WORK IN PROGRESS - output needs to get fully reviewed
Starting UML /btmp/antony/ikev2/2008_01_14/UMLPOOL/east/start.sh
spawn /btmp/antony/ikev2/2008_01_14/UMLPOOL/east/start.sh single
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Checking for tmpfs mount on /dev/shm...OK
Checking PROT_EXEC mmap in /dev/shm/...OK
Checking for the skas3 patch in the host:
- /proc/mm...not found
- PTRACE_FAULTINFO...not found
- PTRACE_LDT...not found
UML running in SKAS0 mode
Checking that ptrace can change system call numbers...OK
Checking syscall emulation patch for ptrace...OK
Checking advanced syscall emulation patch for ptrace...OK
Linux version 2.6.18.6 (antony@cyclops) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 Mon Jan 14 16:26:00 EST 2008
Built 1 zonelists. Total pages: 8192
Kernel command line: initrd=/btmp/antony/ikev2/2008_01_14/UMLPOOL/initrd.uml umlroot=/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root root=/dev/ram0 rw ssl=pty eth0=daemon,10:00:00:dc:bc:ff,unix,/tmp/umlN7rfs9.d/east/ctl,/tmp/umlN7rfs9.d/east/data eth1=daemon,10:00:00:64:64:23,unix,/tmp/umlN7rfs9.d/public/ctl,/tmp/umlN7rfs9.d/public/data eth2=daemon,10:00:00:32:64:23,unix,/tmp/umlN7rfs9.d/admin/ctl,/tmp/umlN7rfs9.d/admin/data init=/linuxrc single
PID hash table entries: 256 (order: 8, 1024 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 27292k available
Mount-cache hash table entries: 512
Checking for host processor cmov support...Yes
Checking for host processor xmm support...No
Checking that host ptys support output SIGIO...Yes
Checking that host ptys support SIGIO on close...No, enabling workaround
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 1212k freed
Using 2.6 host AIO
NET: Registered protocol family 16
NET: Registered protocol family 2
IP route cache hash table entries: 256 (order: -2, 1024 bytes)
TCP established hash table entries: 1024 (order: 0, 4096 bytes)
TCP bind hash table entries: 512 (order: -1, 2048 bytes)
TCP: Hash tables configured (established 1024 bind 512)
TCP reno registered
klips_info:ipsec_init: KLIPS startup, Libreswan KLIPS IPsec stack version: 2.5.testing-g70d71a2f-dirty
NET: Registered protocol family 15
klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251)
klips_info:ipsec_alg_init: calling ipsec_alg_static_init()
ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0
ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0
ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
daemon_setup : Ignoring data socket specification
Netdevice 0 (10:00:00:dc:bc:ff) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/east/ctl
daemon_setup : Ignoring data socket specification
Netdevice 1 (10:00:00:64:64:23) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/public/ctl
daemon_setup : Ignoring data socket specification
Netdevice 2 (10:00:00:32:64:23) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/admin/ctl
Checking host MADV_REMOVE support...OK
mconsole (version 2) initialized on /home/antony/.uml/east/mconsole
Host TLS support detected
Detected host type: i386
VFS: Disk quotas dquot_6.5.1
Dquot-cache hash table entries: 1024 (order 0, 4096 bytes)
Initializing Cryptographic API
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
loop: loaded (max 8 devices)
nbd: registered device at major 43
PPP generic driver version 2.4.2
SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256).
tun: Universal TUN/TAP device driver, 1.6
tun: (C) 1999-2004 Max Krasnyansky
Netfilter messages via NETLINK v0.30.
IPv4 over IPv4 tunneling driver
GRE over IPv4 tunneling driver
ip_conntrack version 2.4 (213 buckets, 1704 max) - 204 bytes per conntrack
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
TCP bic registered
TCP cubic registered
TCP westwood registered
TCP highspeed registered
TCP hybla registered
TCP htcp registered
TCP vegas registered
TCP scalable registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Initialized stdio console driver
Console initialized on /dev/tty0
Initializing software serial port version 1
Failed to open 'root_fs', errno = 2
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 1212KiB [1 disk] into ram disk... |/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\done.
VFS: Mounted root (cramfs filesystem) readonly.
MOUNTING /btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root for UML testing root.
Mounting a tmpfs over /dev...done.
Creating initial device nodes...done.
Invoked with Arguments: single
Creating initial device nodes...done.
crw-r--r-- 1 root root 5, 1 Feb 13 23:54 /dev/console
line_ioctl: tty0: ioctl KDSIGACCEPT called
INIT: version 2.78 booting
/dev/root on / type hostfs (rw)
proc on /proc type proc (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/shm on /tmp type tmpfs (rw)
/dev/shm on /var/run type tmpfs (rw)
none on /usr/share type hostfs (ro)
none on /testing type hostfs (ro,/home/antony/ikev2/testing)
none on /usr/src type hostfs (ro,/home/antony/ikev2)
none on /usr/obj type hostfs (ro,/home/antony/ikev2/OBJ.linux.i386)
none on /usr/local type hostfs (rw,/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root/usr/local)
none on /var/tmp type hostfs (rw,/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root/var/tmp)
none on /proc type proc (rw)
crw-r--r-- 1 root root 5, 1 Feb 13 23:54 /dev/console
mount: proc already mounted
Activating swap...
Checking all file systems...
Parallelizing fsck version 1.18 (11-Nov-1999)
Setting kernel variables.
Mounting local filesystems...
mount: devpts already mounted on /dev/pts
/dev/shm on /tmp type tmpfs (rw)
/dev/shm on /var/run type tmpfs (rw)
none on /usr/share type hostfs (ro)
none on /testing type hostfs (ro,/home/antony/ikev2/testing)
none on /usr/src type hostfs (ro,/home/antony/ikev2)
none on /usr/obj type hostfs (ro,/home/antony/ikev2/OBJ.linux.i386)
none on /usr/local type hostfs (rw,/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root/usr/local)
none on /var/tmp type hostfs (rw,/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root/var/tmp)
Enabling packet forwarding: done.
