload: 260
output: | ***emit ISAKMP Identification Payload (IPsec DOI):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ID type: ID_IPV4_ADDR_SUBNET (0x4)
output: |    Protocol ID: ALL (0x0)
output: |    port: 0 (00 00)
output: | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
output: | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
output: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
output: | client network: c0 00 01 00
output: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
output: | client mask: ff ff ff 00
output: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
output: | ***emit ISAKMP Identification Payload (IPsec DOI):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ID type: ID_IPV4_ADDR_SUBNET (0x4)
output: |    Protocol ID: ALL (0x0)
output: |    port: 0 (00 00)
output: | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
output: | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
output: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
output: | client network: c0 00 02 00
output: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
output: | client mask: ff ff ff 00
output: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
output: |     result: newref clone-key@0x7ff4d0625f80 (32-bytes, SHA256_HMAC)(init_symkey() +101 lib/libswan/ike_alg_prf_mac_nss_ops.c)
output: | HASH(1): delref clone-key@0x7ff4d0625f80
output: | outI1 HASH(1):
output: |   8a f0 7c 07  c3 fb c3 db  33 59 47 c1  6a 99 6d 15   ..|.....3YG.j.m.
output: |   2e dd e1 3d  f5 06 8b 49  3f 6a 00 ff  f5 cb af 08   ...=...I?j......
output: | no IKEv1 message padding required
output: | emitting length of ISAKMP Message: 476
output: | sending 476 bytes for reply packet from quick_outI1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 using UDP (for #2)
output: |   ec 17 79 fe  a9 81 79 66  de 4d e9 3b  ce 1e 43 08   ..y...yf.M.;..C.
output: |   08 10 20 01  5a cd 1a 3d  00 00 01 dc  3a f5 a2 4e   .. .Z..=....:..N
output: |   7e 8e 4f 40  c2 b8 04 89  e7 d9 e0 2f  ac f0 a0 34   ~.O@......./...4
output: |   93 8c ff 10  70 e5 df d4  8a 95 22 f0  7b 97 3e 00   ....p.....".{.>.
output: |   d2 9f 2f bc  92 9b 0d 47  0a 24 98 e4  0c 60 cd fc   ../....G.$...`..
output: |   6c 5b e4 01  57 39 6a 75  9f f9 7a 97  57 07 7b 28   l[..W9ju..z.W.{(
output: |   0d c9 9b 80  ea 9d 14 a1  03 9b 33 d7  d0 57 79 c6   ..........3..Wy.
output: |   72 43 72 fb  02 f3 21 40  ce 10 6a bb  85 5a 36 8d   rCr...!@..j..Z6.
output: |   ba a4 10 3c  0d 42 17 5a  69 03 cd a4  9b 9a 24 0b   ...<.B.Zi.....$.
output: |   06 d3 41 cc  11 fa ba bf  6b 7e 99 56  76 37 91 e9   ..A.....k~.Vv7..
output: |   09 66 91 4c  b5 1b 6b c7  48 a0 d3 3b  2d 70 f5 31   .f.L..k.H..;-p.1
output: |   bd 81 78 de  a7 79 ce 9d  51 1b 14 12  5b 18 32 a7   ..x..y..Q...[.2.
output: |   26 94 48 00  b8 86 66 d9  f9 25 66 3f  62 dd dd 12   &.H...f..%f?b...
output: |   87 d5 56 66  cb da be 20  80 1b 62 a4  63 72 2e 2c   ..Vf... ..b.cr.,
output: |   2e 9d 30 03  cc 3f 5a 8e  1a 42 3e 95  4a 5f f0 c6   ..0..?Z..B>.J_..
output: |   cb a9 7d e4  0a c7 6c 03  63 e9 46 b0  38 cb 31 7f   ..}...l.c.F.8.1.
output: |   28 ec 9a fb  0d 62 dc 1f  06 ff d6 3e  05 1e 7f 08   (....b.....>....
output: |   77 ed 3f 09  08 c1 5c 6a  48 20 5e 47  76 a1 19 09   w.?...\jH ^Gv...
output: |   55 02 89 39  b3 3e 42 f5  8c 55 26 aa  87 4b 26 7a   U..9.>B..U&..K&z
output: |   62 0c c6 24  d0 51 2b 59  00 5a 45 de  e1 be 0b c0   b..$.Q+Y.ZE.....
output: |   e2 8a ef 56  54 e5 10 24  66 f3 1e 9a  3c 79 22 ad   ...VT..$f...<y".
output: |   da 49 58 35  c6 86 81 9c  4d 90 cc 4f  e2 89 52 b7   .IX5....M..O..R.
output: |   ba 87 d0 8d  c7 ca 52 d0  3c 01 7c de  92 d4 81 ba   ......R.<.|.....
output: |   7d d1 e3 45  c7 9e 83 92  d3 b5 48 cd  06 8c d8 9b   }..E......H.....
output: |   07 a1 7c 7e  e2 2c f6 ce  0d cd 40 65  e0 83 3c 7c   ..|~.,....@e..<|
output: |   8b 16 3d 8f  94 14 08 1b  e4 1c 5d d0  48 59 e5 6e   ..=.......].HY.n
output: |   f8 a1 f1 19  ed 34 ae a7  0c b6 ea 83  81 28 9d ca   .....4.......(..
output: |   73 c5 b8 a6  cd ee 86 18  38 fc b7 0c  d5 09 07 06   s.......8.......
output: |   e4 f3 ce a5  9e 88 d4 c8  a6 d6 99 24  c5 aa 4b 03   ...........$..K.
