Plutorun started on Tue Feb 25 13:17:57 EST 2014 adjusting ipsec.d to /etc/ipsec.d nss directory plutomain: /etc/ipsec.d NSS Initialized Non-fips mode set in /proc/sys/crypto/fips_enabled FIPS: not a FIPS product FIPS HMAC integrity verification test passed Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:13669 Non-fips mode set in /proc/sys/crypto/fips_enabled LEAK_DETECTIVE support [disabled] OCF support for IKE [disabled] SAref support [disabled]: Protocol not available SAbind support [disabled]: Protocol not available NSS support [enabled] HAVE_STATSD notification support not compiled in Setting NAT-Traversal port-4500 floating to on port floating activation criteria nat_t=1/port_float=1 NAT-Traversal support [enabled] | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds | event added at head of queue | inserting event EVENT_PENDING_DDNS, timeout in 60 seconds | event added at head of queue | inserting event EVENT_PENDING_PHASE2, timeout in 120 seconds | event added after event EVENT_PENDING_DDNS ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0) ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0) ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) starting up 1 cryptographic helpers started helper (thread) pid=140430446606080 (fd:7) Using Linux 2.6 IPsec interface code on 3.12.9-301.fc20.x86_64 (experimental code) | process 13669 listening for PF_KEY_V2 on file descriptor 11 | finish_pfkey_msg: K_SADB_REGISTER message 1 for AH | 02 07 00 02 02 00 00 00 01 00 00 00 65 35 00 00 | status value returned by setting the priority of this thread (id=0) 22 | helper 0 waiting on fd: 8 | pfkey_get: K_SADB_REGISTER message 1 | AH registered 
with kernel. | finish_pfkey_msg: K_SADB_REGISTER message 2 for ESP | 02 07 00 03 02 00 00 00 02 00 00 00 65 35 00 00 | pfkey_get: K_SADB_REGISTER message 2 | alg_init():memset(0x7fb888bcb980, 0, 2048) memset(0x7fb888bcc180, 0, 2048) | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=72 | kernel_alg_add():satype=3, exttype=14, alg_id=251 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[0], exttype=14, satype=3, alg_id=251, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=2 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[1], exttype=14, satype=3, alg_id=2, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=3 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[2], exttype=14, satype=3, alg_id=3, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=5 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[3], exttype=14, satype=3, alg_id=5, alg_ivlen=0, alg_minbits=256, alg_maxbits=256, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=6 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[4], exttype=14, satype=3, alg_id=6, alg_ivlen=0, alg_minbits=384, alg_maxbits=384, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=7 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[5], exttype=14, satype=3, alg_id=7, alg_ivlen=0, alg_minbits=512, alg_maxbits=512, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=8 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[6], exttype=14, satype=3, alg_id=8, alg_ivlen=0, alg_minbits=160, alg_maxbits=160, res=0, ret=1 | kernel_alg_add():satype=3, exttype=14, alg_id=9 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[7], exttype=14, satype=3, alg_id=9, alg_ivlen=0, alg_minbits=128, alg_maxbits=128, res=0, ret=1 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: sadb_msg_len=22 sadb_supported_len=88 | 
kernel_alg_add():satype=3, exttype=15, alg_id=11 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[8], exttype=15, satype=3, alg_id=11, alg_ivlen=0, alg_minbits=0, alg_maxbits=0, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=2 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[9], exttype=15, satype=3, alg_id=2, alg_ivlen=8, alg_minbits=64, alg_maxbits=64, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=3 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[10], exttype=15, satype=3, alg_id=3, alg_ivlen=8, alg_minbits=192, alg_maxbits=192, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=6 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[11], exttype=15, satype=3, alg_id=6, alg_ivlen=8, alg_minbits=40, alg_maxbits=128, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=7 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[12], exttype=15, satype=3, alg_id=7, alg_ivlen=8, alg_minbits=40, alg_maxbits=448, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=12 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[13], exttype=15, satype=3, alg_id=12, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=252 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[14], exttype=15, satype=3, alg_id=252, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=22 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[15], exttype=15, satype=3, alg_id=22, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=253 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[16], exttype=15, satype=3, alg_id=253, alg_ivlen=8, alg_minbits=128, alg_maxbits=256, res=0, ret=1 | kernel_alg_add():satype=3, exttype=15, alg_id=13 | kernel_alg_register_pfkey(): SADB_SATYPE_ESP: alg[17], exttype=15, satype=3, alg_id=13, alg_ivlen=8, alg_minbits=160, alg_maxbits=288, res=0, ret=1 | 
kernel_alg_add():satype=3, exttype=15, alg_id=18 | kernel_alg_add():satype=3, exttype=15, alg_id=19 | kernel_alg_add():satype=3, exttype=15, alg_id=20 | kernel_alg_add():satype=3, exttype=15, alg_id=14 | kernel_alg_add():satype=3, exttype=15, alg_id=15 | kernel_alg_add():satype=3, exttype=15, alg_id=16 ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) ike_alg_add(): ERROR: Algorithm already exists ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) ike_alg_add(): ERROR: Algorithm already exists ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) ike_alg_add(): ERROR: Algorithm already exists ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) ike_alg_add(): ERROR: Algorithm already exists ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) ike_alg_add(): ERROR: Algorithm already exists ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) | ESP registered with kernel. | finish_pfkey_msg: K_SADB_REGISTER message 3 for IPCOMP | 02 07 00 09 02 00 00 00 03 00 00 00 65 35 00 00 | pfkey_get: K_SADB_REGISTER message 3 | IPCOMP registered with kernel. Changed path to directory '/etc/ipsec.d/cacerts' Could not change to directory '/etc/ipsec.d/aacerts': /tmp Could not change to directory '/etc/ipsec.d/ocspcerts': /tmp Changing to directory '/etc/ipsec.d/crls' Warning: empty directory | selinux support is enabled. 
