Electric Fence 2.1 Copyright (C) 1987-1998 Bruce Perens. ../parentR2 ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0) ../parentR2 ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) ../parentR2 ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0) ../parentR2 ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) ../parentR2 ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) ../parentR2 ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) ../parentR2 ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) | interface "eth0" matched right side ../parentR2 added connection description "westnet--eastnet-ikev2" | base debugging = crypt+control+controlmore RC=0 "westnet--eastnet-ikev2": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.2.45<192.1.2.45>[@west]===192.0.1.0/24; unrouted; eroute owner: #0 RC=0 "westnet--eastnet-ikev2": myip=unset; hisip=unset; RC=0 "westnet--eastnet-ikev2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 RC=0 "westnet--eastnet-ikev2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_DISABLE+IKEv2ALLOW+IKEV2_PROPOSE; prio: 24,24; interface: eth0; RC=0 "westnet--eastnet-ikev2": newest ISAKMP SA: #0; newest IPsec SA: #0; | *received 508 bytes from 192.1.2.45:500 on eth0 (port=500) | 00 01 02 03 04 05 06 07 00 00 00 00 00 00 00 00 | 21 20 22 08 00 00 00 00 00 00 01 fc 22 80 00 f4 | 02 00 00 28 01 01 00 04 03 00 00 08 01 00 00 0c | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 05 02 00 00 28 02 01 00 04 | 03 00 00 08 01 00 00 0c 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05 | 02 00 00 28 03 01 00 04 03 00 00 08 01 00 00 03 | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 05 02 00 00 28 04 01 00 04 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 05 | 02 00 00 28 05 01 00 04 03 00 00 08 01 00 00 03 | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 02 00 00 00 28 06 01 00 04 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 03 00 00 08 02 00 00 01 00 00 00 08 04 00 00 02 | 28 00 00 c8 00 05 00 00 ff bc 6a 92 a6 b9 55 9b | 05 fa 96 a7 a4 35 07 b4 c1 e1 c0 86 1a 58 71 d9 | ba 73 a1 63 11 37 88 c0 de bb 39 79 e7 ff 0c 52 | b4 ce 60 50 eb 05 36 9e a4 30 0d 2b ff 3b 1b 29 | 9f 3b 80 2c cb 13 31 8c 2a b9 e3 b5 62 7c b4 b3 | 5e b9 39 98 20 76 b5 7c 05 0d 7b 35 c3 c5 c7 cc | 8c 0f ea b7 b6 4a 7d 7b 6b 8f 6b 4d ab f4 ac 40 | 6d d2 01 26 b9 0a 98 ac 76 6e fa 37 a7 89 0c 43 | 94 ff 9a 77 61 5b 58 f5 2d 65 1b bf a5 8d 2a 54 | 9a f8 b0 1a a4 bc a3 d7 62 42 66 63 b1 55 d4 eb | da 9f 60 a6 a1 35 73 e6 a8 88 13 5c dc 67 3d d4 | 83 02 99 03 f3 a9 0e ca 23 e1 ec 1e 27 03 31 b2 | d0 50 f4 f7 58 f4 99 27 2b 80 00 14 b5 ce 84 19 | 09 5c 6e 2b 6b 62 d3 05 53 05 b3 c4 00 00 00 10 | 4f 45 VENDOR | processing version=2.0 packet with exchange type=ISAKMP_v2_SA_INIT (34) | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | v2 state object not found | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | v2 state object not found | find_host_connection called from ikev2parent_inI1outR1, me=192.1.2.23:500 him=192.1.2.45:500 policy=IKEv2ALLOW | find_host_pair: comparing to 192.1.2.23:500 192.1.2.45:500 | find_host_pair_conn (find_host_connection2): 192.1.2.23:500 192.1.2.45:500 -> hp:westnet--eastnet-ikev2 | searching for policy=IKEv2ALLOW, found=IKEv2ALLOW (westnet--eastnet-ikev2) | find_host_connection returns westnet--eastnet-ikev2 | found