output: |   bd e7 58 27  4b a8 06 09  c1 63 d2 70                ..X'K....c.p
output: | #2 deleting EVENT_CRYPTO_TIMEOUT
output: | tt: delref @0x7ff4d0668f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0614fa8(1->0) (delete_event() +534 programs/pluto/timer.c)
output: | #2 STATE_QUICK_I1: retransmits: cleared
output: | event_schedule_where: newref EVENT_RETRANSMIT-pe@0x7ff4d0668fa8 timeout in 60 seconds for #2
output: | tt: newref @0x7ff4d0614f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | #2 STATE_QUICK_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 12.485623
output: "west-east" #2: sent Quick Mode request
output: | job 3 helper 1 #2 quick_outI1 (dh): final status STF_SKIP_COMPLETE_STATE_TRANSITION; cleaning up
output: | delref @0x7ff4d1070fd8(2->1) (cleanup_ke_and_nonce() +83 programs/pluto/crypt_ke.c)
output: | "west-east" #2: detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d0612fc8 slot 0 (free_job() +430 programs/pluto/server_pool.c)
output: | delref @0x7ff4d106efe8(2->1) (free_job() +430 programs/pluto/server_pool.c)
output: | logger: delref @0x7ff4d0612fc8(1->0) (free_job() +430 programs/pluto/server_pool.c)
output: | job: delref @0x7ff4d060ef98(1->0) (free_job() +431 programs/pluto/server_pool.c)
output: | resume sending job back to main thread for #2 suppressed complete_v1_state_transition()
output: | #2 spent 2.31 (22) milliseconds in resume sending job back to main thread
output: | tt: delref @0x7ff4d0695f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | processing global timer EVENT_SHUNT_SCAN
output: | kernel: checking for aged bare shunts from shunt table to expire
output: | spent 0.0165 (0.153) milliseconds in global timer EVENT_SHUNT_SCAN
output: | processing global timer EVENT_NAT_T_KEEPALIVE
output: | FOR_EACH_STATE_... in (nat_traversal_ka_event() +304 programs/pluto/nat_traversal.c)
output: |   found "west-east" #2
output: | not behind NAT: no NAT-T KEEP-ALIVE required for conn west-east
output: |   found "west-east" #1
output: | not behind NAT: no NAT-T KEEP-ALIVE required for conn west-east
output: |   matches: 2
output: | spent 0.0327 (0.634) milliseconds in global timer EVENT_NAT_T_KEEPALIVE
output: | kernel: netlink_process_xfrm_messages() process messages
output: | netlink_get() recvfrom() returned 248 bytes
output: | netlink_xfrm_message_processor() got XFRM_MSG_EXPIRE message with length 248
output: | xfrm_kernel_sa_expire() spi e2929ca3 src 192.1.2.23 dst 192.1.2.45 hard mode 0 proto 50 bytes 0 packets 0
output: | FOR_EACH_STATE_... in (find_v2_child_sa_by_spi() +1446 programs/pluto/state.c)
output: |   found "west-east" #2
output: |   found "west-east" #1
output: |   matches: 2
output: | received kernel hard EXPIRE event for IPsec SPI e2929ca3, but there is no connection with this SPI SPISPI dst 192.1.2.45 bytes 0 packets 0
output: | processing global timer EVENT_SHUNT_SCAN
output: | kernel: checking for aged bare shunts from shunt table to expire
output: | spent 0.0163 (0.254) milliseconds in global timer EVENT_SHUNT_SCAN
output: | processing global timer EVENT_PENDING_DDNS
output: | FOR_EACH_CONNECTION_.... in (connection_check_ddns() +213 programs/pluto/ddns.c)
output: |   found "west-east"
output: | "west-east": addref @0x7ff4d1066a78(3->4)  (connection_check_ddns() +217 programs/pluto/ddns.c)
output: | "west-east": pending ddns: skipping connection, has no .dnshostname
output: | "west-east": delref @0x7ff4d1066a78(4->3)  (connection_check_ddns() +219 programs/pluto/ddns.c)
output: |   matches: 1
output: | spent 0.044 (0.462) milliseconds in in connection_check_ddns for hostname lookup
output: | spent 0.0615 (0.54) milliseconds in global timer EVENT_PENDING_DDNS
output: | processing global timer EVENT_SHUNT_SCAN
output: | kernel: checking for aged bare shunts from shunt table to expire
output: | spent 0.0081 (0.0982) milliseconds in global timer EVENT_SHUNT_SCAN
output: | timer_event_cb: processing EVENT_RETRANSMIT-event@0x7ff4d0668fa8 for CHILD SA #2 in state QUICK_I1
output: | #2 deleting EVENT_RETRANSMIT
output: | tt: delref @0x7ff4d0614f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0668fa8(1->0) (timer_event_cb() +221 programs/pluto/timer.c)
output: | IKEv1 retransmit event
output: | #2 STATE_QUICK_I1: retransmits: current time 72.46581
output: | #2 STATE_QUICK_I1: retransmits: retransmit count 0 exceeds limit? NO
output: | #2 STATE_QUICK_I1: retransmits: deltatime 60 exceeds limit? YES
output: | #2 STATE_QUICK_I1: retransmits: monotime 59.980187 exceeds limit? NO
output: "west-east" #2: STATE_QUICK_I1: 60 second timeout exceeded after 0 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
output: | pstats #2 ikev1.ipsec failed too-many-retransmits
output: | clone logger: newref @0x7ff4d0693fc8(0->1) (teardown_child() +1217 programs/pluto/routing.c)
output: | "west-east" #2: attach whack fd@0x7ff4d106efe8 to logger 0x7ff4d0693fc8 slot 0 (teardown_child() +1217 programs/pluto/routing.c)
output: | struct fd: addref @0x7ff4d106efe8(1->2) (teardown_child() +1217 programs/pluto/routing.c)
output: | "west-east": addref @0x7ff4d1066a78(3->4) "west-east" #2:  (dispatch() +2436 programs/pluto/routing.c)
output: | "west-east" #2: routing: start TEARDOWN_CHILD, ROUTED_NEGOTIATION, PERMANENT; IPsec #2 (QUICK_I1) by=UNKNOWN; $1@0x7ff4d1066a78; routing_sa #2 negotiating_ike_sa #1 established_ike_sa #1 negotiating_child_sa #2 (event_v1_retransmit() +83 programs/pluto/ikev1_retransmit.c)
output: | "west-east" #2: routing:   Child SA matches .routing_sa