| inserting event EVENT_LOG_DAILY, timeout in 38523 seconds | event added after event EVENT_REINIT_SECRET | next event EVENT_PENDING_DDNS in 60 seconds | | *received whack message listening for IKE messages | found lo with address 127.0.0.1 | found eth0 with address 192.0.2.254 | found eth1 with address 192.1.2.23 | found eth2 with address 192.9.2.23 | NAT-Traversal: Trying new style NAT-T | NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=95) | NAT-Traversal: Trying old style NAT-T adding interface eth2/eth2 192.9.2.23:500 adding interface eth2/eth2 192.9.2.23:4500 adding interface eth1/eth1 192.1.2.23:500 adding interface eth1/eth1 192.1.2.23:4500 adding interface eth0/eth0 192.0.2.254:500 adding interface eth0/eth0 192.0.2.254:4500 adding interface lo/lo 127.0.0.1:500 adding interface lo/lo 127.0.0.1:4500 loading secrets from "/etc/ipsec.secrets" | Processing PSK at line 1: passed | * processed 0 messages from cryptographic helpers | next event EVENT_PENDING_DDNS in 60 seconds | next event EVENT_PENDING_DDNS in 60 seconds | | *received whack message | find_host_pair_conn (check_connection_end): 192.1.2.23:500 %any:500 -> hp:none | Added new connection any--east-l2tp with policy PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK | loopback=0 labeled_ipsec=0, policy_label=(null) | counting wild cards for @winxp is 0 | counting wild cards for @east is 0 | based upon policy, the connection is a template. | connect_to_host_pair: 192.1.2.23:500 0.0.0.0:500 -> hp:none added connection description "any--east-l2tp" | 192.1.2.23<192.1.2.23>[@east,+S=C]:17/1701...%virtual[@winxp,+S=C]:17/1701===? 
| ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; policy: PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK | * processed 0 messages from cryptographic helpers | next event EVENT_PENDING_DDNS in 59 seconds | next event EVENT_PENDING_DDNS in 59 seconds | | *received 312 bytes from 192.1.2.254:500 on eth1 (port=500) | **parse ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 00 00 00 00 00 00 00 00 | next payload type: ISAKMP_NEXT_SA | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_IDPROT | flags: none | message ID: 00 00 00 00 | length: 312 | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x2 opt: 0x2080 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID | length: 200 | DOI: ISAKMP_DOI_IPSEC | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: 
ISAKMP_NEXT_VID | length: 24 | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID | length: 20 | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID | length: 20 | got payload 0x2000(ISAKMP_NEXT_VID) needed: 0x0 opt: 0x2080 | ***parse ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE | length: 20 packet from 192.1.2.254:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] packet from 192.1.2.254:500: ignoring Vendor ID payload [FRAGMENTATION] packet from 192.1.2.254:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 packet from 192.1.2.254:500: ignoring Vendor ID payload [Vid-Initial-Contact] | nat-t detected, sending nat-t VID | find_host_connection2 called from main_inI1_outR1, me=192.1.2.23:500 him=192.1.2.254:500 policy=none | find_host_pair: comparing to 192.1.2.23:500 0.0.0.0:500 | find_host_pair_conn (find_host_connection2): 192.1.2.23:500 192.1.2.254:500 -> hp:none | find_host_connection2 returns empty | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE | length: 188 | proposal number: 1 | protocol ID: PROTO_ISAKMP | SPI size: 0 | number of transforms: 5 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T | length: 36 | transform number: 1 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 5 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 2 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 14 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | 
******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | length/value: 4 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T | length: 36 | transform number: 2 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 5 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 2 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 2 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | length/value: 4 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T | length: 36 | transform number: 3 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 5 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 2 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | length/value: 4 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T | length: 36 | transform number: 4 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 2 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: 
OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | length/value: 4 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE | length: 36 | transform number: 5 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | length/value: 4 | find_host_connection2 called from main_inI1_outR1, me=192.1.2.23:500 him=%any:500 policy=PSK | find_host_pair: comparing to 192.1.2.23:500 0.0.0.0:500 | find_host_pair_conn (find_host_connection2): 192.1.2.23:500 %any:500 -> hp:any--east-l2tp | searching for connection with policy = PSK | found policy = PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK (any--east-l2tp) | find_host_connection2 returns any--east-l2tp | instantiating "any--east-l2tp" for initial Main Mode message received on 192.1.2.23:500 | find_host_pair: comparing to 192.1.2.23:500 0.0.0.0:500 | connect_to_host_pair: 192.1.2.23:500 192.1.2.254:500 -> hp:none | instantiated "any--east-l2tp" for 192.1.2.254 | creating state object #1 at 0x7fb88a3dd730 | processing connection any--east-l2tp[1] 192.1.2.254 | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | inserting state object #1 on chain 17 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1 | event added at head of queue "any--east-l2tp"[1] 192.1.2.254 #1: responding to Main 