connection: westnet--eastnet-ikev2 | creating state object #1 at ADDR | interface "eth0" matched right side | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | inserting state object #1 on chain 4 | complete v2 state transition with STF_SUSPEND | ikev2 parent inI1outR1: calculated ke+nonce, sending R1 | no IKE algorithms for this connection | DH public value received: | ff bc 6a 92 a6 b9 55 9b 05 fa 96 a7 a4 35 07 b4 | c1 e1 c0 86 1a 58 71 d9 ba 73 a1 63 11 37 88 c0 | de bb 39 79 e7 ff 0c 52 b4 ce 60 50 eb 05 36 9e | a4 30 0d 2b ff 3b 1b 29 9f 3b 80 2c cb 13 31 8c | 2a b9 e3 b5 62 7c b4 b3 5e b9 39 98 20 76 b5 7c | 05 0d 7b 35 c3 c5 c7 cc 8c 0f ea b7 b6 4a 7d 7b | 6b 8f 6b 4d ab f4 ac 40 6d d2 01 26 b9 0a 98 ac | 76 6e fa 37 a7 89 0c 43 94 ff 9a 77 61 5b 58 f5 | 2d 65 1b bf a5 8d 2a 54 9a f8 b0 1a a4 bc a3 d7 | 62 42 66 63 b1 55 d4 eb da 9f 60 a6 a1 35 73 e6 | a8 88 13 5c dc 67 3d d4 83 02 99 03 f3 a9 0e ca | 23 e1 ec 1e 27 03 31 b2 d0 50 f4 f7 58 f4 99 27 | complete v2 state transition with STF_OK ../parentR2 transition from state STATE_IKEv2_START to state STATE_PARENT_R1 ../parentR2 STATE_PARENT_R1: received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_128 integ=sha1 prf=oakley_sha group=modp1536} | sending reply packet to 192.1.2.45:500 (from port 500) sending 308 bytes for STATE_IKEv2_START through eth0:500 to 192.1.2.45:500 (using #1) | 00 01 02 03 04 05 06 07 c0 2e 7a 30 31 a0 31 88 | 21 20 22 20 00 00 00 00 00 00 01 34 22 80 00 2c | 00 00 00 28 01 01 00 04 03 00 00 08 01 00 00 0c | 03 00 00 08 03 00 00 02 03 00 00 08 02 00 00 02 | 00 00 00 08 04 00 00 05 28 00 00 c8 00 05 00 00 | cd 30 df 6e c0 85 44 12 53 01 80 d8 7e 1a fb b3 | 26 79 3e 99 56 c8 6a 96 25 53 c2 77 ad 5b ab 50 | f8 32 5a d8 64 0b 0e fe a5 1d 6c 83 1f a1 7c fb | 0f 2e 1a f4 b1 66 a0 fe 30 75 12 ad 0f 81 ab b8 | aa fb 68 48 ec 10 a4 97 6c 3d b1 17 ec e1 e6 61 | db bf 48 0c 28 2e 3f 11 07 c1 86 42 80 1e e8 3f | 9e 4a b9 ab 63 6f 23 7d aa f6 a7 aa d8 22 99 3e | a4 1e a3 31 ee 27 82 0b 93 f5 0b 8f 3f 71 05 61 | c9 25 70 26 97 ba 6b 1e 95 3c 21 fb c9 a7 7d 2b | 5f 87 3c fc 50 99 e7 7d 48 4c dd 52 66 4b cf 0d | bf 00 ca fd ae 6d e7 14 6d 11 35 f6 5d 93 5f 60 | b9 73 0f e0 49 2c 2a f8 c9 04 f6 4c 59 16 90 9d | 2b 80 00 14 47 e9 f9 25 8c a2 38 58 f6 75 b1 66 | b0 2c c2 92 00 00 00 10 4f 45 70 6c 75 74 6f 75 | 6e 69 74 30 | *received 476 bytes from 192.1.2.45:500 on eth0 (port=500) | 00 01 02 03 04 05 06 07 c0 2e 7a 30 31 a0 31 88 | 2e 20 23 08 00 00 00 01 00 00 01 dc 23 80 01 c0 | 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | 19 15 f1 05 5d 13 fc 7c f5 6b 16 12 a6 e9 10 34 | b0 78 7d a5 df 6a d3 76 27 49 3e d4 ae ca bf 5f | fd 1b b0 55 64 fa 3d a7 32 85 61 85 95 6b 81 d9 | b7 e1 85 00 40 87 dd cd 35 84 f9 a9 0f ea 78 b2 | 79 53 10 cf 54 d3 03 e6 23 75 81 8d 53 dd 1d 30 | 38 d5 6e 20 5b a1 08 63 1f 5a 7b 8d c7 6f 5c a9 | b4 69 72 43 f4 09 a0 6e 08 6e 36 00 69 10 a0 a5 | 31 49 5a 59 66 46 94 a0 ab 6f 8c f6 25 7e 02 8a | d4 69 66 4a eb 5f 42 d5 76 7f 68 db 1f df a5 b3 | c3 fe d6 5a 3d 92 5b 51 21 08 c8 7d 47 e8 74 e7 | db 91 23 b8 7f 1c 14 d2 f7 f8 46 c0 7e 89 9f ea | 75 37 06 75 1b 74 a9 2a 3e 6f 94 cb 7b af 56 8f | cd 70 58 b4 ec 6d b6 ef 07 02 40 11 f0 65 80 1d | f9 7d 5b bd 57 61 a4 8c f6 3e 87 41 49 a8 79 c5 | ba 7e cb 85 70 2a a8 17 20 48 ca c2 1e 8c 95 9f | c6 41 2f c2 4d 20 00 13 b9 10 1c 82 bc 70 04 3a | 07 52 