output: | revival: skip update_remote_port(), not an instance
output: "west-east" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
output: | string logger: newref @0x7ff4d060efc8(0->1) (schedule_connection_event() +44 programs/pluto/connection_event.c)
output: | "west-east": addref @0x7ff4d1066a78(4->5) event CONNECTION_REVIVAL for "west-east":  (schedule_connection_event() +49 programs/pluto/connection_event.c)
output: "west-east" #2: IMPAIR: revival: skip scheduling revival event
output: | spd_owner() looking for SPD owner of 192.0.1.0/24===192.0.2.0/24 with routing >= ROUTED_ONDEMAND[ONDEMAND]
output: | FOR_EACH_SPD_ROUTE[remote_client_range=192.0.2.0/24]... in (routed_negotiation_to_routed_ondemand() +911 programs/pluto/routing.c)
output: |   found "west-east" 192.0.1.0/24===192.0.2.0/24
output: |    "west-east" 192.0.1.0/24===192.0.2.0/24 ROUTED_NEGOTIATION[NEGOTIATION] skipped; ignoring self
output: |   matches: 1
output: | spd_owner: owners of 192.0.1.0/24===192.0.2.0/24 routing >= ROUTED_ONDEMAND[ONDEMAND]
output: | kernel: NIC esp-hw-offload disabled for connection 'west-east'
output: |  replacing 192.0.1.0/24===192.0.2.0/24
output: | priority calculation of is 1757393 (0x1ad0d1) base=1 portsw=2 protow=1, srcw=104 dstw=104 instw=1
output: | "west-east" #2: routing:  kernel_ops_policy_add() REPLACE+OUTBOUND delete Child SA (event_v1_retransmit() +83 programs/pluto/ikev1_retransmit.c)
output: | "west-east" #2: routing:   client=192.0.1.0/24=>192.0.2.0/24 lifetime=0s
output: | "west-east" #2: routing:   sa_marks=out:0/00000000,in:0/00000000
output: | "west-east" #2: routing:   policy=0.0.0.0=>0.0.0.0,ONDEMAND=TRAP,priority=1757393,TRANSPORT[ESP@0(ALL)]
output: | kernel_ops_policy_add()   policy=%trap(allow) action=0 xfrm_dir=1 op=REPLACE dir=OUTBOUND
output: | kernel_xfrm_policy_add() using family IPv4 (2)
output: | set_xfrm_selectors() using family IPv4 (2)
output: | kernel_xfrm_policy_add() IPsec SA SPD priority set to 1757393
output: | kernel_xfrm_policy_add() adding xfrm_user_tmpl reqid=0 id.proto=50 optional=0 family=2 mode=0 saddr=<unset-address> daddr=<unset-address>
output: | sendrecv_xfrm_msg() sending 25 policy %trap(allow)
output: | sendrecv_xfrm_msg() recvfrom() returned 36 bytes
output: | kernel_ops_policy_add()   XFRM_MSG_UPDPOLICY for flow %trap(allow) (out) had A policy
output: | "west-east" #2: routing:   ... yes
output: | "west-east" #2: .st_on_delete.skip_send_delete no->true (delete_child_sa() +758 programs/pluto/state.c)
output: | "west-east" #2: delete_state() skipping log_message:no
output: "west-east" #2: deleting IPsec SA (QUICK_I1) and NOT sending notification
output: | "west-east" #2: .st_on_delete.skip_log_message no->true (llog_sa_delete_n_send() +852 programs/pluto/state.c)
output: | pstats #2 ikev1.ipsec deleted too-many-retransmits
output: | #2 main thread spent 2.31 (22) milliseconds helper thread spent 4.44 (6.92) milliseconds in total
output: | suspend: no MD saved in state #2 (delete_state() +973 programs/pluto/state.c)
output: | #2 STATE_QUICK_I1: retransmits: cleared
output: | kernel: uninstall_kernel_state() deleting OUTBOUND
output: | kernel: uninstall_kernel_state() deleting INBOUND
output: | kernel: forcing inbound delete of ESP as .inbound.spi: e2929ca3; attrs.spi: 00000000
output: | "west-east" #2: routing:  kernel_ops_del_ipsec_spi() deleting sa 192.1.2.23-ESP[e2929ca3]->192.1.2.45 for esp.ESPSPIi@192.1.2.45 ...
output: | sendrecv_xfrm_msg() sending 17 Del SA esp.ESPSPIi@192.1.2.45
output: | sendrecv_xfrm_msg() recvfrom() returned 60 bytes
output: ERROR: "west-east" #2: netlink response for Del SA esp.ESPSPIi@192.1.2.45: No such process (errno 3)
output: | "west-east" #2: routing:   ... no
output: | delref @0x7ff4d1074f38(3->2) (delete_state() +1033 programs/pluto/state.c)
output: | "west-east": delref @0x7ff4d1066a78(5->4)  #2:  (delete_state() +1073 programs/pluto/state.c)
output: | child state #2: QUICK_I1(established CHILD SA) => UNDEFINED(ignore)
output: |  #2: detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d0f7cfc8 slot 0 (delete_state() +1079 programs/pluto/state.c)
output: | delref @0x7ff4d106efe8(2->1) (delete_state() +1079 programs/pluto/state.c)
output: | delref @0x7ff4d1070fd8(1->0) (delete_state() +1094 programs/pluto/state.c)
output: | delete_state: delref st->st_dh_shared_secret-key@NULL
output: | delete_state: delref st->st_skeyid_nss-key@0x7ff4d10d8f80
output: | delete_state: delref st->st_skey_d_nss-key@0x7ff4d117ef80
output: | delete_state: delref st->st_skey_ai_nss-key@0x7ff4d11bef80
output: | delete_state: delref st->st_skey_ar_nss-key@NULL
output: | delete_state: delref st->st_skey_ei_nss-key@0x7ff4d0fcbf80
output: | delete_state: delref st->st_skey_er_nss-key@NULL
output: | delete_state: delref st->st_skey_pi_nss-key@NULL
output: | delete_state: delref st->st_skey_pr_nss-key@NULL
output: | delete_state: delref st->st_enc_key_nss-key@0x7ff4d10d6f80
output: | delete_state: delref st->st_sk_d_no_ppk-key@NULL
output: | delete_state: delref st->st_sk_pi_no_ppk-key@NULL
output: | delete_state: delref st->st_sk_pr_no_ppk-key@NULL
output: |  #2: releasing whack (but there are none) (delete_state() +1172 programs/pluto/state.c)
output: | logger: delref @0x7ff4d0f7cfc8(1->0) (delete_state() +1172 programs/pluto/state.c)
output: | "west-east" #2: routing: stop TEARDOWN_CHILD, ROUTED_NEGOTIATION->ROUTED_ONDEMAND, PERMANENT; ok=yes; routing_sa #2->#0 negotiating_ike_sa #1 established_ike_sa #1 negotiating_child_sa #2->#0 revival 0->1 (event_v1_retransmit() +83 programs/pluto/ikev1_retransmit.c)