Mode from unknown peer 192.1.2.254 | **emit ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 80 09 90 31 b2 ce c5 88 | next payload type: ISAKMP_NEXT_SA | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_IDPROT | flags: none | message ID: 00 00 00 00 | ***emit ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_VID | DOI: ISAKMP_DOI_IPSEC | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE | length: 188 | proposal number: 1 | protocol ID: PROTO_ISAKMP | SPI size: 0 | number of transforms: 5 | *****parse ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_T | length: 36 | transform number: 1 | transform ID: KEY_IKE | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_ENCRYPTION_ALGORITHM | length/value: 5 | [5 is OAKLEY_3DES_CBC] | ike_alg_enc_ok(ealg=5,key_len=0): blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192, ret=1 | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_HASH_ALGORITHM | length/value: 2 | [2 is OAKLEY_SHA1] | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_GROUP_DESCRIPTION | length/value: 14 | [14 is OAKLEY_GROUP_MODP2048] | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_AUTHENTICATION_METHOD | length/value: 1 | [1 is OAKLEY_PRESHARED_KEY] | started looking for secret for @east->@winxp of kind PPK_PSK | actually looking for secret for @east->@winxp of kind PPK_PSK | line 1: key type PPK_PSK(@east) to type PPK_PSK | 1: compared key (none) to @east / @winxp -> 2 | 2: compared key (none) to @east / @winxp -> 2 | line 1: match=2 | best_match 0>2 best=0x7fb88a3db120 (line=1) | concluding with best_match=2 best=0x7fb88a3db120 (lineno=1) | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_TYPE | length/value: 1 | [1 is OAKLEY_LIFE_SECONDS] | ******parse ISAKMP Oakley attribute: | af+type: OAKLEY_LIFE_DURATION (variable length) | 
length/value: 4 | long duration: 28800 | Oakley Transform 1 accepted | ****emit IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY | ****emit ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE | proposal number: 1 | protocol ID: PROTO_ISAKMP | SPI size: 0 | number of transforms: 1 | *****emit ISAKMP Transform Payload (ISAKMP): | next payload type: ISAKMP_NEXT_NONE | transform number: 1 | transform ID: KEY_IKE | emitting 28 raw bytes of attributes into ISAKMP Transform Payload (ISAKMP) | attributes 80 01 00 05 80 02 00 02 80 04 00 0e 80 03 00 01 | attributes 80 0b 00 01 00 0c 00 04 00 00 70 80 | emitting length of ISAKMP Transform Payload (ISAKMP): 36 | emitting length of ISAKMP Proposal Payload: 44 | emitting length of ISAKMP Security Association Payload: 56 | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID | emitting 12 raw bytes of Vendor ID into ISAKMP Vendor ID Payload | Vendor ID 4f 45 68 79 4c 64 41 43 65 63 66 61 | emitting length of ISAKMP Vendor ID Payload: 16 | out_vendorid(): sending [Dead Peer Detection] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_VID | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID af ca d7 13 68 a1 f1 c9 6b 86 96 fc 77 57 01 00 | emitting length of ISAKMP Vendor ID Payload: 20 | sender checking NAT-t: 1 and 106 | out_vendorid(): sending [draft-ietf-ipsec-nat-t-ike-02_n] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE | emitting 16 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 90 cb 80 91 3e bb 69 6e 08 63 81 b5 ec 42 7b 1f | emitting length of ISAKMP Vendor ID Payload: 20 | emitting length of ISAKMP Message: 140 | peer supports fragmentation | complete state transition with STF_OK "any--east-l2tp"[1] 192.1.2.254 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | deleting event for #1 | sending reply packet to 192.1.2.254:500 (from port 500) | sending 140 bytes for STATE_MAIN_R0 through eth1:500 to 
192.1.2.254:500 (using #1) | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 | event added at head of queue "any--east-l2tp"[1] 192.1.2.254 #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 0 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 10 seconds for #1 | next event EVENT_RETRANSMIT in 10 seconds for #1 | | *received 360 bytes from 192.1.2.254:500 on eth1 (port=500) 
| **parse ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 80 09 90 31 b2 ce c5 88 | next payload type: ISAKMP_NEXT_KE | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_IDPROT | flags: none | message ID: 00 00 00 00 | length: 360 | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000 | v1 state object #1 found, in STATE_MAIN_R1 | processing connection any--east-l2tp[1] 192.1.2.254 | got payload 0x10(ISAKMP_NEXT_KE) needed: 0x410 opt: 0x102080 | ***parse ISAKMP Key Exchange Payload: | next payload type: ISAKMP_NEXT_NONCE | length: 260 | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x102080 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_NAT-D | length: 24 | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NAT-D | length: 24 | got payload 0x100000(ISAKMP_NEXT_NAT-D) needed: 0x0 opt: 0x102080 | ***parse ISAKMP NAT-D Payload: | next payload type: ISAKMP_NEXT_NONE | length: 24 | DH public value received: 