Configuring network interfaces: done.
Cleaning: /tmp /var/lock /var/run.
Initializing random number generator... done.
Recovering nvi editor sessions... done.
Give root password for maintenance
(or type Control-D for normal startup):
east:~# echo Starting loading module
Starting loading module
east:~# exec bash --noediting
east:~# ulimit -c unlimited
east:~# echo Finished loading module
Finished loading module
east:~# klogd -c 4 -x -f /tmp/klog.log
east:~# : ==== start ====
east:~# TESTNAME=netkey-pluto-01
east:~# source /testing/pluto/bin/eastlocal.sh
east:~# ipsec setup start
ipsec_setup: Starting Libreswan IPsec U2.5.testing-g21680e0d-dirty/K2.5.testing-g70d71a2f-dirty...
east:~# ipsec auto --add westnet-eastnet
east:~# ipsec whack --debug-control --debug-controlmore --debug-crypt
east:~# /testing/pluto/bin/wait-until-pluto-started
east:~# : === NETJIG start of WEST westrun.sh
east:~#
east:~# : ==== cut ====
east:~# ipsec auto --status
000 using kernel interface: klips
000 interface ipsec0/eth1 192.1.2.23
000 %myid = (none)
000 debug crypt+control+controlmore
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "westnet-eastnet": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east,S=C]...192.1.2.45<192.1.2.45>[@west,S=C]===192.0.1.0/24; erouted HOLD; eroute owner: #0
000 "westnet-eastnet": myip=unset; hisip=unset;
000 "westnet-eastnet": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "westnet-eastnet": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW; prio: 24,24; interface: eth1;
000 "westnet-eastnet": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "westnet-eastnet": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=-strict
000 "westnet-eastnet": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000
000 #3: "westnet-eastnet":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 6s; nodpd; idle; import:local rekey
000 #3: pending Phase 2 for "westnet-eastnet" replacing #0
000
east:~# cat /tmp/pluto.log
Plutorun started on Wed Feb 13 23:54:52 GMT 2008
Starting Pluto (Libreswan Version 2.5.testing-g21680e0d-dirty; Vendor ID OEGJMMweP{pQ) pid:912
Setting NAT-Traversal port-4500 floating to off
port floating activation criteria nat_t=0/port_float=1
including NAT-Traversal patch (Version 0.6c) [disabled]
using /dev/urandom as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
starting up 1 cryptographic helpers
started helper pid=913 (fd:6)
Using KLIPS IPsec interface code on 2.6.18.6
Changed path to directory '/tmp/netkey-pluto-01/ipsec.d/cacerts'
loaded CA cert file 'otherca.crt' (1428 bytes)
loaded CA cert file 'caCert.pem' (4854 bytes)
loaded CA cert file 'ca.crt' (1184 bytes)
RSA modulus too small for security: less than 512 bits
error in X.509 certificate
Changed path to directory '/tmp/netkey-pluto-01/ipsec.d/aacerts'
Changed path to directory '/tmp/netkey-pluto-01/ipsec.d/ocspcerts'
Changing to directory '/tmp/netkey-pluto-01/ipsec.d/crls'
loaded crl file 'othercacrl.pem' (556 bytes)
loaded crl file 'nic.crl' (642 bytes)
loaded crl file 'crashcrl-3.pem' (690 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/crashcrl-3.pem)
loaded crl file 'crashcrl-2.pem' (528 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/crashcrl-2.pem)
loaded crl file 'crashcrl-1.pem' (1053 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/crashcrl-1.pem)
loaded crl file 'cacrlvalid.pem' (581 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/cacrlvalid.pem)
loaded crl file 'cacrlnotyetvalid.pem' (552 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/cacrlnotyetvalid.pem)
loaded crl file 'cacrlexpired.pem' (552 bytes)
crl issuer cacert not found for (file:///tmp/netkey-pluto-01/ipsec.d/crls/cacrlexpired.pem)
using /dev/urandom as source of random entropy
added connection description "westnet-eastnet"
listening for IKE messages
adding interface ipsec0/eth1 192.1.2.23:500
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| base debugging = crypt+control+controlmore
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 120 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x8142e30) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x8142e30) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 120 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81438a8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81438a8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 117 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x8144350) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x8144350) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 115 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81442c8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81442c8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 113 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x813f7e8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x813f7e8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 111 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81442c8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81442c8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 109 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x813f7e8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x813f7e8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 