7e 8a 4d 3f 76 0e 68 59 9c 1b a3 32 fa 04 | 49 05 4d fa b7 1b 53 f1 5b 3f 73 20 15 02 83 e4 | ef 80 c6 c7 a1 89 d6 ce 42 3c 3e 05 0e 57 f2 ef | e8 d8 4b 0b 69 87 fb 29 ee f7 43 52 33 1b 60 11 | 91 44 13 9f 5d 8b a1 f8 7a de 4c f6 be de de b0 | 44 59 e3 ef e8 a0 26 03 24 6a 3c 6b 68 c9 f9 83 | ff 5f 70 6b 2e 90 f5 f7 58 82 3e 20 cf eb 4d 33 | dd 83 a6 7a 18 72 4c 25 72 2a b6 46 13 10 19 1d | 52 bf d7 83 e3 a2 1b 38 f0 5e b0 33 87 95 bc ff | 95 d6 fd 53 b0 0a 3e 72 9a b2 fd c9 33 38 62 ec | ab ae c0 9d 32 ff e4 cb ff 74 5b 1a | processing version=2.0 packet with exchange type=ISAKMP_v2_AUTH (35) | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: c0 2e 7a 30 31 a0 31 88 | state hash entry 30 | v2 state object not found | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | v2 peer and cookies match on #1 | v2 state object #1 found, in STATE_PARENT_R1 | ikev2 parent inI2outR2: calculating g^{xy} in order to decrypt I2 | complete v2 state transition with STF_SUSPEND | ikev2 parent inI2outR2: calculating g^{xy}, sending R2 | ikev2 I 0x0001020304050607 0xc02e7a3031a03188 sha1:0x4ea8e662b07cdd430f6944c6723e4b82d5722418 aes128:0x3f44bf47cafd8150591deb088199fcbf | ikev2 R 0x0001020304050607 0xc02e7a3031a03188 sha1:0x515b0bd22e6d76b34fdb760aa7bfad80b109b75d aes128:0xbedb67ec7dc3d00cccac42e70cd63bde | data being hmac: 00 01 02 03 04 05 06 07 c0 2e 7a 30 31 a0 31 88 | 2e 20 23 08 00 00 00 01 00 00 01 dc 23 80 01 c0 | 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | 19 15 f1 05 5d 13 fc 7c f5 6b 16 12 a6 e9 10 34 | b0 78 7d a5 df 6a d3 76 27 49 3e d4 ae ca bf 5f | fd 1b b0 55 64 fa 3d a7 32 85 61 85 95 6b 81 d9 | b7 e1 85 00 40 87 dd cd 35 84 f9 a9 0f ea 78 b2 | 79 53 10 cf 54 d3 03 e6 23 75 81 8d 53 dd 1d 30 | 38 d5 6e 20 5b a1 08 63 1f 5a 7b 8d c7 6f 5c a9 | b4 69 72 43 f4 09 a0 6e 08 6e 36 00 69 10 a0 a5 | 31 49 5a 59 66 46 94 a0 ab 6f 8c f6 25 7e 02 8a | d4 69 66 4a eb 5f 42 d5 76 7f 68 db 1f df a5 b3 | c3 fe d6 5a 3d 92 5b 51 21 08 c8 7d 47 e8 74 e7 | db 91 23 b8 7f 1c 14 d2 f7 f8 46 c0 7e 89 9f ea | 75 37 06 75 1b 74 a9 2a 3e 6f 94 cb 7b af 56 8f | cd 70 58 b4 ec 6d b6 ef 07 02 40 11 f0 65 80 1d | f9 7d 5b bd 57 61 a4 8c f6 3e 87 41 49 a8 79 c5 | ba 7e cb 85 70 2a a8 17 20 48 ca c2 1e 8c 95 9f | c6 41 2f c2 4d 20 00 13 b9 10 1c 82 bc 70 04 3a | 07 52 7e 8a 4d 3f 76 0e 68 59 9c 1b a3 32 fa 04 | 49 05 4d fa b7 1b 53 f1 5b 3f 73 20 15 02 83 e4 | ef 80 c6 c7 a1 89 d6 ce 42 3c 3e 05 0e 57 f2 ef | e8 d8 4b 0b 69 87 fb 29 ee f7 43 52 33 1b 60 11 | 91 44 13 9f 5d 8b a1 f8 7a de 4c f6 be de de b0 | 44 59 e3 ef e8 a0 26 03 24 6a 3c 6b 68 c9 f9 83 | ff 5f 70 6b 2e 90 f5 f7 58 82 3e 20 cf eb 4d 33 | dd 83 a6 7a 18 72 4c 25 72 2a b6 46 13 10 19 1d | 52 bf d7 83 e3 a2 1b 38 f0 5e b0 33 87 95 bc ff | 95 d6 fd 53 b0 0a 3e 72 9a b2 fd c9 33 38 62 ec | R2 calculated auth: ab ae c0 9d 32 ff e4 cb ff 74 5b 1a | R2 provided auth: ab ae c0 9d 32 ff e4 cb ff 74 5b 1a | authenticator matched | data before decryption: | 19 15 f1 05 5d 13 fc 7c f5 6b 16 12 a6 e9 10 34 | b0 78 7d a5 df 6a d3 76 27 49 3e d4 ae ca bf 5f | fd 1b b0 55 64 fa 3d a7 32 85 61 85 95 6b 81 d9 | b7 e1 85 00 40 87 dd cd 35 84 f9 a9 0f ea 78 b2 | 79 53 10 cf 54 d3 03 e6 23 75 81 8d 53 dd 1d 30 | 38 d5 6e 20 5b a1 08 63 1f 5a 7b 8d c7 6f 5c a9 | b4 69 72 43 f4 09 a0 6e 08 6e 36 00 69 10 a0 a5 | 31 49 5a 59 66 46 94 a0 ab 6f 8c f6 25 7e 02 8a | d4 69 