| inI2: checking NAT-t: 1 and 4 | _natd_hash: hasher=0x7fb888bb01a0(20) | _natd_hash: icookie= | c4 da 02 57 48 a6 11 b0 | _natd_hash: rcookie= | 80 09 90 31 b2 ce c5 88 | _natd_hash: ip= c0 01 02 17 | _natd_hash: port=500 | _natd_hash: hash= 96 f5 41 6d d1 3d cb 8c 6b 29 a2 24 ec 3d a3 bb | _natd_hash: hash= ef a8 51 38 | _natd_hash: hasher=0x7fb888bb01a0(20) | _natd_hash: icookie= | c4 da 02 57 48 a6 11 b0 | _natd_hash: rcookie= | 80 09 90 31 b2 ce c5 88 | _natd_hash: ip= c0 01 02 fe | _natd_hash: port=500 | _natd_hash: hash= 0f 84 3d e5 7f 03 4f cf b4 76 35 77 5a 4b 8f b1 | _natd_hash: hash= 00 8c cc f7 | NAT_TRAVERSAL hash=0 (me:0) (him:0) | expected NAT-D(me): 96 f5 41 6d d1 3d cb 8c 6b 29 a2 24 ec 3d a3 bb | expected NAT-D(me): ef a8 51 38 | expected NAT-D(him): | 0f 84 3d e5 7f 03 4f cf b4 76 35 77 5a 4b 8f b1 | 00 8c cc f7 | received NAT-D: 96 f5 41 6d d1 3d cb 8c 6b 29 a2 24 ec 3d a3 bb | received NAT-D: ef a8 51 38 | NAT_TRAVERSAL hash=1 (me:1) (him:0) | expected NAT-D(me): 96 f5 41 6d d1 3d cb 8c 6b 29 a2 24 ec 3d a3 bb | expected NAT-D(me): ef a8 51 38 | expected NAT-D(him): | 0f 84 3d e5 7f 03 4f cf b4 76 35 77 5a 4b 8f b1 | 00 8c cc f7 | received NAT-D: 2a 0b 79 cd 95 c8 e9 ea 63 43 00 45 e5 f5 2b 7d | received NAT-D: 4c e6 85 ad | NAT_TRAVERSAL hash=2 (me:1) (him:0) | NAT_TRAVERSAL nat_keepalive enabled "any--east-l2tp"[1] 192.1.2.254 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer is NATed | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds | event added after event EVENT_RETRANSMIT for #1 | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do build_kenonce op on seq: 1 (len=2776, pcw_work=1) | helper 0 read 2768+4/2776 bytes fd: 8 | helper 0 doing build_kenonce op id: 1 | NSS: Value of Prime: 
| NSS: Value of base: | 02 | NSS: generated dh priv and pub keys: 256 | NSS: Local DH secret: | a0 5d 00 7c b8 7f 00 00 | NSS: Public DH value sent(computed in NSS): | NSS: Local DH public value (pointer): | 90 55 00 7c b8 7f 00 00 | Generated nonce: | 18 d0 fa 64 ad 93 1a 0e 54 4a cc de d2 6f 0d d3 | crypto helper write of request: cnt=2776@winxp of kind PPK_PSK | actually looking for secret for @east->@winxp of kind PPK_PSK | line 1: key type PPK_PSK(@east) to 
type PPK_PSK | 1: compared key (none) to @east / @winxp -> 2 | 2: compared key (none) to @east / @winxp -> 2 | line 1: match=2 | best_match 0>2 best=0x7fb88a3db120 (line=1) | concluding with best_match=2 best=0x7fb88a3db120 (lineno=1) | parent1 type: 7 group: 14 len: 2776 | Copying DH pub key pointer to be sent to a thread helper | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do compute dh+iv op on seq: 2 (len=2776, pcw_work=1) | helper 0 read 2768+4/2776 bytes fd: 8 | helper 0 doing compute dh+iv op id: 2 | Started DH shared-secret computation in NSS: | Dropped no leading zeros 256 | calc_dh_shared(): time elapsed (OAKLEY_GROUP_MODP2048): 805 usec | DH shared-secret pointer: | 50 6e 00 7c b8 7f 00 00 | NSS: skeyid inputs (pss+NI+NR+shared) hasher: oakley_sha | shared-secret: 50 6e 00 7c b8 7f 00 00 | ni: 00 26 ed 61 3a cd f5 fb d4 de 2b 3b b8 b2 50 c8 | ni: 2c a9 5a db | nr: 18 d0 fa 64 ad 93 1a 0e 54 4a cc de d2 6f 0d d3 | NSS: st_skeyid in skeyid_preshared(): | 10 04 01 7c b8 7f 00 00 | NSS: Started key 
computation | NSS: enc keysize=24 | NSS: Freed 25-39 symkeys | NSS: copied skeyid_d_chunk | NSS: copied skeyid_a_chunk | NSS: copied skeyid_e_chunk | NSS: copied enc_key_chunk | NSS: Freed symkeys 1-23 | NSS: Freed padding chunks 
| end of IV generation | crypto helper write of request: cnt=2776@winxp of kind PPK_PSK | actually looking for secret for @east->@winxp of kind PPK_PSK | line 1: key type PPK_PSK(@east) to type PPK_PSK | 1: compared key (none) to @east / @winxp -> 2 | 2: compared key (none) to @east / @winxp -> 2 | line 1: match=2 | best_match 0>2 best=0x7fb88a3db120 (line=1) | concluding with best_match=2 best=0x7fb88a3db120 (lineno=1) | match_id a=@winxp | b=@winxp | results matched | trusted_ca called with a=(empty) b=(empty) | refine_connection: checking any--east-l2tp against any--east-l2tp, best=(none) with match=1(id=1/ca=1/reqca=1) | refine_connection: checked any--east-l2tp against any--east-l2tp, now for see if best | started looking for secret for @east->@winxp of kind PPK_PSK | actually looking for secret for @east->@winxp of kind PPK_PSK | line 1: key type PPK_PSK(@east) to type PPK_PSK | 1: compared key (none) to @east / @winxp -> 2 | 2: compared key (none) to @east / @winxp -> 2 | line 1: match=2 | best_match 0>2 best=0x7fb88a3db120 (line=1) | concluding with best_match=2 best=0x7fb88a3db120 (lineno=1) | offered CA: '%none' | hashing 196 bytes of SA | authentication succeeded | thinking about whether to send my certificate: | I have RSA key: OAKLEY_PRESHARED_KEY cert.type: CERT_NONE | sendcert: CERT_ALWAYSSEND and I did not get a certificate request | so do not send cert. | I did not send a certificate because digital signatures are not being used. 