output: | "west-east": delref @0x7ff4d1066a78(4->3) "west-east" #2:  (dispatch() +2450 programs/pluto/routing.c)
output: | "west-east" #2: detach whack fd@0x7ff4d106efe8 from logger 0x7ff4d0693fc8 slot 0 (teardown_child() +1236 programs/pluto/routing.c)
output: | delref @0x7ff4d106efe8(1->0) (teardown_child() +1236 programs/pluto/routing.c)
output: | freeref fd@0x7ff4d106efe8 (teardown_child() +1236 programs/pluto/routing.c)
output: | logger: delref @0x7ff4d0693fc8(1->0) (teardown_child() +1236 programs/pluto/routing.c)
output: | in statetime_stop() and could not find #2
output: | kernel: netlink_process_xfrm_messages() process messages
output: | netlink_get() recvfrom() returned 376 bytes
output: | netlink_xfrm_message_processor() got XFRM_MSG_ACQUIRE message with length 376
output: | xfrm netlink msg len 376
output: | xfrm_user_acquire  id { daddr: xfrm_address_t spi: 0 proto: 32 saddr: struct xfrm_address_t sel: struct xfrm_selector} policy { lft { soft_add_expires_seconds=0 hard_add_expires_seconds=0 soft_use_expires_seconds=0 hard_use_expires_seconds=0} curlft { add_time=>0 use_time=0} } aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295 seq: 1
output: | xfrm acquire rtattribute type 5 ...
output: | xfrm_user_tmpl { id: xfrm_id id family: 2 saddr: xfrm_address_t reqid: 0 mode: 0 share: 0 optional: 0 aalgos: 4294967295 ealgos: 4294967295 calgos: 4294967295}
output: | xfrm acquire rtattribute type 16 ...
output: | xfrm_userpolicy_type { type: 0}
output: | find_connection_for_packet() looking for an out-going connection that matches packet 192.0.1.254:8-ICMP->192.0.2.254:0 sec_label=
output: | FOR_EACH_CONNECTION_.... in (find_connection_for_packet() +3936 programs/pluto/connections.c)
output: |   found "west-east"
output: |     choosing "west-east" priority 25214988; as first best
output: |   matches: 1
output: |   concluding with "west-east" priority 25214988 kind=PERMANENT
output: | "west-east": addref @0x7ff4d1066a78(3->4)  (initiate_ondemand() +135 programs/pluto/acquire.c)
output: | "west-east": no whack to attach
output: "west-east": initiate on-demand for packet 192.0.1.254:8-ICMP->192.0.2.254:0
output: | "west-east": initiate() by ACQUIRE policy=ENCRYPT+TUNNEL+PFS proto=ESP sec_label= (initiate_ondemand() +158 programs/pluto/acquire.c)
output: |   connection $1: "west-east"
output: |     routing+kind: ROUTED_ONDEMAND PERMANENT
output: |     host: 192.1.2.45->192.1.2.23
output: |     selectors: 192.0.1.0/24 -> 192.0.2.0/24
output: |     spds: 192.0.1.0/24===192.0.2.0/24
output: |     policy: IKEv1+PSK+ENCRYPT+TUNNEL+PFS+ROUTE+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
output: | FOR_EACH_STATE_... in (find_viable_parent_for_connection() +1567 programs/pluto/state.c)
output: |   found "west-east" #1
output: |   matches: 1
output: | struct iface_endpoint: addref @0x7ff4d1074f38(2->3) (duplicate_state() +1198 programs/pluto/state.c)
output: | alloc logger: newref @0x7ff4d05fafc8(0->1) (duplicate_state() +1206 programs/pluto/state.c)
output: |  #0: no whack to attach
output: | "west-east": addref @0x7ff4d1066a78(4->5)  #3:  (new_state() +491 programs/pluto/state.c)
output: | creating state object #3 at 0x7ff4d1164348
output: | pstats #3 ikev1.ipsec started
output: | duplicating state object #1 "west-east" as #3 for IPSEC SA
output: | #3 setting local endpoint to 192.1.2.45:500 from #1.st_localport (duplicate_state() +1220 programs/pluto/state.c)
output: | duplicate_state: addref st_skeyid_nss-key@0x7ff4d10d8f80
output: | duplicate_state: addref st_skey_d_nss-key@0x7ff4d117ef80
output: | duplicate_state: addref st_skey_ai_nss-key@0x7ff4d11bef80
output: | duplicate_state: addref st_skey_ar_nss-key@NULL
output: | duplicate_state: addref st_skey_ei_nss-key@0x7ff4d0fcbf80
output: | duplicate_state: addref st_skey_er_nss-key@NULL
output: | duplicate_state: addref st_skey_pi_nss-key@NULL
output: | duplicate_state: addref st_skey_pr_nss-key@NULL
output: | duplicate_state: addref st_enc_key_nss-key@0x7ff4d10d6f80
output: | child state #3: UNDEFINED(ignore) => QUICK_I1(established CHILD SA)
output: "west-east" #3: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+ROUTE+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
output: | job: newref @0x7ff4d106ef98(0->1) (submit_task() +331 programs/pluto/server_pool.c)
output: | clone logger: newref @0x7ff4d0f7cfc8(0->1) (submit_task() +358 programs/pluto/server_pool.c)
output: | job 4 helper 0 #3 quick_outI1 (dh): added to pending queue
output: | event_schedule_where: newref EVENT_CRYPTO_TIMEOUT-pe@0x7ff4d0f7efa8 timeout in 60 seconds for #3
output: | tt: newref @0x7ff4d0f80f68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | "west-east": addref @0x7ff4d1066a78(5->6) "west-east" #3:  (dispatch() +2436 programs/pluto/routing.c)
output: | "west-east" #3: routing: start INITIATED, ROUTED_ONDEMAND, PERMANENT; ISAKMP #1 (MAIN_I4) IPsec #3 (QUICK_I1) by=ACQUIRE; $1@0x7ff4d1066a78; negotiating_ike_sa #1 established_ike_sa #1 (initiate_ondemand() +158 programs/pluto/acquire.c)
output: | "west-east" #3: routing:   Child SA matches unset .routing_sa
output: | "west-east": delref @0x7ff4d1066a78(6->5) event CONNECTION_REVIVAL for "west-east":  (discard_connection_event() +71 programs/pluto/connection_event.c)
output: | event CONNECTION_REVIVAL for "west-east": releasing whack (but there are none) (discard_connection_event() +72 programs/pluto/connection_event.c)
output: | logger: delref @0x7ff4d060efc8(1->0) (discard_connection_event() +72 programs/pluto/connection_event.c)