107 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81442c8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81442c8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 105 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x813f7e8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x813f7e8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 103 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81442c8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81442c8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 101 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81442c8) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81442c8) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 99 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x81494d0) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x81494d0) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 97 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814a928) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814a928) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 94 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x8144e08) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x8144e08) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 92 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814bd20) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814bd20) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 90 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814bd18) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814bd18) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 88 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814bd18) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814bd18) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 86 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814bd20) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814bd20) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 84 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814f120) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814f120) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 82 seconds
|
| *received whack message
listening for IKE messages
| found ipsec0 with address 192.1.2.23
| found eth0 with address 192.0.2.254
| found eth1 with address 192.1.2.23
| found eth2 with address 192.9.2.23
| found lo with address 127.0.0.1
| IP interface lo 127.0.0.1 has no matching ipsec* interface -- ignored
| IP interface eth2 192.9.2.23 has no matching ipsec* interface -- ignored
| IP interface eth0 192.0.2.254 has no matching ipsec* interface -- ignored
| could not open /proc/net/if_inet6
forgetting secrets
loading secrets from "/tmp/netkey-pluto-01/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQN3cn11F
| id type added to secret(0x814fb78) 1: C=ca, ST=Ontario, O=Libreswan, CN=east.libreswan.org, E=testing.libreswan.org
| id type added to secret(0x814fb78) 1: %any
loaded private key file '/etc/ipsec.d/private/east.key' (464 bytes)
| decrypting file using 'DES-EDE3-CBC'
"/tmp/netkey-pluto-01/ipsec.secrets" line 25: RSA modulus too small for security: less than 512 bits
| * processed 0 messages from cryptographic helpers
| next event EVENT_SHUNT_SCAN in 80 seconds
|
| *received 404 bytes from 192.1.2.45:500 on eth1 (port=500)
| processing version=1.0 packet with exchange
type=ISAKMP_XCHG_IDPROT (2) packet from 192.1.2.45:500: received Vendor ID payload [Libreswan (this version) 2.5.testing-g21680e0d-dirty ] packet from 192.1.2.45:500: received Vendor ID payload [Dead Peer Detection] | find_host_connection called from main_inI1_outR1, me=192.1.2.23:500 him=192.1.2.45:500 policy=none | find_host_pair: comparing to 192.1.2.23:500 192.1.2.45:500 | find_host_pair_conn (find_host_connection2): 192.1.2.23:500 192.1.2.45:500 -> hp:westnet-eastnet | find_host_connection returns westnet-eastnet | creating state object #1 at 0x81503d0 | processing connection westnet-eastnet | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | inserting state object #1 on chain 4 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #1 "westnet-eastnet" #1: responding to Main Mode | Oakley Transform 0 accepted | sender checking NAT-t: 0 and 0 | complete state transition with STF_OK "westnet-eastnet" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1 | sending reply packet to 192.1.2.45:500 (from port 500) | sending 116 bytes for STATE_MAIN_R0 through eth1:500 to 192.1.2.45:500 (using #1) | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #1 "westnet-eastnet" #1: STATE_MAIN_R1: sent MR1, expecting MI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 0 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 10 seconds for #1 | | *received 308 bytes from 192.1.2.45:500 on eth1 (port=500) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_IDPROT (2) | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000 | v1 state object #1 found, in STATE_MAIN_R1 | processing connection westnet-eastnet | DH public value received: | 42 bb a4 76 29 12 78 bc 7c 48 4e 33 08 2e c4 be | 82 d2 93 1b a0 bf d6 95 32 a5 ac 66 ac 18 