(PSK) | **emit ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 80 09 90 31 b2 ce c5 88 | next payload type: ISAKMP_NEXT_ID | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_IDPROT | flags: ISAKMP_FLAG_ENCRYPTION | message ID: 00 00 00 00 | ***emit ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_HASH | ID type: ID_FQDN | Protocol ID: 0 | port: 0 | emitting 4 raw bytes of my identity into ISAKMP Identification Payload (IPsec DOI) | my identity 65 61 73 74 | emitting length of ISAKMP Identification Payload (IPsec DOI): 12 | hashing 196 bytes of SA | ***emit ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_VID | emitting 20 raw bytes of HASH_R into ISAKMP Hash Payload | HASH_R 18 d0 8d c3 f2 b5 41 7b 4b fd e0 e0 f3 9d 5a cf | HASH_R bb 8d 01 77 | emitting length of ISAKMP Hash Payload: 24 | out_vendorid(): sending [CAN-IKEv2] | ***emit ISAKMP Vendor ID Payload: | next payload type: ISAKMP_NEXT_NONE | emitting 5 raw bytes of V_ID into ISAKMP Vendor ID Payload | V_ID 49 4b 45 76 32 | emitting length of ISAKMP Vendor ID Payload: 9 | encrypting: | 08 00 00 0c 02 00 00 00 65 61 73 74 0d 00 00 18 | 18 d0 8d c3 f2 b5 41 7b 4b fd e0 e0 f3 9d 5a cf | bb 8d 01 77 00 00 00 09 49 4b 45 76 32 | IV: | 3c 22 59 da 7a 5a 60 3f | unpadded size is: 45 | emitting 3 zero bytes of encryption padding into ISAKMP Message | encrypting 48 using OAKLEY_3DES_CBC | NSS: do_3des init start | NSS: do_3des init end | next IV: 29 e7 b3 85 04 91 b5 38 | emitting length of ISAKMP Message: 76 | last encrypted block of Phase 1: | 29 e7 b3 85 04 91 b5 38 | complete state transition with STF_OK "any--east-l2tp"[1] 192.1.2.254 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | deleting event for #1 | state #1 NAT-T: new mapping 192.1.2.254:4500 | processing connection any--east-l2tp[1] 192.1.2.254 "any--east-l2tp"[1] 192.1.2.254 #1: new NAT mapping for #1, was 192.1.2.254:500, now 192.1.2.254:4500 | 
NAT-T: updating local port to 4500 | NAT-T connection has wrong interface definition 192.1.2.23:4500 vs 192.1.2.23:500 | NAT-T: using interface eth1:4500 | sending reply packet to 192.1.2.254:4500 (from port 4500) | sending 80 bytes for STATE_MAIN_R2 through eth1:4500 to 192.1.2.254:4500 (using #1) | 00 00 00 00 c4 da 02 57 48 a6 11 b0 80 09 90 31 | b2 ce c5 88 05 10 02 01 00 00 00 00 00 00 00 4c | 37 ae 4b 7e b3 9d 67 c4 d1 5a 08 1b 63 13 ba 5d | 9c ba 6a 35 42 44 a0 eb 35 6f e7 3a 1e 89 a2 c8 | 8b e5 fb 0b 58 cb 46 9c 29 e7 b3 85 04 91 b5 38 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #1 | event added after event EVENT_PENDING_PHASE2 "any--east-l2tp"[1] 192.1.2.254 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp2048} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | unpending state #1 | * processed 0 messages from cryptographic helpers | next event EVENT_NAT_T_KEEPALIVE in 20 seconds | next event EVENT_NAT_T_KEEPALIVE in 20 seconds | | *received 380 bytes from 192.1.2.254:4500 on eth1 (port=4500) | c4 da 02 57 48 a6 11 b0 80 09 90 31 b2 ce c5 88 | 08 10 20 01 be fc a5 33 00 00 01 7c b0 c6 36 69 | 3a 6e 97 72 48 92 b6 d7 ee e9 57 51 a8 ba b7 8a | ab 05 d6 fb ff 3d ae 60 20 38 0c e4 51 82 80 e9 | d0 3c 2c 65 a9 90 09 15 7a 95 73 17 fd 65 79 9c | 74 af 38 e2 3a da f5 db 37 c5 a5 15 c8 6d c5 df | 00 8a ba 29 f7 cb ce f8 ef 2a 06 a2 7e fd 5a 65 | 94 b3 dc 30 a0 8c 04 6a 3a 24 13 59 9f 86 21 65 | 8d 25 ac 41 ca 91 a5 f7 90 fb 58 be 87 e5 b0 30 | 41 2e 60 68 7f a9 a9 ac 18 44 09 47 4e 92 56 df | 8a c3 59 f4 24 15 58 9b 60 60 50 92 e7 c0 fd d9 | 2f 33 b3 ab b8 ed 9c 14 6a c8 80 4f 4a f8 f3 00 | 9c b5 eb 32 b8 76 3b 27 87 b2 83 e8 92 5e 40 2b | 6a 7a 52 73 8e 24 d7 d8 46 29 93 a2 ba 7b 91 3f | 81 c0 3a fa 52 f4 52 e5 95 3f b8 98 cb 83 1e 53 | 69 7e 0c 2d 43 8b 3a a3 f2 2e 95 5c fb 89 0f 75 | c7 c5 60 af f9 30 7a 69 2c b7 f7 
ab 21 3b 68 46 | eb 13 58 21 d0 e3 94 ad 76 07 09 61 03 93 91 1c | 3f d7 e3 d2 a1 a5 41 08 07 0c 6f 73 ae 8c 27 3c | 4a 74 1b 39 67 54 00 c5 ea 00 90 2f 11 23 82 f4 | 48 6d ff 45 82 e0 03 a6 c9 3e c8 99 58 40 dc 4c | b6 ed 24 13 6c f0 9c 7a 57 4b 7e d9 f6 87 5f 11 | 42 26 92 cf 9c 43 13 38 f9 99 90 72 d4 d6 b7 9a | 6c a3 80 86 12 b6 03 88 5c 0c af 06 | **parse ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 80 09 90 31 b2 ce c5 88 | next payload type: ISAKMP_NEXT_HASH | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_QUICK | flags: ISAKMP_FLAG_ENCRYPTION | message ID: be fc a5 33 | length: 380 | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | v1 peer and cookies match on #1, provided msgid befca533 vs 00000000 | v1 state object not found | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000 | v1 state object #1 found, in STATE_MAIN_R3 | processing connection any--east-l2tp[1] 192.1.2.254 | last Phase 1 IV: 29 e7 b3 85 04 91 b5 38 | current Phase 1 IV: 29 e7 b3 85 04 91 b5 38 | computed Phase 2 IV: | 15 6d 04 e8 ec 4e f3 d9 3c 3b 80 aa 75 2f 19 f9 | 50 20 aa aa | received encrypted packet from 192.1.2.254:4500 | decrypting 352 bytes using algorithm OAKLEY_3DES_CBC | NSS: do_3des init start | NSS: do_3des init end | decrypted: | 01 00 00 18 13 39 c2 b7 c8 0b 8a 40 97 f5 75 84 | 80 fd 1a e4 4f e7 04 9d 0a 00 01 08 00 00 00 01 | 00 00 00 01 00 00 00 fc 01 03 04 06 d1 a7 f0 c2 | 03 00 00 28 01 03 00 00 80 01 00 01 00 02 00 04 | 00 00 0e 10 80 01 00 02 00 02 00 04 00 03 d0 90 | 80 04 f0 04 80 05 00 01 03 00 00 28 02 03 00 00 | 80 01 00 01 00 02 00 04 00 00 0e 10 80 01 00 02 | 00 02 00 04 00 03 d0 90 80 04 f0 04 80 05 00 02 | 03 00 00 28 03 02 00 00 80 01 00 01 00 02 00 04 | 00 00 0e 10 