output: | spd_owner() looking for SPD owner of 192.0.1.0/24===192.0.2.0/24 with routing >= ROUTED_NEGOTIATION[NEGOTIATION]
output: | FOR_EACH_SPD_ROUTE[remote_client_range=192.0.2.0/24]... in (routed_ondemand_to_routed_negotiation() +884 programs/pluto/routing.c)
output: |   found "west-east" 192.0.1.0/24===192.0.2.0/24
output: |    "west-east" 192.0.1.0/24===192.0.2.0/24 ROUTED_ONDEMAND[ONDEMAND] skipped; ignoring self
output: |   matches: 1
output: | spd_owner: owners of 192.0.1.0/24===192.0.2.0/24 routing >= ROUTED_NEGOTIATION[NEGOTIATION]
output: | kernel: NIC esp-hw-offload disabled for connection 'west-east'
output: |  replacing 192.0.1.0/24===192.0.2.0/24
output: | priority calculation of is 1757393 (0x1ad0d1) base=1 portsw=2 protow=1, srcw=104 dstw=104 instw=1
output: | "west-east" #3: routing:  kernel_ops_policy_add() REPLACE+OUTBOUND ondemand->negotiation (initiate_ondemand() +158 programs/pluto/acquire.c)
output: | "west-east" #3: routing:   client=192.0.1.0/24=>192.0.2.0/24 lifetime=0s
output: | "west-east" #3: routing:   sa_marks=out:0/00000000,in:0/00000000
output: | "west-east" #3: routing:   policy=0.0.0.0=>0.0.0.0,NEGOTIATION=HOLD,priority=1757393,TRANSPORT[ESP@0(ALL)]
output: | kernel_ops_policy_add()   policy=%hold(block) action=1 xfrm_dir=1 op=REPLACE dir=OUTBOUND
output: | kernel_xfrm_policy_add() using family IPv4 (2)
output: | set_xfrm_selectors() using family IPv4 (2)
output: | kernel_xfrm_policy_add() IPsec SA SPD priority set to 1757393
output: | kernel_xfrm_policy_add() adding xfrm_user_tmpl reqid=0 id.proto=50 optional=0 family=2 mode=0 saddr=<unset-address> daddr=<unset-address>
output: | sendrecv_xfrm_msg() sending 25 policy %hold(block)
output: | job 4 helper 1 #3 quick_outI1 (dh): started
output: | sendrecv_xfrm_msg() recvfrom() returned 36 bytes
output: | kernel_ops_policy_add()   XFRM_MSG_UPDPOLICY for flow %hold(block) (out) had A policy
output: | "west-east" #3: routing:   ... yes
output: | "west-east" #3: routing: stop INITIATED, ROUTED_ONDEMAND->ROUTED_NEGOTIATION, PERMANENT; ok=yes; routing_sa #0->#3 negotiating_ike_sa #1 established_ike_sa #1 negotiating_child_sa #0->#3 (initiate_ondemand() +158 programs/pluto/acquire.c)
output: | "west-east": delref @0x7ff4d1066a78(5->4) "west-east" #3:  (dispatch() +2450 programs/pluto/routing.c)
output: | "west-east" #3: no whack to detach (initiate() +442 programs/pluto/initiate.c)
output: | "west-east": no whack to detach (initiate_ondemand() +160 programs/pluto/acquire.c)
output: | "west-east": delref @0x7ff4d1066a78(4->3)  (initiate_ondemand() +161 programs/pluto/acquire.c)
output: | struct dh_local_secret: newref @0x7ff4d060cfd8(0->1) (calc_dh_local_secret() +85 programs/pluto/crypt_dh.c)
output: | job 4 helper 1 #3 quick_outI1 (dh): finished
output: | "west-east" #3: spent 2.3 (5.39) milliseconds in job 4 helper 1 #3 quick_outI1 (dh)
output: | scheduling resume sending job back to main thread for #3
output: | tt: newref @0x7ff4d067af68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | processing resume sending job back to main thread for #3
output: | suspend: no MD saved in state #3 (resume_handler() +641 programs/pluto/server.c)
output: | job 4 helper 1 #3 quick_outI1 (dh): calling state's callback function
output: | quick_outI1_continue for #3: calculated ke+nonce, sending I1
output: | quick_outI1_continue for #3: calculated ke+nonce, sending I1
output: | opening output PBS reply packet
output: | **emit ISAKMP Message:
output: |    initiator SPI: ec 17 79 fe  a9 81 79 66
output: |    responder SPI: de 4d e9 3b  ce 1e 43 08
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ISAKMP version: ISAKMP Version 1.0 (rfc2407) (0x10)
output: |    exchange type: ISAKMP_XCHG_QUICK (0x20)
output: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
output: |    Message ID: 1384188587 (52 81 0a ab)
output: | next payload chain: saving message location 'ISAKMP Message'.'next payload type'
output: | ***emit ISAKMP Hash Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload (8:ISAKMP_NEXT_HASH)
output: | next payload chain: saving location 'ISAKMP Hash Payload'.'next payload type' in 'reply packet'
output: | emitting 32 zero bytes of HASH DATA into ISAKMP Hash Payload
output: | emitting length of ISAKMP Hash Payload: 36
output: | emitting quick defaults using policy: encrypt
output: | empty esp_info, returning defaults for: encrypt
output: | sadb: newref @0x7ff4d067cfe8(0->1) (v1_kernel_alg_makedb() +445 programs/pluto/ikev1_spdb_struct.c)
output: | ***emit ISAKMP Security Association Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    DOI: ISAKMP_DOI_IPSEC (0x1)
output: | next payload chain: setting previous 'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Security Association Payload (1:ISAKMP_NEXT_SA)
output: | next payload chain: saving location 'ISAKMP Security Association Payload'.'next payload type' in 'reply packet'
output: | ****emit IPsec DOI SIT:
output: |    IPsec DOI SIT: SIT_IDENTITY_ONLY (0x1)
output: | ikev1_out_sa() pcn: 0 has 1 valid proposals
output: | ikev1_out_sa() pcn: 0 pn: 0<1 valid_count: 1 trans_cnt: 2
output: | ****emit ISAKMP Proposal Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    proposal number: 0 (00)
output: |    protocol ID: PROTO_IPSEC_ESP (0x3)
output: |    SPI size: 4 (04)
output: |    number of transforms: 2 (02)
output: | last substructure: saving location 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type'
output: | "west-east" #3: routing:  kernel_ops_get_ipsec_spi() 192.1.2.23-ESP->192.1.2.45 reqid=4005 [1000,ffffffff] for SPI ...