d7 1e | af 8f ef 46 85 f0 bc 87 42 32 69 e1 df 1e f2 af | f1 d2 e2 10 fc c9 4a 49 24 54 07 1a c9 b0 c9 75 | 09 39 ba 7f 6c 64 e9 69 c0 d6 ee d4 76 a4 38 74 | fa 0e 25 04 54 14 01 d8 d6 5a e4 2a 2b 54 7f 83 | 7b 9a b1 61 a7 94 34 6b db e3 02 94 ef a1 38 9c | 2f 32 11 10 ac b4 ce 6c 7d 99 41 5d f9 b3 a0 2c | 9e b2 45 ab c5 77 66 96 ba 67 f4 1e 90 3c ff 20 | 39 3f ca 57 9d 5a 4a de f2 9f a5 d8 cd c3 06 7e | a0 d7 82 a2 b3 3a 7e 9a ff 36 30 30 83 1b bf f3 | c8 cc fb ae 11 8f 00 46 90 48 44 e0 54 6d 80 c7 | d6 88 aa 79 ce 52 05 64 a0 8e cb e5 b3 b8 ff 3a | 9b 9b 9e d9 b3 eb 91 7a e5 31 8d 99 14 df be d4 | ed b0 b4 df 5c 7e 39 61 33 a6 98 8b 25 50 e7 96 | 0e fb fe 03 95 8f e4 01 b2 d4 ce 65 c4 0f 7a 7f | inI2: checking NAT-t: 0 and 0 | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do build_kenonce op on seq: 1 (len=2668, pcw_work=1) | crypto helper write of request: cnt=2668@west of kind PPK_PSK | actually looking for secret for @east->@west of kind PPK_PSK | line 8: key type PPK_PSK(@east) to type PPK_RSA | concluding with best_match=0 best=(nil) (lineno=-1) | parent1 type: 7 group: 14 len: 2668 | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do compute dh+iv op on seq: 2 (len=2668, pcw_work=1) | crypto helper write of request: cnt=2668@west of kind PPK_RSA | actually looking for secret for @east->@west of kind PPK_RSA | line 8: key type PPK_RSA(@east) to type PPK_RSA | 1: compared key (none) to @east / @west -> 6 | 2: compared key (none) to @east / @west -> 6 | line 8: match=6 | best_match 0>6 best=0x81442c8 (line=8) | concluding with best_match=6 best=0x81442c8 (lineno=8) | offered CA: '%none' | hashing 336 bytes of SA | required CA is '%any' | trusted_ca called with a=(empty) b=(empty) | key issuer CA is '%any' | an RSA Sig check passed with *AQNzGEFs1 [preloaded key] | authentication succeeded | thinking about whether to send my certificate: | I have RSA key: OAKLEY_RSA_SIG cert.type: CERT_NONE | sendcert: CERT_ALWAYSSEND and I did not 
get a certificate request | so do not send cert. | I did not send a certificate because I do not have one. | hashing 336 bytes of SA | started looking for secret for @east->@west of kind PPK_RSA | actually looking for secret for @east->@west of kind PPK_RSA | line 8: key type PPK_RSA(@east) to type PPK_RSA | 1: compared key (none) to @east / @west -> 6 | 2: compared key (none) to @east / @west -> 6 | line 8: match=6 | best_match 0>6 best=0x81442c8 (line=8) | concluding with best_match=6 best=0x81442c8 (lineno=8) | signing hash with RSA Key *AQN3cn11F | encrypting: | 09 00 00 0c 02 00 00 00 65 61 73 74 00 00 01 04 | 4a a5 53 74 f3 61 f8 47 9b 2e 8f b9 7b 10 e4 a3 | db 48 78 bf 3a d3 00 4a 00 08 11 a5 89 50 0c 51 | 3c 13 c9 e0 a2 a7 21 1b 6c fa c0 78 0b 21 ed e6 | 5d 2b de ca 3c bc ea d2 57 b2 74 0e e4 1a 09 20 | a3 f5 b8 8d 55 bd 69 c0 42 82 86 a5 d2 27 5b 89 | 77 31 d6 dd 7c d4 dd 56 6e 8c ec 65 39 52 2c 7a | 68 38 a3 cb 47 83 7f 83 83 9f 99 92 45 b6 6b e8 | 54 36 57 a5 ad 5b 50 5e c0 6c 43 c3 b3 88 c3 be | d8 28 fb 0a 1b a6 b0 3c 9e fb 0e 89 bc db d3 ae | 9f 56 35 3a 4e 37 8c 4e 6b 4d f1 85 24 22 a0 78 | 9a 76 78 7c df 11 d3 f1 8e 2c 36 70 f5 1f 7e c5 | 9b 5f 63 2b e3 b7 0f 10 f3 d3 c3 27 2e c0 71 ef | 35 39 96 5f 45 7b b9 eb d1 cd 7c c0 8d b9 c8 33 | 46 43 ea e8 40 be 44 0f 37 1d 48 50 eb cf e7 76 | 62 ff d1 79 53 23 c7 48 3f d8 df 4a 61 95 ec 0c | 45 cf cd 59 07 28 63 89 83 ed 71 c8 4a b8 58 34 | IV: | 6b 0c e1 72 3c de 99 1d 1e 03 38 87 a5 a7 53 15 | unpadded size is: 272 | encrypting 272 using OAKLEY_AES_CBC | next IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | last encrypted block of Phase 1: | 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | complete state transition with STF_OK "westnet-eastnet" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3 | sending reply packet to 192.1.2.45:500 (from port 500) | sending 300 bytes for STATE_MAIN_R2 through eth1:500 to 192.1.2.45:500 (using #1) | inserting event EVENT_SA_REPLACE, timeout in 3330 
seconds for #1 "westnet-eastnet" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 0 messages from cryptographic helpers | next event EVENT_SHUNT_SCAN in 54 seconds | | *received 428 bytes from 192.1.2.45:500 on eth1 (port=500) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | v1 peer and cookies match on #1, provided msgid f98d9432 vs 00000000 | v1 state object not found | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000 | v1 state object #1 found, in STATE_MAIN_R3 | processing connection westnet-eastnet | last Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | current Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | computed Phase 2 IV: | b5 32 1b 37 d7 39 45 52 42 4c 9c ac ea 31 a9 43 | 8c df 9f 58 | received encrypted packet from 192.1.2.45:500 | decrypting 400 bytes using algorithm OAKLEY_AES_CBC | decrypted: | 01 00 00 18 b6 45 55 42 08 50 39 c3 5a 78 13 3f | d7 c8 b6 ed 20 46 73 fb 0a 00 00 34 00 00 00 01 | 00 00 00 01 00 00 00 28 00 03 04 01 2d 02 4a 97 | 00 00 00 1c 00 03 00 00 80 03 00 0e 80 04 00 01 | 80 01 00 01 80 02 70 80 80 05 00 01 04 00 00 14 | c2 ed fc bd 40 e0 78 e8 48 b7 dc 26 47 05 42 90 | 05 00 01 04 46 ef 3f 73 0b d2 12 39 e5 cd d1 c3 | 8d 47 4e dc 96 9c 1a e3 cb b7 4c ee 69 4b ca 4d | 0d f2 e1 ce 71 92 38 56 68 97 01 76 c5 52 fe d1 | af 8d 93 60 ba 40 c8 be 72 45 65 66 da 97 83 9b | d6 38 66 d7 b3 b1 07 1f fe 8d df 60 84 f3 c5 76 | 35 91 14 3b c7 b3 36 1c b1 70 cf 64 23 61 f2 c9 | b1 66 31 81 47 58 f1 e7 be eb 18 bf e6 27 73 9d | fa 9d aa c2 7f e0 3d 35 df ab 64 75 06 dd 4d 26 | bd b3 b3 db 3a 81 90 1f a7 01 27 56 77 1c 