80 01 00 02 00 02 00 04 00 03 d0 90 | 80 04 f0 04 80 05 00 01 03 00 00 28 04 02 00 00 | 80 01 00 01 00 02 00 04 00 00 0e 10 80 01 00 02 | 00 02 00 04 00 03 d0 90 80 04 f0 04 80 05 00 02 | 03 00 00 28 05 0b 00 00 80 01 00 01 00 02 00 04 | 00 00 0e 10 80 01 00 02 00 02 00 04 00 03 d0 90 | 80 04 f0 04 80 05 00 02 00 00 00 28 06 0b 00 00 | 80 01 00 01 00 02 00 04 00 00 0e 10 80 01 00 02 | 00 02 00 04 00 03 d0 90 80 04 f0 04 80 05 00 01 | 05 00 00 18 66 09 97 f8 13 f4 cb 0b 12 cd 13 d2 | b5 45 d5 c9 2e 27 3c 56 05 00 00 0d 02 11 06 a5 | 77 69 6e 78 70 83 00 00 0c 01 11 06 a5 c0 01 02 | 17 00 00 00 0c 01 00 00 00 c0 01 03 22 00 00 00 | next IV: 12 b6 03 88 5c 0c af 06 | got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x502 opt: 0x200030 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_SA | length: 24 | got payload 0x2(ISAKMP_NEXT_SA) needed: 0x402 opt: 0x200030 | ***parse ISAKMP Security Association Payload: | next payload type: ISAKMP_NEXT_NONCE | length: 264 | DOI: ISAKMP_DOI_IPSEC | got payload 0x400(ISAKMP_NEXT_NONCE) needed: 0x400 opt: 0x200030 | ***parse ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID | length: 24 | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_ID | length: 13 | ID type: ID_FQDN | Protocol ID: 17 | port: 1701 | obj: 77 69 6e 78 70 | got payload 0x20(ISAKMP_NEXT_ID) needed: 0x0 opt: 0x200030 | ***parse ISAKMP Identification Payload (IPsec DOI): | next payload type: ISAKMP_NEXT_NAT-OA | length: 12 | ID type: ID_IPV4_ADDR | Protocol ID: 17 | port: 1701 | obj: c0 01 02 17 | got payload 0x200000(ISAKMP_NEXT_NAT-OA) needed: 0x0 opt: 0x200030 | ***parse ISAKMP NAT-OA Payload: | next payload type: ISAKMP_NEXT_NONE | length: 12 | ID type: ID_IPV4_ADDR | obj: c0 01 03 22 | removing 3 bytes of padding | HASH(1) computed: | 13 39 c2 b7 c8 0b 8a 40 97 f5 75 84 80 fd 1a e4 | 4f e7 04 9d "any--east-l2tp"[1] 192.1.2.254 #1: peer client type is 
FQDN "any--east-l2tp"[1] 192.1.2.254 #1: Applying workaround for MS-818043 NAT-T bug | our client is 192.1.2.23 | our client protocol/port is 17/1701 | NAT-Traversal: received 1 NAT-OA. | NAT-OA: 00 00 00 0c 01 00 00 00 c0 01 03 22 | received NAT-OA: 192.1.3.34 "any--east-l2tp"[1] 192.1.2.254 #1: IDci was FQDN: \300\001\002\027, using NAT_OA=192.1.3.34/32 0 as IDci "any--east-l2tp"[1] 192.1.2.254 #1: the peer proposed: 192.1.2.23/32:17/1701 -> 192.1.3.34/32:17/1701 | find_client_connection starting with any--east-l2tp | looking for 192.1.2.23/32:17/1701 -> 192.1.3.34/32:17/1701 | concrete checking against sr#0 192.1.2.23/32 -> 0.0.0.0/32 | match_id a=@winxp | b=@winxp | results matched | trusted_ca called with a=(empty) b=(empty) | fc_try trying any--east-l2tp:192.1.2.23/32:17/1701 -> 192.1.3.34/32:17/1701(virt) vs any--east-l2tp:192.1.2.23/32:17/1701 -> 0.0.0.0/32:17/1701(virt) | fc_try concluding with any--east-l2tp [128] | fc_try any--east-l2tp gives any--east-l2tp | concluding with d = any--east-l2tp | client wildcard: no port wildcard: no virtual: yes | setting phase 2 virtual values to 192.1.3.34/32===192.1.2.254[@winxp,+S=C]:17/1701 | NAT-Traversal: received 1 NAT-OA. 
| NAT-OA: 00 00 00 0c 01 00 00 00 c0 01 03 22 | received NAT-OA: 192.1.3.34 | duplicating state object #1 | creating state object #2 at 0x7fb88a3e1900 | processing connection any--east-l2tp[1] 192.1.2.254 | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | inserting state object #2 on chain 17 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2 | event added at head of queue | ****parse IPsec DOI SIT: | IPsec DOI SIT: SIT_IDENTITY_ONLY | ****parse ISAKMP Proposal Payload: | next payload type: ISAKMP_NEXT_NONE | length: 252 | proposal number: 1 | protocol ID: PROTO_IPSEC_ESP | SPI size: 4 | number of transforms: 6 | parsing 4 raw bytes of ISAKMP Proposal Payload into SPI | SPI d1 a7 f0 c2 | *****parse ISAKMP Transform Payload (ESP): | next payload type: ISAKMP_NEXT_T | length: 40 | transform number: 1 | transform ID: ESP_3DES | ******parse ISAKMP IPsec DOI attribute: | af+type: SA_LIFE_TYPE | length/value: 1 | ******parse ISAKMP IPsec DOI attribute: | af+type: SA_LIFE_DURATION | length/value: 4 | long duration: 3600 | ******parse ISAKMP IPsec DOI attribute: | af+type: SA_LIFE_TYPE | length/value: 2 | ******parse ISAKMP IPsec DOI attribute: | af+type: SA_LIFE_DURATION | length/value: 4 | long duration: 250000 | ******parse ISAKMP IPsec DOI attribute: | af+type: ENCAPSULATION_MODE | length/value: 61444 | [61444 is ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS] | ******parse ISAKMP IPsec DOI attribute: | af+type: AUTH_ALGORITHM | length/value: 1 | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do build_nonce op on seq: 3 (len=2776, pcw_work=1) | helper 0 read 2768+4/2776 bytes fd: 8 | helper 0 doing build_nonce op id: 3 | Generated nonce: | 4c fa ef 61 3c 35 e4 b5 92 27 5b 08 59 1e 9c 8e | crypto helper write of request: cnt=2776[@east,+S=C]:17/1701 "any--east-l2tp"[1] 192.1.2.254 #2: them: 192.1.2.254[@winxp,+S=C]:17/1701===192.1.3.34/32 | ***emit ISAKMP Nonce Payload: | next payload type: ISAKMP_NEXT_ID | 