output: | sendrecv_xfrm_msg() sending 22 Get SPI SPI
output: | sendrecv_xfrm_msg() recvfrom() returned 256 bytes
output: | "west-east" #3: routing:   ... allocated f484df86 for SPI
output: | emitting 4 raw bytes of SPI SPISPI ISAKMP Proposal Payload
output: | SPI: f4 84 df 86
output: | *****emit ISAKMP Transform Payload (ESP):
output: |    next payload type: ISAKMP_NEXT_T (0x3)
output: |    ESP transform number: 0 (00)
output: |    ESP transform ID: ESP_AES (0xc)
output: | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type'
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+GROUP_DESCRIPTION (0x8003)
output: |    length/value: 14 (00 0e)
output: |     [14 is OAKLEY_GROUP_MODP2048]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+ENCAPSULATION_MODE (0x8004)
output: |    length/value: 1 (00 01)
output: |     [1 is ENCAPSULATION_MODE_TUNNEL]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_TYPE (0x8001)
output: |    length/value: 1 (00 01)
output: |     [1 is SA_LIFE_TYPE_SECONDS]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
output: |    length/value: 28800 (70 80)
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+AUTH_ALGORITHM (0x8005)
output: |    length/value: 2 (00 02)
output: |     [2 is AUTH_ALGORITHM_HMAC_SHA1]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+KEY_LENGTH (0x8006)
output: |    length/value: 128 (00 80)
output: | emitting length of ISAKMP Transform Payload (ESP): 32
output: | *****emit ISAKMP Transform Payload (ESP):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ESP transform number: 1 (01)
output: |    ESP transform ID: ESP_3DES (0x3)
output: | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' containing ISAKMP_NEXT_T (0x3) is ISAKMP_NEXT_T (0x3)
output: | last substructure: saving location 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type'
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+GROUP_DESCRIPTION (0x8003)
output: |    length/value: 14 (00 0e)
output: |     [14 is OAKLEY_GROUP_MODP2048]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+ENCAPSULATION_MODE (0x8004)
output: |    length/value: 1 (00 01)
output: |     [1 is ENCAPSULATION_MODE_TUNNEL]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_TYPE (0x8001)
output: |    length/value: 1 (00 01)
output: |     [1 is SA_LIFE_TYPE_SECONDS]
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+SA_LIFE_DURATION (variable length) (0x8002)
output: |    length/value: 28800 (70 80)
output: | ******emit ISAKMP IPsec DOI attribute:
output: |    af+type: AF+AUTH_ALGORITHM (0x8005)
output: |    length/value: 2 (00 02)
output: |     [2 is AUTH_ALGORITHM_HMAC_SHA1]
output: | emitting length of ISAKMP Transform Payload (ESP): 28
output: | emitting length of ISAKMP Proposal Payload: 72
output: | last substructure: checking 'ISAKMP Proposal Payload'.'ISAKMP Transform Payload (ESP)'.'next payload type' is 0
output: | emitting length of ISAKMP Security Association Payload: 84
output: | last substructure: checking 'ISAKMP Security Association Payload'.'ISAKMP Proposal Payload'.'next payload type' is 0
output: | sadb: delref @0x7ff4d067cfe8(1->0) (free_sa() +857 programs/pluto/ikev1_spdb.c)
output: | ***emit ISAKMP Nonce Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Security Association Payload'.'next payload type' to current ISAKMP Nonce Payload (10:ISAKMP_NEXT_NONCE)
output: | next payload chain: saving location 'ISAKMP Nonce Payload'.'next payload type' in 'reply packet'
output: | emitting 32 raw bytes of Ni into ISAKMP Nonce Payload
output: |   9f dc 54 c3  46 db 9f d4  57 2d 52 59  1b f5 02 1b   ..T.F...W-RY....
output: |   2a 4a 7b 7b  90 f9 49 6e  1e ef c4 e6  87 22 67 00   *J{{..In....."g.
output: | emitting length of ISAKMP Nonce Payload: 36
output: | struct dh_local_secret: addref @0x7ff4d060cfd8(1->2) (unpack_KE_from_helper() +155 programs/pluto/crypt_ke.c)
output: | ***emit ISAKMP Key Exchange Payload:
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: | next payload chain: setting previous 'ISAKMP Nonce Payload'.'next payload type' to current ISAKMP Key Exchange Payload (4:ISAKMP_NEXT_KE)
output: | next payload chain: saving location 'ISAKMP Key Exchange Payload'.'next payload type' in 'reply packet'
output: | emitting 256 raw bytes of keyex value into ISAKMP Key Exchange Payload
output: |   94 b1 20 f7  96 ec 1f 33  99 82 55 dd  34 30 f0 22   .. ....3..U.40."