40 53 | eb 42 19 00 3d 21 7e 6b 50 62 4b 7e 9a 1f 4b 57 | be da f7 e3 01 06 1a e8 81 39 42 84 77 6a 62 df | ff 0f cc 63 a7 4b 6b 15 47 be 0b 53 d5 a7 2d 05 | ca 01 54 af 21 4b 13 83 74 bb 47 af 39 74 0a 92 | 61 63 0e 51 0c 7c 28 9e b6 3d 87 cd 3d 19 53 e5 | 81 45 80 7e f9 8c 63 68 a1 61 fd e2 b8 98 b2 f7 | 43 19 16 86 88 f0 c1 22 64 bf 83 77 be 81 54 8b | 48 c1 e8 b7 05 00 00 10 04 00 00 00 c0 00 01 00 | ff ff ff 00 00 00 00 10 04 00 00 00 c0 00 02 00 | ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 | next IV: 79 9e 45 f8 9d a2 54 27 03 f0 11 b1 d1 c7 66 65 | HASH(1) computed: | b6 45 55 42 08 50 39 c3 5a 78 13 3f d7 c8 b6 ed | 20 46 73 fb | peer client is subnet 192.0.1.0/24 | peer client protocol/port is 0/0 | our client is subnet 192.0.2.0/24 | our client protocol/port is 0/0 "westnet-eastnet" #1: the peer proposed: 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 | find_client_connection starting with westnet-eastnet | looking for 192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 | concrete checking against sr#0 192.0.2.0/24 -> 192.0.1.0/24 | match_id a=@west | b=@west | results matched | trusted_ca called with a=(empty) b=(empty) | fc_try trying westnet-eastnet:192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 vs westnet-eastnet:192.0.2.0/24:0/0 -> 192.0.1.0/24:0/0 | fc_try concluding with westnet-eastnet [128] | fc_try westnet-eastnet gives westnet-eastnet | concluding with d = westnet-eastnet | duplicating state object #1 | creating state object #2 at 0x8151588 | processing connection westnet-eastnet | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | inserting state object #2 on chain 4 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #2 | DH public value received: | 46 ef 3f 73 0b d2 12 39 e5 cd d1 c3 8d 47 4e dc | 96 9c 1a e3 cb b7 4c ee 69 4b ca 4d 0d f2 e1 ce | 71 92 38 56 68 97 01 76 c5 52 fe d1 af 8d 93 60 | ba 40 c8 be 72 45 65 66 da 97 83 9b d6 38 66 d7 | b3 b1 07 1f fe 8d df 60 84 f3 c5 76 35 91 14 3b | c7 b3 36 1c b1 70 cf 64 23 61 
f2 c9 b1 66 31 81 | 47 58 f1 e7 be eb 18 bf e6 27 73 9d fa 9d aa c2 | 7f e0 3d 35 df ab 64 75 06 dd 4d 26 bd b3 b3 db | 3a 81 90 1f a7 01 27 56 77 1c 40 53 eb 42 19 00 | 3d 21 7e 6b 50 62 4b 7e 9a 1f 4b 57 be da f7 e3 | 01 06 1a e8 81 39 42 84 77 6a 62 df ff 0f cc 63 | a7 4b 6b 15 47 be 0b 53 d5 a7 2d 05 ca 01 54 af | 21 4b 13 83 74 bb 47 af 39 74 0a 92 61 63 0e 51 | 0c 7c 28 9e b6 3d 87 cd 3d 19 53 e5 81 45 80 7e | f9 8c 63 68 a1 61 fd e2 b8 98 b2 f7 43 19 16 86 | 88 f0 c1 22 64 bf 83 77 be 81 54 8b 48 c1 e8 b7 | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do build_kenonce op on seq: 3 (len=2668, pcw_work=1) | crypto helper write of request: cnt=2668@west of kind PPK_PSK | actually looking for secret for @east->@west of kind PPK_PSK | line 8: key type PPK_PSK(@east) to type PPK_RSA | concluding with best_match=0 best=(nil) (lineno=-1) | 0: w->pcw_dead: 0 w->pcw_work: 0 cnt: 1 | asking helper 0 to do compute dh(p2) op on seq: 4 (len=2668, pcw_work=1) | crypto helper write of request: cnt=2668 192.0.2.0/24:0 => tun.1002@192.1.2.23 (raw_eroute) | raw_eroute result=1 | encrypting: | 01 00 00 18 63 8a 46 ba ba 46 6c 1c 03 27 f9 54 | 35 ca ca 88 b8 35 42 a2 0a 00 00 34 00 00 00 01 | 00 00 00 01 00 00 00 28 00 03 04 01 c0 9c 52 41 | 00 00 00 1c 00 03 00 00 80 03 00 0e 80 04 00 01 | 80 01 00 01 80 02 70 80 80 05 00 01 04 00 00 14 | 0a a6 1b 7f 9d da 0b b5 11 a5 6c ab c1 b1 6a f5 | 05 00 01 04 28 57 32 29 67 55 da bc 2b 42 50 19 | de 57 46 98 95 75 b9 43 10 36 af 1b ed 15 ec 38 | ca ae 76 9c 82 60 27 44 f9 f9 83 48 08 b5 a7 50 | c0 7d 67 7d d2 26 64 58 5a 34 4f cc ef bb ca 96 | 3d 5d dd 71 72 d3 c2 60 26 2c 6e 3f 23 87 35 e0 | b4 4a 50 4f 35 b6 98 ea bd d3 e5 9f 02 b2 21 c6 | aa 6b c7 31 ea a2 f5 36 15 d4 c7 a4 97 3c 69 88 | 0f 77 5b fc 3e 6f 96 85 9c e3 5c 2c b5 9e c3 39 | 25 f2 19 0d 4b fb f4 f6 fa ad 1d 0e 9e df fe f2 | c3 2c 06 88 f4 94 0c b3 46 cc 09 e4 d8 51 5f 97 | b1 ba ab e5 12 96 56 85 af 7b af 27 31 8f 6c 4f | 0c 9a ff c0 3a 75 ba 55 3b 05 bb b0 
6b c9 e3 a5 | 5e 02 fd ed 77 ae 6d 13 39 e8 92 cf 88 3f e8 fa | a7 b9 ce 01 36 79 fb f3 af c5 a9 6c 7d 26 ae fe | 2a 4a e9 7e e7 37 e1 6f bd 23 79 cc f9 ad de 8a | 2a ee 64 2b 93 d8 d0 85 0a c9 82 a9 ce 21 6b 45 | 74 bc 50 e7 05 00 00 10 04 00 00 00 c0 00 01 00 | ff ff ff 00 00 00 00 10 04 00 00 00 c0 00 02 00 | ff ff ff 00 | IV: | 79 9e 45 f8 9d a2 54 27 03 f0 11 b1 d1 c7 66 65 | unpadded size is: 388 | encrypting 400 using OAKLEY_AES_CBC | next IV: 42 0f 7f 12 86 6e f5 d8 52 a1 59 71 cd 6f 93 16 | finished processing quick inI1 | complete state transition with STF_OK "westnet-eastnet" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1 | sending reply packet to 192.1.2.45:500 (from port 500) | sending 428 bytes for STATE_QUICK_R0 through eth1:500 to 192.1.2.45:500 (using #2) | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #2 "westnet-eastnet" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 1 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 10 seconds for #2 | | *received 60 bytes from 192.1.2.45:500 on eth1 (port=500) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_QUICK (32) | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | v1 peer and cookies match on #2, provided msgid f98d9432 vs f98d9432 | v1 state object #2 found, in STATE_QUICK_R1 | processing connection westnet-eastnet | received encrypted packet from 192.1.2.45:500 | decrypting 32 bytes using algorithm OAKLEY_AES_CBC | decrypted: | 00 00 00 18 ef d4 33 7e 0a a8 bb 4f ff 8b 6f 18 | 32 4e d5 1c ed 51 4b 1a 00 00 00 00 00 00 00 00 | next IV: 82 2b 4c 19 ba 07 91 dc bc c6 a6 e6 98 4f 82 28 | HASH(3) computed: ef d4 33 7e 0a a8 bb 4f ff 8b 6f 18 32 4e d5 1c | HASH(3) computed: ed 51 4b 1a | install_ipsec_sa() for #2: outbound only | route owner of "westnet-eastnet" unrouted: 