emitting 16 raw bytes of Nr into ISAKMP Nonce Payload | Nr 4c fa ef 61 3c 35 e4 b5 92 27 5b 08 59 1e 9c 8e | emitting length of ISAKMP Nonce Payload: 20 | emitting 13 raw bytes of IDci into ISAKMP Message | IDci 05 00 00 0d 02 11 06 a5 77 69 6e 78 70 | emitting 12 raw bytes of IDcr into ISAKMP Message | IDcr 83 00 00 0c 01 11 06 a5 c0 01 02 17 | HASH(2) computed: | 9d 95 f9 e0 56 c7 41 19 54 71 91 79 89 3e 9f b7 | 28 a8 67 d7 | compute_proto_keymat:needed_len (after ESP enc)=24 | compute_proto_keymat:needed_len (after ESP auth)=40 | ESP KEYMAT | KEYMAT computed: | 49 2e 07 84 d5 cf 24 e0 8b 57 86 04 3f 7a 6f cc | e9 60 b2 9c 22 aa 09 94 9e 1c bb 5d 2e 69 39 57 | 9a 0a 8d ba 26 7a bd 65 | Peer KEYMAT computed: | 11 ff d2 ca 87 b2 3e 22 e8 52 b6 14 a0 0b 9b bc | 44 c8 1f 68 51 aa 67 a9 18 a9 72 71 d1 41 a1 29 | f6 0f 61 ad 40 e8 9a ef | route owner of "any--east-l2tp"[1] 192.1.2.254 unrouted: NULL | install_inbound_ipsec_sa() checking if we can route | route owner of "any--east-l2tp"[1] 192.1.2.254 unrouted: NULL; eroute owner: NULL | could_route called for any--east-l2tp (kind=CK_INSTANCE) | routing is easy, or has resolvable near-conflict | checking if this is a replacement state | st=0x7fb88a3e1900 ost=(nil) st->serialno=#2 ost->serialno=#0 | installing outgoing SA now as refhim=0 | looking for alg with transid: 3 keylen: 0 auth: 1 | checking transid: 11 keylen: 0 auth: 1 | checking transid: 11 keylen: 0 auth: 2 | checking transid: 2 keylen: 8 auth: 0 | checking transid: 2 keylen: 8 auth: 1 | checking transid: 2 keylen: 8 auth: 2 | checking transid: 3 keylen: 24 auth: 0 | checking transid: 3 keylen: 24 auth: 1 | esp enckey: 11 ff d2 ca 87 b2 3e 22 e8 52 b6 14 a0 0b 9b bc | esp enckey: 44 c8 1f 68 51 aa 67 a9 | esp authkey: 18 a9 72 71 d1 41 a1 29 f6 0f 61 ad 40 e8 9a ef | using old struct xfrm_algo for XFRM message | outgoing SA has refhim=4294901761 | looking for alg with transid: 3 keylen: 0 auth: 1 | checking transid: 11 keylen: 0 auth: 1 | checking transid: 11 
keylen: 0 auth: 2 | checking transid: 2 keylen: 8 auth: 0 | checking transid: 2 keylen: 8 auth: 1 | checking transid: 2 keylen: 8 auth: 2 | checking transid: 3 keylen: 24 auth: 0 | checking transid: 3 keylen: 24 auth: 1 | esp enckey: 49 2e 07 84 d5 cf 24 e0 8b 57 86 04 3f 7a 6f cc | esp enckey: e9 60 b2 9c 22 aa 09 94 | esp authkey: 9e 1c bb 5d 2e 69 39 57 9a 0a 8d ba 26 7a bd 65 | using old struct xfrm_algo for XFRM message | add inbound eroute 192.1.3.34/32:0 --17-> 192.1.2.23/32:1701 => tun.10000@192.1.2.23 (raw_eroute) | raw_eroute result=1 | encrypting: | 01 00 00 18 9d 95 f9 e0 56 c7 41 19 54 71 91 79 | 89 3e 9f b7 28 a8 67 d7 0a 00 00 40 00 00 00 01 | 00 00 00 01 00 00 00 34 01 03 04 01 15 ee d5 cd | 00 00 00 28 01 03 00 00 80 01 00 01 00 02 00 04 | 00 00 0e 10 80 01 00 02 00 02 00 04 00 03 d0 90 | 80 04 f0 04 80 05 00 01 05 00 00 14 4c fa ef 61 | 3c 35 e4 b5 92 27 5b 08 59 1e 9c 8e 05 00 00 0d | 02 11 06 a5 77 69 6e 78 70 00 00 00 0c 01 11 06 | a5 c0 01 02 17 | IV: | 12 b6 03 88 5c 0c af 06 | unpadded size is: 133 | emitting 3 zero bytes of encryption padding into ISAKMP Message | encrypting 136 using OAKLEY_3DES_CBC | NSS: do_3des init start | NSS: do_3des init end | next IV: a5 3a 92 47 3d 30 3b f8 | emitting length of ISAKMP Message: 164 | finished processing quick inI1 | complete state transition with STF_OK "any--east-l2tp"[1] 192.1.2.254 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | deleting event for #2 | sending reply packet to 192.1.2.254:4500 (from port 4500) | sending 168 bytes for STATE_QUICK_R0 through eth1:4500 to 192.1.2.254:4500 (using #2) | 00 00 00 00 c4 da 02 57 48 a6 11 b0 80 09 90 31 | b2 ce c5 88 08 10 20 01 be fc a5 33 00 00 00 a4 | 68 24 cc af 5e 03 ef 23 6c 8e 77 7b 44 70 16 c9 | 8e bf 3f 58 38 5c 94 ac db c1 47 4b 8b 00 cf 7b | d9 cf 41 23 16 0b d8 a0 ed 60 c2 6c a6 69 96 d0 | 8d e4 0a 5c 46 03 d0 bd 3d 2f f7 2b f5 d7 56 6f | 8f 4f 2d 33 3c 8e 97 18 ac 94 a0 14 0f 49 47 f0 | bb 31 06 30 45 70 4a 67 c3 7a bb 2d 
93 8f 07 b6 | 61 92 d3 74 32 75 11 5b 37 de 29 3a 34 28 60 20 | 87 d8 38 2c 58 a0 04 bb 67 0f 15 86 ae 3f ea 1c | a5 3a 92 47 3d 30 3b f8 | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2 | event added at head of queue "any--east-l2tp"[1] 192.1.2.254 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 1 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 10 seconds for #2 | next event EVENT_RETRANSMIT in 10 seconds for #2 | | *received 52 bytes from 192.1.2.254:4500 on eth1 (port=4500) | c4 da 02 57 48 a6 11 b0 80 09 90 31 b2 ce c5 88 | 08 10 20 01 be fc a5 33 00 00 00 34 ee d0 32 86 | 34 7e 10 d1 f8 68 f0 07 17 10 df 3b 46 46 be 8c | ba 09 b4 12 | **parse ISAKMP Message: | initiator cookie: | c4 da 02 57 48 a6 11 b0 | responder cookie: | 80 09 90 31 b2 ce c5 88 | next payload type: ISAKMP_NEXT_HASH | ISAKMP version: ISAKMP Version 1.0 (rfc2407) | exchange type: ISAKMP_XCHG_QUICK | flags: ISAKMP_FLAG_ENCRYPTION | message ID: be fc a5 33 | length: 52 | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | ICOOKIE: c4 da 02 57 48 a6 11 b0 | RCOOKIE: 80 09 90 31 b2 ce c5 88 | state hash entry 17 | v1 peer and cookies match on #2, provided msgid befca533 vs befca533 | v1 state object #2 found, in STATE_QUICK_R1 | processing connection any--east-l2tp[1] 192.1.2.254 | received encrypted packet from 192.1.2.254:4500 | decrypting 24 bytes using algorithm OAKLEY_3DES_CBC | NSS: do_3des init start | NSS: do_3des init end | decrypted: | 00 00 00 18 89 cb 2a 8b 5e da 1e e2 45 a3 bd cc | 02 29 23 aa cb 18 9b be | next IV: 46 46 be 8c ba 09 b4 12 | got payload 0x100(ISAKMP_NEXT_HASH) needed: 0x100 opt: 0x0 | ***parse ISAKMP Hash Payload: | next payload type: ISAKMP_NEXT_NONE | length: 24 | HASH(3) computed: 89 cb 2a 8b 5e da 1e e2 45 a3 bd cc 02 29 23 aa | HASH(3) computed: cb 18 9b be | 