output: |   37 8f 18 1a  32 c8 09 e4  22 ea 76 d0  bc ef de 09   7...2...".v.....
output: |   97 a5 d0 48  6d 96 12 35  35 5a 3b 1a  bd 8b 86 53   ...Hm..55Z;....S
output: |   a4 70 78 16  27 17 5a a4  35 2b 73 7b  34 d9 b6 45   .px.'.Z.5+s{4..E
output: |   f8 1e 48 dc  d7 7f 5c 3e  3d 7a 06 41  98 bd 9e c0   ..H...\>=z.A....
output: |   6c 69 a2 eb  42 f0 db 26  3d c4 22 83  a1 5d a2 da   li..B..&=."..]..
output: |   28 8b 0a 12  02 ff ae 1f  e3 05 6d 57  52 1e 83 6a   (.........mWR..j
output: |   89 0f b4 2e  eb 0e ae 48  a2 62 7c f7  d0 55 f7 0c   .......H.b|..U..
output: |   4d 26 86 3b  b9 ec 1f c5  95 19 26 d4  3a 96 0b a2   M&.;......&.:...
output: |   b6 47 08 ac  4f eb a5 8b  35 37 97 75  73 6e 36 03   .G..O...57.usn6.
output: |   4a 18 cc e9  f6 58 28 7e  76 64 21 86  78 73 79 ea   J....X(~vd!.xsy.
output: |   a1 ef 82 e0  6f e7 cf 83  12 d9 6a d1  57 62 d1 e5   ....o.....j.Wb..
output: |   8d 01 18 56  e0 ce 32 1c  c1 93 4b 68  a9 08 90 eb   ...V..2...Kh....
output: |   0f a3 73 be  ad 27 2d d7  d2 1a 40 c4  84 00 6a 7f   ..s..'-...@...j.
output: |   9f a2 5b b7  e0 d4 6f 3b  4d 8e 3e 45  ba ce 2c 5a   ..[...o;M.>E..,Z
output: |   3c d8 c3 fc  94 bd a7 29  5d c7 bd 52  3d 42 d5 49   <......)]..R=B.I
output: | emitting length of ISAKMP Key Exchange Payload: 260
output: | ***emit ISAKMP Identification Payload (IPsec DOI):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ID type: ID_IPV4_ADDR_SUBNET (0x4)
output: |    Protocol ID: ALL (0x0)
output: |    port: 0 (00 00)
output: | next payload chain: setting previous 'ISAKMP Key Exchange Payload'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
output: | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
output: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
output: | client network: c0 00 01 00
output: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
output: | client mask: ff ff ff 00
output: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
output: | ***emit ISAKMP Identification Payload (IPsec DOI):
output: |    next payload type: ISAKMP_NEXT_NONE (0x0)
output: |    ID type: ID_IPV4_ADDR_SUBNET (0x4)
output: |    Protocol ID: ALL (0x0)
output: |    port: 0 (00 00)
output: | next payload chain: setting previous 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' to current ISAKMP Identification Payload (IPsec DOI) (5:ISAKMP_NEXT_ID)
output: | next payload chain: saving location 'ISAKMP Identification Payload (IPsec DOI)'.'next payload type' in 'reply packet'
output: | emitting 4 raw bytes of client network into ISAKMP Identification Payload (IPsec DOI)
output: | client network: c0 00 02 00
output: | emitting 4 raw bytes of client mask into ISAKMP Identification Payload (IPsec DOI)
output: | client mask: ff ff ff 00
output: | emitting length of ISAKMP Identification Payload (IPsec DOI): 16
output: |     result: newref clone-key@0x7ff4d0625f80 (32-bytes, SHA256_HMAC)(init_symkey() +101 lib/libswan/ike_alg_prf_mac_nss_ops.c)
output: | HASH(1): delref clone-key@0x7ff4d0625f80
output: | outI1 HASH(1):
output: |   b2 b8 b2 7a  5b 08 88 dc  a9 29 14 c9  e2 dd 6c 5c   ...z[....)....l\
output: |   44 51 c2 19  c2 e9 d4 9a  79 5a da 93  b0 74 10 13   DQ......yZ...t..
output: | no IKEv1 message padding required
output: | emitting length of ISAKMP Message: 476
output: | sending 476 bytes for reply packet from quick_outI1 through eth1 from 192.1.2.45:500 to 192.1.2.23:500 using UDP (for #3)
output: |   ec 17 79 fe  a9 81 79 66  de 4d e9 3b  ce 1e 43 08   ..y...yf.M.;..C.
output: |   08 10 20 01  52 81 0a ab  00 00 01 dc  25 da fa ff   .. .R.......%...
output: |   b6 e2 89 01  8f 96 60 38  10 a3 8b e8  b7 2a e7 70   ......`8.....*.p
output: |   b8 69 9d 5b  35 40 a3 6a  47 a8 d5 3b  09 f5 08 ff   .i.[5@.jG..;....
output: |   ef 36 c5 20  ad 0c e4 66  80 f2 ab 8e  d3 02 7f fc   .6. ...f........
output: |   8d fe 5e 35  55 1a 57 68  fc 28 a4 91  0b 26 70 c0   ..^5U.Wh.(...&p.
output: |   33 55 40 8b  58 36 6e 18  e5 27 33 d2  d7 29 69 ac   3U@.X6n..'3..)i.
output: |   73 36 5f f2  38 26 85 a1  98 01 a7 e0  9a 52 6a 4e   s6_.8&.......RjN
output: |   20 fd e1 16  69 e6 57 2a  3e 0b 9c 29  c0 18 3b d8    ...i.W*>..)..;.