66 4a eb 5f 42 d5 76 7f 68 db 1f df a5 b3 | c3 fe d6 5a 3d 92 5b 51 21 08 c8 7d 47 e8 74 e7 | db 91 23 b8 7f 1c 14 d2 f7 f8 46 c0 7e 89 9f ea | 75 37 06 75 1b 74 a9 2a 3e 6f 94 cb 7b af 56 8f | cd 70 58 b4 ec 6d b6 ef 07 02 40 11 f0 65 80 1d | f9 7d 5b bd 57 61 a4 8c f6 3e 87 41 49 a8 79 c5 | ba 7e cb 85 70 2a a8 17 20 48 ca c2 1e 8c 95 9f | c6 41 2f c2 4d 20 00 13 b9 10 1c 82 bc 70 04 3a | 07 52 7e 8a 4d 3f 76 0e 68 59 9c 1b a3 32 fa 04 | 49 05 4d fa b7 1b 53 f1 5b 3f 73 20 15 02 83 e4 | ef 80 c6 c7 a1 89 d6 ce 42 3c 3e 05 0e 57 f2 ef | e8 d8 4b 0b 69 87 fb 29 ee f7 43 52 33 1b 60 11 | 91 44 13 9f 5d 8b a1 f8 7a de 4c f6 be de de b0 | 44 59 e3 ef e8 a0 26 03 24 6a 3c 6b 68 c9 f9 83 | ff 5f 70 6b 2e 90 f5 f7 58 82 3e 20 cf eb 4d 33 | dd 83 a6 7a 18 72 4c 25 72 2a b6 46 13 10 19 1d | 52 bf d7 83 e3 a2 1b 38 f0 5e b0 33 87 95 bc ff | 95 d6 fd 53 b0 0a 3e 72 9a b2 fd c9 33 38 62 ec | decrypted payload: 27 00 00 0c 02 00 00 00 77 65 73 74 21 00 00 c8 | 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 2c 80 00 94 02 00 00 24 01 03 04 03 | 12 34 56 78 03 00 00 08 01 00 00 0c 03 00 00 08 | 03 00 00 02 00 00 00 08 05 00 00 00 02 00 00 24 | 02 03 04 03 12 34 56 78 03 00 00 08 01 00 00 0c | 03 00 00 08 03 00 00 02 00 00 00 08 05 00 00 00 | 02 00 00 24 03 03 04 03 12 34 56 78 03 00 00 08 | 01 00 00 03 03 00 00 08 03 00 00 02 00 00 00 08 | 05 00 00 00 00 00 00 24 04 03 04 03 12 34 56 78 | 03 00 00 08 01 00 00 03 03 00 00 08 03 00 00 02 | 00 00 00 08 05 00 00 00 2d 00 00 18 01 00 00 00 | 07 00 00 10 00 00 ff ff c0 00 01 00 c0 00 01 ff | 00 00 00 18 01 00 00 00 07 00 00 10 00 00 ff ff | c0 00 02 00 c0 00 02 ff 00 01 02 03 04 05 06 07 | striping 8 bytes as pad | **parse IKEv2 Identification Payload: | next payload type: ISAKMP_NEXT_v2AUTH | length: 12 | id_type: ID_FQDN | processing payload: ISAKMP_NEXT_v2IDi (len=12) | **parse IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA | length: 200 | auth method: v2_AUTH_RSA | processing payload: ISAKMP_NEXT_v2AUTH (len=200) | **parse IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi | critical bit: Payload-Critical | length: 148 | processing payload: ISAKMP_NEXT_v2SA (len=148) | **parse IKEv2 Traffic Selectors: | next payload type: ISAKMP_NEXT_v2TSr | length: 24 | number of TS: 1 | processing payload: ISAKMP_NEXT_v2TSi (len=24) | **parse IKEv2 Traffic Selectors: | next payload type: ISAKMP_NEXT_NONE | length: 24 | number of TS: 1 | processing payload: ISAKMP_NEXT_v2TSr (len=24) | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: 00 00 00 00 00 00 00 00 | state hash entry 4 | rehashing state object #1, removed from chain 4 | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: c0 2e 7a 30 31 a0 31 88 | state hash entry 30 | inserting state object #1 on chain 30 ../parentR2 IKEv2 mode peer ID is ID_FQDN: '@west' | idhash verify pi cc 07 97 44 b4 a3 4e 8a 0d 2f 27 8b ee 06 6d 07 | a5 a5 75 2e | idhash verify I2 02 00 00 00 77 65 73 74 | **emit ISAKMP Message: | initiator cookie: | 00 01 02 03 04 05 06 07 | responder cookie: | c0 2e 7a 30 31 a0 31 88 | next payload type: ISAKMP_NEXT_v2E | ISAKMP version: IKEv2 version 2.0 (rfc4306) | exchange type: ISAKMP_v2_AUTH | flags: ISAKMP_FLAG_RESPONSE | message ID: 00 00 00 01 | ***emit IKEv2 Encryption Payload: | next payload type: ISAKMP_NEXT_v2IDr | critical bit: Payload-Critical | emitting 16 zero bytes of