NULL; eroute owner: NULL | could_route called for westnet-eastnet (kind=CK_PERMANENT) | sr for #2: unrouted | route owner of "westnet-eastnet" unrouted: NULL; eroute owner: NULL | route_and_eroute with c: westnet-eastnet (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 2 | eroute_connection add eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => tun.1001@192.1.2.45 (raw_eroute) | raw_eroute result=1 | command executing up-client | trusted_ca called with a=(empty) b=(empty) | executing up-client: 2>&1 PLUTO_VERB='up-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='ipsec0' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='klips' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW' PLUTO_XAUTH_USERNAME='' ipsec _updown | route_and_eroute: firewall_notified: true | command executing prepare-client | trusted_ca called with a=(empty) b=(empty) | executing prepare-client: 2>&1 PLUTO_VERB='prepare-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='ipsec0' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='klips' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW' PLUTO_XAUTH_USERNAME='' ipsec _updown | command executing route-client | 
trusted_ca called with a=(empty) b=(empty) | executing route-client: 2>&1 PLUTO_VERB='route-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='ipsec0' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='klips' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW' PLUTO_XAUTH_USERNAME='' ipsec _updown | route_and_eroute: instance "westnet-eastnet", setting eroute_owner {spd=0x81414e0,sr=0x81414e0} to #2 (was #0) (newest_ipsec_sa=#0) | inI2: instance westnet-eastnet[0], setting newest_ipsec_sa to #2 (was #0) (spd.eroute=#2) | complete state transition with STF_OK "westnet-eastnet" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2 | inserting event EVENT_SA_REPLACE, timeout in 28530 seconds for #2 "westnet-eastnet" #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x2d024a97 <0xc09c5241 xfrm=3DES_0-HMAC_MD5 NATOA= NATD=:500 DPD=enabled} | modecfg pull: noquirk policy:push not-client | phase 1 is done, looking for phase 2 to unpend | * processed 0 messages from cryptographic helpers | next event EVENT_SHUNT_SCAN in 53 seconds | | *received 76 bytes from 192.1.2.45:500 on eth1 (port=500) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | peer and cookies match on #2, provided msgid 00000000 vs f98d9432/00000000 | peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000 | p15 state object #1 found, in STATE_MAIN_R3 | processing connection westnet-eastnet | last Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c 
c5 72 8d c2 | current Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | computed Phase 2 IV: | e6 97 6f c8 45 61 f7 55 7b 09 4f a3 f8 6d 42 f4 | 73 d2 ce d3 | received encrypted packet from 192.1.2.45:500 | decrypting 48 bytes using algorithm OAKLEY_AES_CBC | decrypted: | 0c 00 00 18 55 a0 13 a5 77 c9 9e 43 98 44 ec f2 | 7b a1 09 17 84 31 57 b1 00 00 00 10 00 00 00 01 | 03 04 00 01 2d 02 4a 97 00 00 00 00 00 00 00 00 | next IV: 70 e8 85 f9 e9 d0 04 dd 17 bb ba 13 0e f3 a2 d6 | processing connection westnet-eastnet "westnet-eastnet" #1: received Delete SA(0x2d024a97) payload: deleting IPSEC State #2 | deleting state #2 | processing connection westnet-eastnet | HASH(1) computed: | 54 44 6b 4f 74 de 8d ae fa d9 d4 0f f9 92 85 a1 | 0c ef 70 ce | last Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | current Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | computed Phase 2 IV: | 42 06 58 7b 81 bd 37 6a 09 c8 6d c3 52 9f 9b b2 | 55 6a 17 02 | encrypting: | 0c 00 00 18 54 44 6b 4f 74 de 8d ae fa d9 d4 0f | f9 92 85 a1 0c ef 70 ce 00 00 00 10 00 00 00 01 | 03 04 00 01 c0 9c 52 41 | IV: | 42 06 58 7b 81 bd 37 6a 09 c8 6d c3 52 9f 9b b2 | 55 6a 17 02 | unpadded size is: 40 | encrypting 48 using OAKLEY_AES_CBC | next IV: bf 3f 16 f9 81 c3 17 f5 41 66 48 51 4c 06 8b f6 | sending 76 bytes for delete notify through eth1:500 to 192.1.2.45:500 (using #1) | no suspended cryptographic state for 2 | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | command executing down-client | trusted_ca called with a=(empty) b=(empty) | executing down-client: 2>&1 PLUTO_VERB='down-client' PLUTO_VERSION='2.0' PLUTO_CONNECTION='westnet-eastnet' PLUTO_INTERFACE='ipsec0' PLUTO_NEXT_HOP='192.1.2.45' PLUTO_ME='192.1.2.23' PLUTO_MY_ID='@east' PLUTO_MY_CLIENT='192.0.2.0/24' PLUTO_MY_CLIENT_NET='192.0.2.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_PEER='192.1.2.45' PLUTO_PEER_ID='@west' 