output: |   b0 cf 6c e2  28 12 c3 4b  03 b3 c8 f7  80 f9 4a 78   ..l.(..K......Jx
output: |   71 66 a1 20  6d 06 a2 51  79 ea 0f 22  61 39 11 de   qf. m..Qy.."a9..
output: |   98 3b 42 4e  5b be 1d ac  03 88 9f bc  6b 08 98 cd   .;BN[.......k...
output: |   7d b0 8e fd  68 e4 61 4f  97 6c fc ca  be 4c 85 ea   }...h.aO.l...L..
output: |   60 fc 8e a8  a8 05 82 40  03 a2 2e 3c  b0 00 46 0a   `......@...<..F.
output: |   dd f9 85 13  b6 7d 92 b1  93 67 53 59  5f 52 37 da   .....}...gSY_R7.
output: |   d7 51 ef 25  40 9d ff 97  2e 75 02 a5  98 cd 4f 16   .Q.%@....u....O.
output: |   d9 74 d2 3f  6f 55 df d8  9c 39 fa 7b  1a 9b 25 7e   .t.?oU...9.{..%~
output: |   8a b4 bd 43  cc e0 49 c6  28 2b 84 a0  79 83 81 72   ...C..I.(+..y..r
output: |   4e 05 c8 b9  65 1c df 52  24 e3 eb 71  b1 b5 e3 f1   N...e..R$..q....
output: |   fd 32 eb 54  2b f7 66 3d  a2 33 48 b1  43 45 a8 32   .2.T+.f=.3H.CE.2
output: |   28 56 05 96  f9 57 56 e8  bd 57 8c a9  56 c9 1e 46   (V...WV..W..V..F
output: |   4e 07 b5 59  7e 4b dd 77  76 46 5b fb  d2 e7 89 37   N..Y~K.wvF[....7
output: |   3c d9 91 cc  5e 9e 35 a8  45 55 33 e8  b7 7d b3 3f   <...^.5.EU3..}.?
output: |   50 de c3 5b  ee 76 ac fe  1e 5b 31 b9  ea d3 55 51   P..[.v...[1...UQ
output: |   1a 3a ae 2a  08 85 74 a1  14 0e 82 94  85 e1 2f 86   .:.*..t......./.
output: |   dc 0c 01 54  06 56 7f 11  4b d3 55 1e  be ca 0f 75   ...T.V..K.U....u
output: |   c7 f8 17 c7  ba 83 c9 37  e5 34 23 da  1f 1f a3 52   .......7.4#....R
output: |   60 36 0d 95  b9 20 0f e3  fd 70 87 49  0c f0 59 7f   `6... ...p.I..Y.
output: |   10 85 0e f8  13 5f 6d 9c  4c e4 55 94  9a c8 ce 4b   ....._m.L.U....K
output: |   47 bd eb 80  cc ee f2 86  96 4e 3c 59                G........N<Y
output: | #3 deleting EVENT_CRYPTO_TIMEOUT
output: | tt: delref @0x7ff4d0f80f68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | state-event: delref @0x7ff4d0f7efa8(1->0) (delete_event() +534 programs/pluto/timer.c)
output: | #3 STATE_QUICK_I1: retransmits: cleared
output: | event_schedule_where: newref EVENT_RETRANSMIT-pe@0x7ff4d067efa8 timeout in 60 seconds for #3
output: | tt: newref @0x7ff4d0f7ef68(0->1) (schedule_timeout() +557 programs/pluto/server.c)
output: | #3 STATE_QUICK_I1: retransmits: first event in 60 seconds; timeout in 60 seconds; limit of 12 retransmits; current time is 72.823732
output: "west-east" #3: sent Quick Mode request
output: | job 4 helper 1 #3 quick_outI1 (dh): final status STF_SKIP_COMPLETE_STATE_TRANSITION; cleaning up
output: | delref @0x7ff4d060cfd8(2->1) (cleanup_ke_and_nonce() +83 programs/pluto/crypt_ke.c)
output: | "west-east" #3: releasing whack (but there are none) (free_job() +430 programs/pluto/server_pool.c)
output: | logger: delref @0x7ff4d0f7cfc8(1->0) (free_job() +430 programs/pluto/server_pool.c)
output: | job: delref @0x7ff4d106ef98(1->0) (free_job() +431 programs/pluto/server_pool.c)
output: | resume sending job back to main thread for #3 suppressed complete_v1_state_transition()
output: | #3 spent 2.67 (21.6) milliseconds in resume sending job back to main thread
output: | tt: delref @0x7ff4d067af68(1->0) (destroy_timeout() +575 programs/pluto/server.c)
output: | helper 1: waiting for work
output: | processing global timer EVENT_SHUNT_SCAN
output: | kernel: checking for aged bare shunts from shunt table to expire
output: | spent 0.0214 (0.177) milliseconds in global timer EVENT_SHUNT_SCAN
output: | kernel: netlink_process_xfrm_messages() process messages
output: | netlink_get() recvfrom() returned 248 bytes
output: | netlink_xfrm_message_processor() got XFRM_MSG_EXPIRE message with length 248
output: | xfrm_kernel_sa_expire() spi 00000000 src 192.0.1.254 dst 192.0.2.254 hard mode 0 proto 50 bytes 0 packets 0
output: | acquire state with SPI SPISPI expired, ignore it
output: | kernel: netlink_process_xfrm_messages() process messages
output: | netlink_get() recvfrom() returned 248 bytes
output: | netlink_xfrm_message_processor() got XFRM_MSG_EXPIRE message with length 248
output: | xfrm_kernel_sa_expire() spi f484df86 src 192.1.2.23 dst 192.1.2.45 hard mode 0 proto 50 bytes 0 packets 0
output: | FOR_EACH_STATE_... in (find_v2_child_sa_by_spi() +1446 programs/pluto/state.c)
output: |   found "west-east" #3
output: |   found "west-east" #1
output: |   matches: 2
output: | received kernel hard EXPIRE event for IPsec SPI f484df86, but there is no connection with this SPI SPISPI dst 192.1.2.45 bytes 0 packets 0
west #
 ipsec _kernel state
west #
 ipsec _kernel policy
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
west #
 ipsec unroute west-east
west #