iv into IKEv2 Encryption Payload | IKEv2 thinking whether to send my certificate: | my policy has RSASIG, the policy is : RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_DISABLE+IKEv2ALLOW+IKEV2_PROPOSE | sendcert: CERT_SENDIFASKED and I did not get a certificate request | so do not send cert. | I did not send a certificate because I do not have one. | *****emit IKEv2 Identification Payload: | next payload type: ISAKMP_NEXT_v2AUTH | id_type: ID_FQDN | emitting 4 raw bytes of my identity into IKEv2 Identification Payload | my identity 65 61 73 74 | emitting length of IKEv2 Identification Payload: 12 | idhash calc pr e9 00 11 7e 41 d4 31 62 40 b8 63 22 bf 06 9f bc | eb 81 58 e7 | idhash calc R2 02 00 00 00 65 61 73 74 | assembled IDr payload -- CERT next | going to assemble AUTH payload | *****emit IKEv2 Authentication Payload: | next payload type: ISAKMP_NEXT_v2SA | auth method: v2_AUTH_RSA | emitting 192 zero bytes of fake rsa sig into IKEv2 Authentication Payload | emitting length of IKEv2 Authentication Payload: 200 | duplicating state object #1 | creating state object #2 at ADDR | ICOOKIE: 00 01 02 03 04 05 06 07 | RCOOKIE: c0 2e 7a 30 31 a0 31 88 | state hash entry 30 | inserting state object #2 on chain 30 | *****emit IKEv2 Security Association Payload: | next payload type: ISAKMP_NEXT_v2TSi | critical bit: Payload-Critical | empty esp_info, returning defaults | ***parse IKEv2 Proposal Substructure Payload: | next payload type: ISAKMP_NEXT_P | length: 36 | prop #: 1 | proto ID: 3 | spi size: 4 | # transforms: 3 | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into CHILD SA SPI | CHILD SA SPI 12 34 56 78 | SPI received: 12345678 | ****parse IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_T | length: 8 | transform type: 1 | transform ID: 12 | ****parse IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_T | length: 8 | transform type: 3 | transform ID: 2 | ****parse IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_NONE | length: 8 | transform type: 5 | transform ID: 0 | ***parse IKEv2 Proposal Substructure Payload: | next payload type: ISAKMP_NEXT_P | length: 36 | prop #: 2 | proto ID: 3 | spi size: 4 | # transforms: 3 | parsing 4 raw bytes of IKEv2 Proposal Substructure Payload into CHILD SA SPI | CHILD SA SPI 12 34 56 78 | SPI received: 12345678 | ******emit IKEv2 Proposal Substructure Payload: | next payload type: ISAKMP_NEXT_NONE | prop #: 1 | proto ID: 3 | spi size: 4 | # transforms: 3 | emitting 4 raw bytes of our spi into IKEv2 Proposal Substructure Payload | our spi 12 34 56 78 | *******emit IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_T | transform type: 1 | transform ID: 12 | emitting length of IKEv2 Transform Substructure Payload: 8 | *******emit IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_T | transform type: 3 | transform ID: 2 | emitting length of IKEv2 Transform Substructure Payload: 8 | *******emit IKEv2 Transform Substructure Payload: | next payload type: ISAKMP_NEXT_NONE | transform type: 5 | transform ID: 0 | emitting length of IKEv2 Transform Substructure Payload: 8 | emitting length of IKEv2 Proposal Substructure Payload: 36 | emitting length of IKEv2 Security Association Payload: 40 | ***parse IKEv2 Traffic Selectors: | TS type: ID_IPV4_ADDR_RANGE | IP Protocol ID: 0 | length: 16 | start port: 0 | end port: 65535 | parsing 4 