PLUTO_PEER_CLIENT='192.0.1.0/24' PLUTO_PEER_CLIENT_NET='192.0.1.0' PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='klips' PLUTO_CONN_POLICY='RSASIG+ENCRYPT+TUNNEL+PFS+IKEv2ALLOW' PLUTO_XAUTH_USERNAME='' ipsec _updown "westnet-eastnet" #1: received and ignored informational message | complete state transition with STF_IGNORE | * processed 0 messages from cryptographic helpers | next event EVENT_SHUNT_SCAN in 53 seconds | | *received 92 bytes from 192.1.2.45:500 on eth1 (port=500) | processing version=1.0 packet with exchange type=ISAKMP_XCHG_INFO (5) | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | peer and cookies match on #1, provided msgid 00000000 vs 00000000/00000000 | p15 state object #1 found, in STATE_MAIN_R3 | processing connection westnet-eastnet | last Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | current Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | computed Phase 2 IV: | 19 12 de c3 7c f5 16 16 54 7e 1c 96 d0 aa 88 7e | cb 0c 20 43 | received encrypted packet from 192.1.2.45:500 | decrypting 64 bytes using algorithm OAKLEY_AES_CBC | decrypted: | 0c 00 00 18 d3 00 99 b1 c9 3d d9 3a ab 5b a1 be | 3e ab e3 33 b8 0e 2c ce 00 00 00 1c 00 00 00 01 | 01 10 00 01 f3 8b f8 08 3a fc b7 9c 8b 14 41 08 | 19 7c f5 87 00 00 00 00 00 00 00 00 00 00 00 00 | next IV: 64 dd e1 4a 4f 6f 8b 80 ff f3 de cb f3 f6 9d 09 | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | v1 peer and cookies match on #1, provided msgid 00000000 vs 00000000 | v1 state object #1 found, in STATE_MAIN_R3 | processing connection westnet-eastnet "westnet-eastnet" #1: received Delete SA payload: deleting ISAKMP State #1 | deleting state #1 | processing connection westnet-eastnet | HASH(1) computed: | fb 09 e9 ab a5 ae 96 6c 15 3d d9 6d 7a 3f 49 7c | 77 b0 75 02 | last Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 
8d c2 | current Phase 1 IV: 04 4d 63 08 a0 05 5b bf 0d 16 08 9c c5 72 8d c2 | computed Phase 2 IV: | 75 b1 f0 6b 01 5b d6 cc 71 6d dc d4 0b bc 6f 9d | 46 61 c7 13 | encrypting: | 0c 00 00 18 fb 09 e9 ab a5 ae 96 6c 15 3d d9 6d | 7a 3f 49 7c 77 b0 75 02 00 00 00 1c 00 00 00 01 | 01 10 00 01 f3 8b f8 08 3a fc b7 9c 8b 14 41 08 | 19 7c f5 87 | IV: | 75 b1 f0 6b 01 5b d6 cc 71 6d dc d4 0b bc 6f 9d | 46 61 c7 13 | unpadded size is: 52 | encrypting 64 using OAKLEY_AES_CBC | next IV: 15 d4 29 85 c7 e4 c9 7f b9 dc d0 3c 59 49 36 27 | sending 92 bytes for delete notify through eth1:500 to 192.1.2.45:500 (using #1) | no suspended cryptographic state for 1 | ICOOKIE: f3 8b f8 08 3a fc b7 9c | RCOOKIE: 8b 14 41 08 19 7c f5 87 | state hash entry 4 | unreference key: 0x813f870 @west cnt 2-- packet from 192.1.2.45:500: received and ignored informational message | complete state transition with STF_IGNORE | * processed 0 messages from cryptographic helpers | next event EVENT_SHUNT_SCAN in 53 seconds | | *received kernel message | pfkey_async: SADB_ACQUIRE len=29, errno=0, satype=3, seq=1, pid=0 | find_connection: looking for policy for connection: 192.0.2.1:0/0 -> 192.0.1.1:0/0 | find_connection: conn "westnet-eastnet" has compatible peers: 192.0.2.0/24 -> 192.0.1.0/24 [pri: 12632077] | find_connection: comparing best "westnet-eastnet" [pri:12632077]{0x8141498} (child none) to "westnet-eastnet" [pri:12632077]{0x8141498} (child none) | find_connection: concluding with "westnet-eastnet" [pri:12632077]{0x8141498} kind=CK_PERMANENT | assign hold, routing was prospective erouted, needs to be erouted HOLD | eroute_connection replace %trap with broad %hold eroute 192.0.2.0/24:0 --0-> 192.0.1.0/24:0 => %hold (raw_eroute) | raw_eroute result=1 | delete narrow %hold eroute 192.0.2.1/32:0 --0-> 192.0.1.1/32:0 => %hold (raw_eroute) | raw_eroute result=1 initiate on demand from 192.0.2.1:0 to 192.0.1.1:0 proto=0 state: fos_start because: acquire | creating state object #3 at 0x8150bc0 | 
processing connection westnet-eastnet | ICOOKIE: 53 2b 6f db 28 d2 89 b6 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 3 | inserting state object #3 on chain 3 | inserting event EVENT_SO_DISCARD, timeout in 0 seconds for #3 | processing connection westnet-eastnet | Queuing pending Quick Mode with 192.1.2.45 "westnet-eastnet" "westnet-eastnet" #3: initiating Main Mode | no IKE algorithms for this connection | sending 404 bytes for main_outI1 through eth1:500 to 192.1.2.45:500 (using #3) | inserting event EVENT_RETRANSMIT, timeout in 10 seconds for #3 | * processed 0 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 10 seconds for #3 | | *received whack message | kernel_alg_esp_auth_keylen(auth=1, sadb_aalg=2): a_keylen=16 | * processed 0 messages from cryptographic helpers | next event EVENT_RETRANSMIT in 6 seconds for #3 east:~# : ==== tuc ==== east:~# if [ -f /tmp/core ]; then echo CORE FOUND; mv /tmp/core /var/tmp; fi east:~# : ==== end ==== east:~# ipsec setup stop IPSEC EVENT: KLIPS device ipsec0 shut down. ipsec_setup: Stopping Libreswan IPsec... east:~# kill `cat /var/run/klogd.pid`; cat /tmp/klog.log klogd 1.3-3#33.1, log source = /proc/kmsg started. <5>Linux version 2.6.18.6 (antony@cyclops) (gcc version 4.1.2 20061115 (prerelease) (Debian 4.1.1-21)) #1 Mon Jan 14 16:26:00 EST 2008 <7>On node 0 totalpages: 8192 <7> DMA zone: 8192 pages, LIFO batch:1 <4>Built 1 zonelists. 