install_ipsec_sa() for #2: outbound only | route owner of "any--east-l2tp"[1] 192.1.2.254 unrouted: NULL; eroute owner: NULL | could_route called for any--east-l2tp (kind=CK_INSTANCE) | sr for #2: unrouted | route owner of "any--east-l2tp"[1] 192.1.2.254 unrouted: NULL; eroute owner: NULL | route_and_eroute with c: any--east-l2tp (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2 | eroute_connection add eroute 192.1.2.23/32:1701 --17-> 192.1.3.34/32:0 => esp.d1a7f0c2@192.1.2.254 (raw_eroute) | netlink_raw_eroute: proto = 50, substituting 192.1.3.34/32 with 192.1.2.254/32 "any--east-l2tp"[1] 192.1.2.254 #2: netlink_raw_eroute: WARNING: that_client port 0 and that_host port 4500 don't match. Using that_client port. | raw_eroute result=1 | command executing up-host | executing up-host: 2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l2tp' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.3.34/32' PLUTO_PEER_CLIENT_NET='192.1.3.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown | popen(): cmd is 779 chars long | cmd( 0):2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l2tp' : | cmd( 80):PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_: | cmd( 160):MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' P: | cmd( 240):LUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17: | 
cmd( 320):' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.3.34/: | cmd( 400):32' PLUTO_PEER_CLIENT_NET='192.1.3.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' : | cmd( 480):PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='ne: | cmd( 560):tkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAM: | cmd( 640):E='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='': | cmd( 720): PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown: | route_and_eroute: firewall_notified: true | command executing prepare-host | executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l2tp' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.3.34/32' PLUTO_PEER_CLIENT_NET='192.1.3.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown | popen(): cmd is 784 chars long | cmd( 0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l: | cmd( 80):2tp' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' P: | cmd( 160):LUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.: | cmd( 240):23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCO: | cmd( 320):L='17' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.: | cmd( 400):3.34/32' PLUTO_PEER_CLIENT_NET='192.1.3.34' 
PLUTO_PEER_CLIENT_MASK='255.255.255.: | cmd( 480):255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STAC: | cmd( 560):K='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_US: | cmd( 640):ERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_IN: | cmd( 720):FO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown: | command executing route-host | executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l2tp' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.3.34/32' PLUTO_PEER_CLIENT_NET='192.1.3.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' PLUTO_XAUTH_USERNAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown | popen(): cmd is 782 chars long | cmd( 0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='any--east-l2t: | cmd( 80):p' PLUTO_INTERFACE='eth1' PLUTO_NEXT_HOP='192.1.2.254' PLUTO_ME='192.1.2.23' PLU: | cmd( 160):TO_MY_ID='@east' PLUTO_MY_CLIENT='192.1.2.23/32' PLUTO_MY_CLIENT_NET='192.1.2.23: | cmd( 240):' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL=: | cmd( 320):'17' PLUTO_PEER='192.1.2.254' PLUTO_PEER_ID='@winxp' PLUTO_PEER_CLIENT='192.1.3.: | cmd( 400):34/32' PLUTO_PEER_CLIENT_NET='192.1.3.34' PLUTO_PEER_CLIENT_MASK='255.255.255.25: | cmd( 480):5' PLUTO_PEER_PORT='1701' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK=: | cmd( 560):'netkey' PLUTO_CONN_POLICY='PSK+ENCRYPT+IKEv2ALLOW+SAREFTRACK' 
PLUTO_XAUTH_USER: | cmd( 640):NAME='' PLUTO_IS_PEER_CISCO='0' PLUTO_CISCO_DNS_INFO='' PLUTO_CISCO_DOMAIN_INFO: | cmd( 720):='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown: | route_and_eroute: instance "any--east-l2tp"[1] 192.1.2.254, setting eroute_owner {spd=0x7fb88a3dd2d8,sr=0x7fb88a3dd2d8} to #2 (was #0) (newest_ipsec_sa=#0) | inI2: instance any--east-l2tp[1], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) | complete state transition with STF_OK "any--east-l2tp"[1] 192.1.2.254 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | deleting event for #2 | inserting event EVENT_SA_REPLACE, timeout in 3330 seconds for #2 | event added after event EVENT_PENDING_PHASE2 "any--east-l2tp"[1] 192.1.2.254 #2: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xd1a7f0c2 <0x15eed5cd xfrm=3DES_0-HMAC_MD5 NATOA=192.1.3.34 NATD=192.1.2.254:4500 DPD=none} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 0 messages from cryptographic helpers | next event EVENT_NAT_T_KEEPALIVE in 20 seconds | next event EVENT_NAT_T_KEEPALIVE in 20 seconds | | next event EVENT_NAT_T_KEEPALIVE in 0 seconds | *time to handle event | handling event EVENT_NAT_T_KEEPALIVE | event after this is EVENT_PENDING_DDNS in 33 seconds | processing connection any--east-l2tp[1] 192.1.2.254 | Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes) | processing connection any--east-l2tp[1] 192.1.2.254 | Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes) | next event EVENT_PENDING_DDNS in 33 seconds