raw bytes of IKEv2 Traffic Selectors into ipv4 ts | ipv4 ts c0 00 01 00 | parsing 4 raw bytes of IKEv2 Traffic Selectors into ipv4 ts | ipv4 ts c0 00 01 ff | ***parse IKEv2 Traffic Selectors: | TS type: ID_IPV4_ADDR_RANGE | IP Protocol ID: 0 | length: 16 | start port: 0 | end port: 65535 | parsing 4 raw bytes of IKEv2 Traffic Selectors into ipv4 ts | ipv4 ts c0 00 02 00 | parsing 4 raw bytes of IKEv2 Traffic Selectors into ipv4 ts | ipv4 ts c0 00 02 ff | ikev2_eval_conn evaluating I=westnet--eastnet-ikev2:192.0.1.0/24:0/0 R=192.0.2.0/24:0/0 | tsi[0]=192.0.1.0/192.0.1.255 tsr[0]=192.0.2.0/192.0.2.255 | has ts_range1=8 maskbits1=24 ts_range2=8 maskbits2=24 fitbits=8224 <> -1 | find_host_pair: comparing to 192.1.2.23:500 192.1.2.45:500 | checking hostpair 192.0.2.0/24 -> 192.0.1.0/24 is not found | *****emit IKEv2 Traffic Selectors: | next payload type: ISAKMP_NEXT_v2TSr | number of TS: 1 | ******emit IKEv2 Traffic Selectors: | TS type: ID_IPV4_ADDR_RANGE | IP Protocol ID: 0 | start port: 0 | end port: 65535 | emitting 4 raw bytes of ipv4 low into IKEv2 Traffic Selectors | ipv4 low c0 00 01 00 | emitting 4 raw bytes of ipv4 high into IKEv2 Traffic Selectors | ipv4 high c0 00 01 ff | emitting length of IKEv2 Traffic Selectors: 16 | emitting length of IKEv2 Traffic Selectors: 24 | *****emit IKEv2 Traffic Selectors: | next payload type: ISAKMP_NEXT_NONE | number of TS: 1 | ******emit IKEv2 Traffic Selectors: | TS type: ID_IPV4_ADDR_RANGE | IP Protocol ID: 0 | start port: 0 | end port: 65535 | emitting 4 raw bytes of ipv4 low into IKEv2 Traffic Selectors | ipv4 low c0 00 02 00 | emitting 4 raw bytes of ipv4 high into IKEv2 Traffic Selectors | ipv4 high c0 00 02 ff | emitting length of IKEv2 Traffic Selectors: 16 | emitting length of IKEv2 Traffic Selectors: 24 | kernel_alg_esp_info():transid=12, auth=2, ei=0xADDR enckeylen=16, authkeylen=20, encryptalg=12, authalg=3 | prf+[0]: 1b c2 c7 bb 61 1e 4a 70 7b a5 60 70 86 8a 23 2a | ff 38 45 b2 | prf+[1]: 39 f1 e3 e0 ba e2 7f 09 e9 ca 7f 12 40 74 0c 81 | 79 68 c6 4f | prf+[2]: 47 72 9c d3 66 f4 a1 70 9d c8 71 c8 01 64 a7 fa | e5 49 da 1c | prf+[3]: c0 c1 23 75 5a 95 2f b1 d9 83 32 13 b7 7f 0f 3c | ce a3 ed 85 | our keymat 79 68 c6 4f 47 72 9c d3 66 f4 a1 70 9d c8 71 c8 | 01 64 a7 fa e5 49 da 1c c0 c1 23 75 5a 95 2f b1 | d9 83 32 13 | peer keymat 1b c2 c7 bb 61 1e 4a 70 7b a5 60 70 86 8a 23 2a | ff 38 45 b2 39 f1 e3 e0 ba e2 7f 09 e9 ca 7f 12 | 40 74 0c 81 | emitting 4 raw bytes of padding and length into cleartext | padding and length 00 01 02 03 | emitting 12 zero bytes of 96-bits of truncated HMAC into IKEv2 Encryption Payload | emitting length of IKEv2 Encryption Payload: 336 | emitting length of ISAKMP Message: 364 | data before encryption: | 27 00 00 0c 02 00 00 00 65 61 73 74 21 00 00 c8 | 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 00 00 00 00 2c 80 00 28 00 00 00 24 01 03 04 03 | 12 34 56 78 03 00 00 08 01 00 00 0c 03 00 00 08 | 03 00 00 02 00 00 00 08 05 00 00 00 2d 00 00 18 | 01 00 00 00 07 00 00 10 00 00 ff ff c0 00 01 00 | c0 00 01 ff 00 00 00 18 01 00 00 00 07 00 00 10 | 00 00 ff ff c0 00 02 00 c0 00 02 ff 00 01 02 03 | data after encryption: | fa 2a 97 14 eb 12 1b 1a 79 18 e9 85 bc ee b3 28 | f1 c5 e2 4b 11 b9 b9 9c fe 1d 23 8a c6 15 7d a1 | 2c 55 c0 42 51 3c 8c 46 0c 80 6d 8f e1 5c c1 d5 | a4 1c 53 ba 2f 07 79 86 ab d1 74 fa 13 c0 87 74 | ec ba 59 26 cd 4b 33 9d 8d 33 a3 ab 1b c6 f9 c1 | f8 c0 ef d4 5a f4 09 6b 68 c4 53 09 e0 73 53 2f | dc 9c 40 0d a6 2e dc 8d 69 40 e9 d1 4e e0 a1 55 | 51 f7 2c 00 3e 20 90 1e 0b b7 7f b3 6c 99 c7 b1 | 67 b1 82 7a b9 b5 d3 f4 7d 47 5e d8 16 99 68 d6 | 09 58 82 cf 91 24 c8 84 45 b4 d8 1d af 34 f9 4a | 82 ab 1b fb 82 7d fa 63 0a e5 d0 b8 ff 57 09 4a | 73 18 5e d7 cb da 57 81 6d 3c 26 21 20 e4 68 c6 | fa 7e 61 5a 8e 54 cb 99 57 7a 69 7c 9c 51 50 40 | 3a 25 48 49 71 6c d8 45 7b 1f f9 ce bf b3 56 0a | 6b a8 fe 3d fa eb 34 ef 5d 0d 27 b9 c0 ea f2 95 | 3d f6 57 48 a6 f5 d3 66 4b e4 77 68 e1 84 b6 74 | 8c b9 11 31 89 e4 e4 03 d1 e0 af 40 35 bf ae ae | 59 5d e4 ae d6 db 1b d5 ca 30 67 e4 cd bc e3 8d | 93 f3 59 1e 95 ac f7 8e 88 c9 7a 0a e8 40 67 7c | data being hmac: 00 01 02 03 04 05 06 07 c0 2e 7a 30 31 a0 31 88 | 2e 20 23 20 00 00 00 01 00 00 01 6c 24 80 01 50 | 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | fa 2a 97 14 eb 12 1b 1a 79 18 e9 85 bc ee b3 28 | f1 c5 e2 4b 11 b9 b9 9c fe 1d 23 8a c6 15 7d a1 | 2c 55 c0 42 51 3c 8c 46 0c 80 6d 8f e1 5c c1 d5 | a4 1c 53 ba 2f 07 79 86 ab d1 74 fa 13 c0 87 74 | ec ba 59 26 cd 4b 33 9d 8d 33 a3 ab 1b c6 f9 c1 | f8 c0 ef d4 5a f4 09 6b 68 c4 53 09 e0 73 53 2f | dc 9c 40 0d a6 2e dc 8d 69 40 e9 d1 4e e0 a1 55 | 51 f7 2c 00 3e 20 90 1e 0b b7 7f b3 6c 99 c7 b1 | 67 b1 82 7a b9 b5 d3 f4 7d 47 5e d8 16 99 68 d6 | 09 58 82 cf 91 24 c8 84 45 b4 d8 1d af 34 f9 4a | 82 ab 1b fb 82 7d fa 63 0a e5 d0 b8 ff 57 09 4a | 73 18 5e d7 cb da 57 81 6d 3c 26 21 20 e4 68 c6 | fa 7e 61 5a 8e 54 cb 99 57 7a 69 7c 9c 51 50 40 | 3a 25 48 49 71 6c d8 45 7b 1f f9 ce bf b3 56 0a | 6b a8 fe 3d fa eb 34 ef 5d 0d 27 b9 c0 ea f2 95 | 3d f6 57 48 a6 f5 d3 66 4b e4 77 68 e1 84 b6 74 | 8c b9 11 31 89 e4 e4 03 d1 e0 af 40 35 bf ae ae | 59 5d e4 ae d6 db 1b d5 ca 30 67 e4 cd bc e3 8d | 93 f3 59 1e 95 ac f7 8e 88 c9 7a 0a e8 40 67 7c | out calculated auth: | 8c 83 d2 fd 2f 13 17 bb 64 45 a8 84 | complete v2 state transition with STF_OK ../parentR2 transition from state STATE_PARENT_R1 to state STATE_PARENT_R2 ../parentR2 negotiated tunnel [192.0.2.0,192.0.2.255] -> [192.0.1.0,192.0.1.255] ../parentR2 STATE_PARENT_R2: received v2I2, PARENT SA established tunnel mode {ESP=>0x12345678 <0x12345678 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none} | sending reply packet to 192.1.2.45:500 (from port 500) sending 364 bytes for STATE_PARENT_R1 through eth0:500 to 192.1.2.45:500 (using #2) | 00 01 02 03 04 05 06 07 c0 2e 7a 30 31 a0 31 88 | 2e 20 23 20 00 00 00 01 00 00 01 6c 24 80 01 50 | 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f | fa 2a 97 14 eb 12 1b 1a 79 18 e9 85 bc ee b3 28 | f1 c5 e2 4b 11 b9 b9 9c fe 1d 23 8a c6 15 7d a1 | 2c 55 c0 42 51 3c 8c 46 0c 80 6d 8f e1 5c c1 d5 | a4 1c 53 ba 2f 07 79 86 ab d1 74 fa 13 c0 87 74 | ec ba 59 26 cd 4b 33 9d 8d 33 a3 ab 1b c6 f9 c1 | f8 c0 ef d4 5a f4 09 6b 68 c4 53 09 e0 73 53 2f | dc 9c 40 0d a6 2e dc 8d 69 40 e9 d1 4e e0 a1 55 | 51 f7 2c 00 3e 20 90 1e 0b b7 7f b3 6c 99 c7 b1 | 67 b1 82 7a b9 b5 d3 f4 7d 47 5e d8 16 99 68 d6 | 09 58 82 cf 91 24 c8 84 45 b4 d8 1d af 34 f9 4a | 82 ab 1b fb 82 7d fa 63 0a e5 d0 b8 ff 57 09 4a | 73 18 5e d7 cb da 57 81 6d 3c 26 21 20 e4 68 c6 | fa 7e 61 5a 8e 54 cb 99 57 7a 69 7c 9c 51 50 40 | 3a 25 48 49 71 6c d8 45 7b 1f f9 ce bf b3 56 0a | 6b a8 fe 3d fa eb 34 ef 5d 0d 27 b9 c0 ea f2 95 | 3d f6 57 48 