Total pages: 8192 <5>Kernel command line: initrd=/btmp/antony/ikev2/2008_01_14/UMLPOOL/initrd.uml umlroot=/btmp/antony/ikev2/2008_01_14/UMLPOOL/east/root root=/dev/ram0 rw ssl=pty eth0=daemon,10:00:00:dc:bc:ff,unix,/tmp/umlN7rfs9.d/east/ctl,/tmp/umlN7rfs9.d/east/data eth1=daemon,10:00:00:64:64:23,unix,/tmp/umlN7rfs9.d/public/ctl,/tmp/umlN7rfs9.d/public/data eth2=daemon,10:00:00:32:64:23,unix,/tmp/umlN7rfs9.d/admin/ctl,/tmp/umlN7rfs9.d/admin/data init=/linuxrc single <4>PID hash table entries: 256 (order: 8, 1024 bytes) <4>Dentry cache hash table entries: 4096 (order: 2, 16384 bytes) <4>Inode-cache hash table entries: 2048 (order: 1, 8192 bytes) <6>Memory: 27292k available <7>Calibrating delay loop... 3827.30 BogoMIPS (lpj=19136512) <4>Mount-cache hash table entries: 512 <4>Checking for host processor cmov support...Yes <4>Checking for host processor xmm support...No <4>Checking that host ptys support output SIGIO...Yes <4>Checking that host ptys support SIGIO on close...No, enabling workaround <6>checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd <4>Freeing initrd memory: 1212k freed <4>Using 2.6 host AIO <6>NET: Registered protocol family 16 <6>NET: Registered protocol family 2 <4>IP route cache hash table entries: 256 (order: -2, 1024 bytes) <4>TCP established hash table entries: 1024 (order: 0, 4096 bytes) <4>TCP bind hash table entries: 512 (order: -1, 2048 bytes) <6>TCP: Hash tables configured (established 1024 bind 512) <6>TCP reno registered <6>klips_info:ipsec_init: KLIPS startup, Libreswan KLIPS IPsec stack version: 2.5.testing-g70d71a2f-dirty <6>NET: Registered protocol family 15 <6>klips_info:ipsec_alg_init: KLIPS alg v=0.8.1-0 (EALG_MAX=255, AALG_MAX=251) <6>klips_info:ipsec_alg_init: calling ipsec_alg_static_init() <4>ipsec_aes_init(alg_type=15 alg_id=12 name=aes): ret=0 <4>ipsec_aes_init(alg_type=14 alg_id=9 name=aes_mac): ret=0 <4>ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0 <4>daemon_setup : Ignoring 
data socket specification <6>Netdevice 0 (10:00:00:dc:bc:ff) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/east/ctl <4>daemon_setup : Ignoring data socket specification <6>Netdevice 1 (10:00:00:64:64:23) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/public/ctl <4>daemon_setup : Ignoring data socket specification <6>Netdevice 2 (10:00:00:32:64:23) : daemon backend (uml_switch version 3) - unix:/tmp/umlN7rfs9.d/admin/ctl <4>Checking host MADV_REMOVE support...OK <4>mconsole (version 2) initialized on /home/antony/.uml/east/mconsole <6>Host TLS support detected <6>Detected host type: i386 <5>VFS: Disk quotas dquot_6.5.1 <4>Dquot-cache hash table entries: 1024 (order 0, 4096 bytes) <6>Initializing Cryptographic API <6>io scheduler noop registered <6>io scheduler anticipatory registered (default) <6>io scheduler deadline registered <6>io scheduler cfq registered <4>RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize <6>loop: loaded (max 8 devices) <6>nbd: registered device at major 43 <6>PPP generic driver version 2.4.2 <6>SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256). <6>tun: Universal TUN/TAP device driver, 1.6 <6>tun: (C) 1999-2004 Max Krasnyansky <4>Netfilter messages via NETLINK v0.30. <6>IPv4 over IPv4 tunneling driver <6>GRE over IPv4 tunneling driver <4>ip_conntrack version 2.4 (213 buckets, 1704 max) - 204 bytes per conntrack <4>ip_tables: (C) 2000-2006 Netfilter Core Team <4>arp_tables: (C) 2002 David S. 
Miller <6>TCP bic registered <6>TCP cubic registered <6>TCP westwood registered <6>TCP highspeed registered <6>TCP hybla registered <6>TCP htcp registered <6>TCP vegas registered <6>TCP scalable registered <6>NET: Registered protocol family 1 <6>NET: Registered protocol family 17 <6>Initialized stdio console driver <4>Console initialized on /dev/tty0 <6>Initializing software serial port version 1 <4>Failed to open 'root_fs', errno = 2 <5>RAMDISK: cramfs filesystem found at block 0 <5>RAMDISK: Loading 1212KiB [1 disk] into ram disk... |/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\|/-\done. <4>VFS: Mounted root (cramfs filesystem) readonly. <6>line_ioctl: tty0: ioctl KDSIGACCEPT called <4> <2>IPSEC EVENT: KLIPS device ipsec0 shut down. <4> Kernel logging (proc) stopped. Kernel log daemon terminating. east:~# halt -p -f System halted.