a6 f5 d3 66 4b e4 77 68 e1 84 b6 74 | 8c b9 11 31 89 e4 e4 03 d1 e0 af 40 35 bf ae ae | 59 5d e4 ae d6 db 1b d5 ca 30 67 e4 cd bc e3 8d | 93 f3 59 1e 95 ac f7 8e 88 c9 7a 0a e8 40 67 7c | 8c 83 d2 fd 2f 13 17 bb 64 45 a8 84 | releasing whack for #2 (sock=-1) | releasing whack for #1 (sock=-1) | deleting state #1 ../parentR2 leak: reply packet ../parentR2 leak: skeyseed_t1 ../parentR2 leak: responder keys ../parentR2 leak: initiator keys ../parentR2 leak: db_v2_trans ../parentR2 leak: db_v2_prop_conj ../parentR2 leak: db_v2_prop ../parentR2 leak: db_v2_trans ../parentR2 leak: db_v2_prop_conj ../parentR2 leak: db_v2_trans ../parentR2 leak: db_v2_prop_conj ../parentR2 leak: db_v2_trans ../parentR2 leak: db_v2_prop_conj ../parentR2 leak: 4 * sa copy attrs array ../parentR2 leak: sa copy trans array ../parentR2 leak: sa copy prop array ../parentR2 leak: sa copy prop conj array ../parentR2 leak: sa copy prop_conj ../parentR2 leak: st_skey_pr in duplicate_state ../parentR2 leak: st_skey_pi in duplicate_state ../parentR2 leak: st_skey_er in duplicate_state ../parentR2 leak: st_skey_ei in duplicate_state ../parentR2 leak: st_skey_ar in duplicate_state ../parentR2 leak: st_skey_ai in duplicate_state ../parentR2 leak: st_skey_d in duplicate_state ../parentR2 leak: st_skeyseed in duplicate_state ../parentR2 leak: st_enc_key in duplicate_state ../parentR2 leak: struct state in new_state() ../parentR2 leak: ikev2_inI2outR2 KE ../parentR2 leak: long term secret ../parentR2 leak: ikev2_inI1outR1 KE ../parentR2 leak: msg_digest ../parentR2 leak: host_pair ../parentR2 leak: host ip ../parentR2 leak: keep id name ../parentR2 leak: host ip ../parentR2 leak: keep id name ../parentR2 leak: connection name ../parentR2 leak: struct connection ../parentR2 leak: policies path ../parentR2 leak: ocspcerts path ../parentR2 leak: aacerts path ../parentR2 leak: certs path ../parentR2 leak: private path ../parentR2 leak: crls path ../parentR2 leak: cacert path ../parentR2 leak: acert path ../parentR2 leak: 7 * default conf ../parentR2 leak: 2 * hasher name Started ../parentR2 Pre-amble: #!-pluto-whack-file- recorded on east on 2007-10-31 06:13:08 TCPDUMP output reading from file parentR2.pcap, link-type NULL (BSD loopback) 00:00:00.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 336, bad cksum 0 (->f556)!) 192.1.2.23.500 > 192.1.2.45.500: [no cksum] isakmp 2.0 msgid 00000000 cookie 0001020304050607->c02e7a3031a03188: parent_sa ikev2_init[]: (sa[C]: len=40 (p: #1 protoid=isakmp transform=4 len=40 (t: #1 type=encr id=aes ) (t: #2 type=integ id=hmac-sha ) (t: #3 type=prf id=hmac-sha ) (t: #4 type=dh id=modp1536 ))) (v2ke: len=192 group=modp1536) (nonce[C]: len=16 nonce=(47e9f9258ca23858f675b166b02cc292) ) (v2vid: len=12 vid=OEababababab) 00:00:00.000000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [none], proto UDP (17), length 392, bad cksum 0 (->f51e)!) 192.1.2.23.500 > 192.1.2.45.500: [no cksum] isakmp 2.0 msgid 00000001 cookie 0001020304050607->c02e7a3031a03188: child_sa ikev2_auth[]: (v2e[C]: len=332 (v2IDr: len=8 fqdn:east) (v2auth: len=196 method=rsasig authdata=(000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000) ) (sa[C]: len=36 (p: #1 protoid=ipsec-esp transform=3 len=36 spi=12345678 (t: #1 type=encr id=aes ) (t: #2 type=integ id=hmac-sha ) (t: #3 type=esn id=no-esn ))) (v2TSi: len=20) (v2TSr: len=20))