Hello misc@,

I have discovered what may be an oversight in iked(8)'s NAT detection code, as well as traffic blocking after the first rekey of the Child SA when NAT has been detected by one of the IKE daemons.
I have the following passive config on a host with a static IP (1.2.3.4):

ikev2 "demo" passive esp \
        from 10.1.0.0/16 to 10.2.0.0/16 \
        local 1.2.3.4 peer any \
        lifetime 1m \
        rsa

And the following active config on a host with a dynamic IP (currently, 5.6.7.8):

ikev2 "demo" active esp \
        from 10.2.0.0/16 to 10.1.0.0/16 \
        peer 1.2.3.4 \
        rsa

I start iked(8) on both hosts; the active host starts the negotiation, and flows and SAs are set up. The networks can ping one another and all is well. There is no NAT between the hosts on the Internet.

I then observe two, possibly dependent, problems (full logs at end):

==== Problem 1:

The passive host decides that there is a NAT involved due to the active side's choice of 0.0.0.0 for NAT_DETECTION_SOURCE_IP (see debug logs below, search for "0.0.0.0:500"). This surprised me--I expected iked(8) to either 1) figure out what the source IP really would be and use it in the NAT_DETECTION_SOURCE_IP payload, or 2) add multiple NAT_DETECTION_SOURCE_IP payloads, one for each possible source address.

I have verified that adding "local 5.6.7.8" to the active config alongside "peer" causes that address to be used in the NAT_DETECTION_SOURCE_IP instead of 0.0.0.0, and then no NAT is detected by the passive host.
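To make the Problem 1 behaviour concrete, here is an added worked example (editorial, not the poster's code and not iked's source) of the NAT detection computation from RFC 7296 section 2.23: each NAT_DETECTION_*_IP notify carries SHA-1(SPIi || SPIr || address || port), and the receiver recomputes it from the addresses it actually observed on the packet. The SPIs and addresses are the ones in the report's log; the payload/check functions are a model of the protocol, and the multi-payload variant corresponds to the poster's option 2, which the RFC explicitly permits. It shows why hashing 0.0.0.0 as the source makes a responder conclude "peer is behind NAT" even when no NAT exists.

```python
import hashlib
import ipaddress
import struct

# SPIs as they appear in the IKE_SA_INIT request in the report's debug log
# (the responder SPI is still zero at that point).
ISPI = 0xF2EF7A9D4E3A31B3
RSPI = 0x0000000000000000


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """Payload data of NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    per RFC 7296 section 2.23: SHA-1 over SPIi || SPIr || IP || port, all in
    network byte order (8 + 8 + 4-or-16 + 2 bytes). Returns the 20-byte digest."""
    packed = (struct.pack("!QQ", spi_i, spi_r)
              + ipaddress.ip_address(ip).packed
              + struct.pack("!H", port))
    return hashlib.sha1(packed).digest()


def initiator_notifies(spi_i, spi_r, candidate_local_ips, local_port, peer_ip, peer_port):
    """Build the notify payloads an initiator sends. RFC 7296 allows several
    NAT_DETECTION_SOURCE_IP payloads when the sender does not yet know which of
    its addresses the packet will leave from (the poster's option 2); a single
    entry models the iked behaviour seen in the report."""
    return {
        "NAT_DETECTION_SOURCE_IP": [nat_detection_hash(spi_i, spi_r, ip, local_port)
                                    for ip in candidate_local_ips],
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, peer_ip, peer_port),
    }


def responder_nat_check(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, own_ip, own_port):
    """Responder side (model, not iked's code): recompute the hashes from the
    addresses it actually saw on the packet. Returns (peer_behind_nat, self_behind_nat):
      - no SOURCE_IP hash matches the observed source      -> peer's address was rewritten
      - DESTINATION_IP hash differs from our own address   -> our address was rewritten"""
    expected_src = nat_detection_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    peer_behind_nat = expected_src not in notifies["NAT_DETECTION_SOURCE_IP"]
    expected_dst = nat_detection_hash(spi_i, spi_r, own_ip, own_port)
    self_behind_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != expected_dst
    return peer_behind_nat, self_behind_nat


def scenario(candidate_local_ips):
    """One IKE_SA_INIT from 5.6.7.8:500 to 1.2.3.4:500 over a path with no NAT;
    only the address(es) the initiator hashes as its source vary."""
    notifies = initiator_notifies(ISPI, RSPI, candidate_local_ips, 500, "1.2.3.4", 500)
    # No NAT on the path: the responder sees the initiator's real address and port.
    return responder_nat_check(ISPI, RSPI, notifies, "5.6.7.8", 500, "1.2.3.4", 500)


if __name__ == "__main__":
    print("local any (hashes 0.0.0.0) :", scenario(["0.0.0.0"]))
    print("local 5.6.7.8              :", scenario(["5.6.7.8"]))
    print("one payload per candidate  :", scenario(["0.0.0.0", "5.6.7.8"]))
```

The first scenario reproduces the report: the responder's recomputed hash for 5.6.7.8:500 matches none of the advertised SOURCE_IP hashes, so it flags the peer as NATed and switches to UDP encapsulation, while the DESTINATION_IP check still passes because 1.2.3.4:500 was hashed correctly. Either of the poster's two remedies (hash the real source, or send one payload per candidate address) makes the check pass.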
Flows and SAs as of Problem 1:

---- Passive host:

FLOWS:
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 5.6.7.8 srcid FQDN/foo.example.com dstid FQDN/bar.example.com type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 5.6.7.8 srcid FQDN/foo.example.com dstid FQDN/bar.example.com type require

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x236518d7 auth hmac-sha2-256 enc aes-256
        sa: spi 0x236518d7 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 192 add 1498100037 first 1498100038
        lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
        lifetime_soft: alloc 0 bytes 478351982 add 53 first 0
        address_src: 5.6.7.8
        address_dst: 1.2.3.4
        identity_src: type fqdn id 0: FQDN/bar.example.com
        identity_dst: type fqdn id 0: FQDN/foo.example.com
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100039
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x746f493b auth hmac-sha2-256 enc aes-256
        sa: spi 0x746f493b auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 168 add 1498100037 first 1498100038
        lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
        lifetime_soft: alloc 0 bytes 508953624 add 56 first 0
        address_src: 1.2.3.4
        address_dst: 5.6.7.8
        identity_src: type fqdn id 0: FQDN/foo.example.com
        identity_dst: type fqdn id 0: FQDN/bar.example.com
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100039

---- Active host:

FLOWS:
flow esp in from 10.1.0.0/16 to 10.2.0.0/16 peer 1.2.3.4 srcid FQDN/bar.example.com dstid FQDN/foo.example.com type use
flow esp out from 10.2.0.0/16 to 10.1.0.0/16 peer 1.2.3.4 srcid FQDN/bar.example.com dstid FQDN/foo.example.com type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x236518d7 auth hmac-sha2-256 enc aes-256
        sa: spi 0x236518d7 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 252 add 1498100071 first 1498100072
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 468688306 add 9428 first 0
        address_src: 5.6.7.8
        address_dst: 1.2.3.4
        identity_src: type fqdn id 0: FQDN/bar.example.com
        identity_dst: type fqdn id 0: FQDN/foo.example.com
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100074
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x746f493b auth hmac-sha2-256 enc aes-256
        sa: spi 0x746f493b auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 288 add 1498100071 first 1498100072
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 493921239 add 9936 first 0
        address_src: 1.2.3.4
        address_dst: 5.6.7.8
        identity_src: type fqdn id 0: FQDN/foo.example.com
        identity_dst: type fqdn id 0: FQDN/bar.example.com
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100074

==== Problem 2:

Given that NAT has been detected in Problem 1 by the passive host, rekeying of the Child SA stops further traffic from flowing in either direction. I'm not sure how to debug this further. I have verified via pflog that no packets are being dropped by pf. (This rekeying is also included in the debug logs below.)

Note the addition of "udpencap" to the SA flags on only the passive host below (this may be correct--it's just the only salient difference I've noticed between the two sets of SAs).
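The udpencap asymmetry the author points out is exactly the kind of thing worth checking mechanically when a tunnel goes silent after a rekey. The following is an added example (editorial, not part of the original post and not an OpenBSD tool) that parses the SAD listings of both hosts as ipsecctl prints them and reports, per SPI, any difference in endpoints, flags or UDP encapsulation. The embedded sample is a constructed excerpt of the Problem 2 listings shown below, trimmed to the header, state and udpencap lines; the line layout it assumes (SPI header line, indented "sa:", "state ... flags 0x...<...>" and "udpencap: udpencap port N" lines) is taken from the report.

```python
import re

# Constructed excerpt of the two SAD listings in this report after the rekey
# (passive host 1.2.3.4 vs active host 5.6.7.8), lifetime lines omitted.
PASSIVE_SAD = """\
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e014192 auth hmac-sha2-256 enc aes-256
        sa: spi 0x6e014192 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x604<tunnel,udpencap,esn>
        udpencap: udpencap port 4500
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x88ab44fd auth hmac-sha2-256 enc aes-256
        sa: spi 0x88ab44fd auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x604<tunnel,udpencap,esn>
        udpencap: udpencap port 4500
"""

ACTIVE_SAD = """\
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e014192 auth hmac-sha2-256 enc aes-256
        sa: spi 0x6e014192 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x88ab44fd auth hmac-sha2-256 enc aes-256
        sa: spi 0x88ab44fd auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
"""

SA_HEADER = re.compile(r"^esp (tunnel|transport) from (\S+) to (\S+) spi (0x[0-9a-f]+)")
FLAGS = re.compile(r"flags 0x[0-9a-f]+<([^>]*)>")
UDPENCAP = re.compile(r"udpencap: udpencap port (\d+)")


def parse_sad(text):
    """Return {spi: {"mode", "src", "dst", "flags": set, "udpencap_port": int|None}}.
    An SA starts at an unindented 'esp ... spi 0x...' line; the indented lines
    that follow belong to it until the next header."""
    sas = {}
    cur = None
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            cur = {"mode": m.group(1), "src": m.group(2), "dst": m.group(3),
                   "flags": set(), "udpencap_port": None}
            sas[m.group(4)] = cur
            continue
        if cur is None:
            continue  # text before the first SA header
        m = FLAGS.search(line)
        if m:
            cur["flags"] = {f for f in m.group(1).split(",") if f}
        m = UDPENCAP.search(line)
        if m:
            cur["udpencap_port"] = int(m.group(1))
    return sas


def find_asymmetries(sad_a, sad_b):
    """Compare both hosts' view of every SPI. A Child SA only carries traffic if
    both ends agree on the endpoints and on whether ESP is wrapped in UDP/4500:
    if one side emits UDP-encapsulated ESP and the other expects raw ESP, each
    direction is silently discarded by the receiving kernel. Returns a list of
    (spi, description) tuples; an empty list means the two views agree."""
    problems = []
    for spi in sorted(set(sad_a) | set(sad_b)):
        a, b = sad_a.get(spi), sad_b.get(spi)
        if a is None or b is None:
            problems.append((spi, "missing on one host"))
            continue
        if (a["src"], a["dst"]) != (b["src"], b["dst"]):
            problems.append((spi, "endpoint mismatch"))
        if a["flags"] != b["flags"]:
            problems.append((spi, "flags differ: %s" % ",".join(sorted(a["flags"] ^ b["flags"]))))
        if a["udpencap_port"] != b["udpencap_port"]:
            problems.append((spi, "udpencap mismatch: %r vs %r"
                             % (a["udpencap_port"], b["udpencap_port"])))
    return problems


if __name__ == "__main__":
    for spi, why in find_asymmetries(parse_sad(PASSIVE_SAD), parse_sad(ACTIVE_SAD)):
        print(spi, why)
```

On the report's data this flags both rekeyed SPIs with "flags differ: udpencap" and "udpencap mismatch: 4500 vs None", which is the mismatch to chase: the passive host programmed the new SAs for NAT-T (UDP port 4500) because of the false NAT verdict from Problem 1, while the active host, which never saw a NAT, kept plain ESP. Feeding the pre-rekey listings from Problem 1 through the same functions yields no findings.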
Flows and SAs as of Problem 2:

---- Passive host:

FLOWS:
flow esp in from 10.2.0.0/16 to 10.1.0.0/16 peer 5.6.7.8 srcid FQDN/foo.example.com dstid FQDN/bar.example.com type use
flow esp out from 10.1.0.0/16 to 10.2.0.0/16 peer 5.6.7.8 srcid FQDN/foo.example.com dstid FQDN/bar.example.com type require

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e014192 auth hmac-sha2-256 enc aes-256
        sa: spi 0x6e014192 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x604<tunnel,udpencap,esn>
        lifetime_cur: alloc 0 bytes 0 add 1498100090 first 0
        lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
        lifetime_soft: alloc 0 bytes 483183820 add 54 first 0
        address_src: 5.6.7.8
        address_dst: 1.2.3.4
        identity_src: type fqdn id 0: FQDN/bar.example.com
        identity_dst: type fqdn id 0: FQDN/foo.example.com
        udpencap: udpencap port 4500
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x88ab44fd auth hmac-sha2-256 enc aes-256
        sa: spi 0x88ab44fd auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x604<tunnel,udpencap,esn>
        lifetime_cur: alloc 0 bytes 420 add 1498100090 first 1498100091
        lifetime_hard: alloc 0 bytes 536870912 add 60 first 0
        lifetime_soft: alloc 0 bytes 471372660 add 52 first 0
        address_src: 1.2.3.4
        address_dst: 5.6.7.8
        identity_src: type fqdn id 0: FQDN/foo.example.com
        identity_dst: type fqdn id 0: FQDN/bar.example.com
        udpencap: udpencap port 4500
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100095

---- Active host:

FLOWS:
flow esp in from 10.1.0.0/16 to 10.2.0.0/16 peer 1.2.3.4 srcid FQDN/bar.example.com dstid FQDN/foo.example.com type use
flow esp out from 10.2.0.0/16 to 10.1.0.0/16 peer 1.2.3.4 srcid FQDN/bar.example.com dstid FQDN/foo.example.com type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 5.6.7.8 to 1.2.3.4 spi 0x6e014192 auth hmac-sha2-256 enc aes-256
        sa: spi 0x6e014192 auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 246 add 1498100124 first 1498100125
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 457950887 add 9212 first 0
        address_src: 5.6.7.8
        address_dst: 1.2.3.4
        identity_src: type fqdn id 0: FQDN/bar.example.com
        identity_dst: type fqdn id 0: FQDN/foo.example.com
        lifetime_lastuse: alloc 0 bytes 0 add 0 first 1498100130
esp tunnel from 1.2.3.4 to 5.6.7.8 spi 0x88ab44fd auth hmac-sha2-256 enc aes-256
        sa: spi 0x88ab44fd auth hmac-sha2-256 enc aes
                state mature replay 64 flags 0x404<tunnel,esn>
        lifetime_cur: alloc 0 bytes 0 add 1498100124 first 0
        lifetime_hard: alloc 0 bytes 536870912 add 10800 first 0
        lifetime_soft: alloc 0 bytes 500900560 add 10076 first 0
        address_src: 1.2.3.4
        address_dst: 5.6.7.8
        identity_src: type fqdn id 0: FQDN/foo.example.com
        identity_dst: type fqdn id 0: FQDN/bar.example.com

==== Logs (-vv):

---- Passive host:

ikev2 "demo" passive esp inet from 10.1.0.0/16 to 10.2.0.0/16 local 1.2.3.4 peer any ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 60 bytes 536870912 rsa
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
config_getpolicy: received policy
ca_getkey: received private key type RSA_KEY length 1192
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: loaded ca file ca.crt
ca_reload: loaded crl file ca.crl
ca_reload: /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=VPN CA/emailAddress=ad...@example.com
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file foo.example.com.crt
ca_validate_cert: 
/C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=foo.example.com/emailAddress=ad...@example.com ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
... idle ...
ikev2_recv: IKE_SA_INIT request from initiator 5.6.7.8:500 to 1.2.3.4:500 policy 'demo' id 0, 510 bytes
ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/foo.example.com length 19
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112
ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 xforms 11 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xf2ef7a9d4e3a31b3 0x0000000000000000 5.6.7.8:500
ikev2_pld_notify: NAT_DETECTION_SOURCE_IP detected NAT, enabling UDP encapsulation
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xf2ef7a9d4e3a31b3 0x0000000000000000 1.2.3.4:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf2ef7a9d4e3a31b3 0xc5a31acf4810170c 1.2.3.4:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf2ef7a9d4e3a31b3 0xc5a31acf4810170c 5.6.7.8:500
ikev2_next_payload: length 28 
nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 1.2.3.4:500 to 5.6.7.8:500 msgid 0, 471 bytes
config_free_proposals: free 0x15e20975780
ikev2_recv: IKE_AUTH request from initiator 5.6.7.8:500 to 1.2.3.4:500 policy 'demo' id 1, 1552 bytes
ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c
ikev2_recv: updated SA to peer 5.6.7.8:500 local 1.2.3.4:500
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 
0xc5a31acf4810170c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1552 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1524
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1488
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1488/1488 padding 1
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 23
ikev2_pld_id: id FQDN/bar.example.com length 19
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1026
ikev2_pld_cert: type X509_CERT length 1021
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_policy2id: srcid FQDN/foo.example.com length 19
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x746f493b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid 'bar.example.com'
ikev2_msg_auth: responder auth data length 535
ca_setauth: switching RSA_SIG to SIG
ca_setauth: auth length 535
ikev2_msg_auth: initiator auth data length 574
ikev2_msg_authverify: method SIG keylen 1021 type X509_CERT
_dsa_verify_init: signature scheme 0 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x15e48d0c980
ca_getreq: found CA /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=VPN CA/emailAddress=ad...@example.com
ca_x509_subjectaltname: FQDN/foo.example.com
ca_getreq: found local certificate /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=foo.example.com/emailAddress=ad...@example.com
ca_setauth: auth length 272
ca_validate_pubkey: could not open public key pubkeys/fqdn/bar.example.com
ca_x509_subjectaltname: FQDN/bar.example.com
ca_validate_cert: /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=bar.example.com/emailAddress=ad...@example.com ok
ikev2_getimsgdata: imsg 19 rspi 0xc5a31acf4810170c ispi 0xf2ef7a9d4e3a31b3 initiator 0 sa valid type 4 data length 1021
ikev2_dispatch_cert: cert type X509_CERT length 
1021, ok
sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 24 rspi 0xc5a31acf4810170c ispi 0xf2ef7a9d4e3a31b3 initiator 0 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x236518d7
pfkey_sa_init: new spi 0x236518d7
ikev2_next_payload: length 23 nextpayload CERT
ikev2_next_payload: length 1026 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1421
ikev2_msg_encrypt: padded length 1424
ikev2_msg_encrypt: length 1422, padding 2, output length 1456
ikev2_next_payload: length 1460 nextpayload IDr
ikev2_msg_integr: message length 1488
ikev2_msg_integr: integrity checksum 
length 16
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1488 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1424
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 2
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 23
ikev2_pld_id: id FQDN/foo.example.com length 19
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1026
ikev2_pld_cert: type X509_CERT length 1021
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x236518d7
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255
ikev2_msg_send: IKE_AUTH response from 1.2.3.4:500 to 5.6.7.8:500 msgid 1, 1488 bytes
pfkey_sa_add: update spi 0x236518d7
ikev2_childsa_enable: loaded CHILD SA spi 0x236518d7
pfkey_sa_add: add spi 0x746f493b
ikev2_childsa_enable: loaded CHILD SA spi 0x746f493b
ikev2_childsa_enable: loaded flow 0x15e7a85b800
ikev2_childsa_enable: loaded flow 0x15dfcc79800
sa_state: VALID -> ESTABLISHED from 5.6.7.8:500 to 1.2.3.4:500 policy 'demo'
... 1 minute passes, then CHILD SA rekey starts ...
pfkey_process: SA 0x236518d7 is expired, pending rekeying
ikev2_send_create_child_sa: rekeying ESP spi 0x746f493b
config_free_proposals: free 0x15e7d072600
pfkey_sa_getspi: spi 0x6e014192
pfkey_sa_init: new spi 0x6e014192
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NOTIFY
ikev2_next_payload: length 12 nextpayload NONE
ikev2_msg_encrypt: decrypted length 180
ikev2_msg_encrypt: padded length 192
ikev2_msg_encrypt: length 181, padding 11, output length 224
ikev2_next_payload: length 228 nextpayload SA
ikev2_msg_integr: message length 256
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 0 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x6e014192
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR 
id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 12
ikev2_pld_notify: protoid ESP spisize 4 type REKEY_SA
ikev2_msg_send: CREATE_CHILD_SA request from 1.2.3.4:500 to 5.6.7.8:500 msgid 0, 256 bytes
ikev2_recv: CREATE_CHILD_SA response from initiator 5.6.7.8:500 to 1.2.3.4:500 policy 'demo' id 0, 208 bytes
ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c
ikev2_recv: updated SA to peer 5.6.7.8:500 local 1.2.3.4:500
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 0 length 208 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 180
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 144
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 144/144 padding 15
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP 
spisize 4 xforms 3 spi 0x88ab44fd
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255
ikev2_init_recv: NAT detected, updated SA to peer 5.6.7.8:4500 local 1.2.3.4:4500
ikev2_sa_negotiate: score 3
config_free_proposals: free 0x15e7d072300
ikev2_init_create_child_sa: rekeying CHILD SA old 0x236518d7 spi 0x88ab44fd
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
ikev2_next_payload: length 12 nextpayload NONE
ikev2_msg_encrypt: decrypted length 12
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 13, padding 3, output length 48
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_pld_delete: spi 0x236518d7
ikev2_msg_send: INFORMATIONAL request from 1.2.3.4:4500 to 5.6.7.8:4500 msgid 1, 80 bytes, NAT-T
pfkey_sa_add: add spi 0x88ab44fd
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x88ab44fd
pfkey_sa_add: update spi 0x6e014192
pfkey_sa: udpencap port 4500
ikev2_childsa_enable: loaded CHILD SA spi 0x6e014192
ikev2_childsa_delete: deleted CHILD SA spi 0x236518d7
ikev2_childsa_delete: deleted CHILD SA spi 0x746f493b
config_free_proposals: free 0x15e72741480
pfkey_sa_last_used: last_used 1498100097
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x88ab44fd last used 0 second(s) ago
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 2 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from 1.2.3.4:4500 to 5.6.7.8:4500 msgid 2, 80 bytes, NAT-T
ikev2_recv: INFORMATIONAL response from initiator 5.6.7.8:4500 to 1.2.3.4:4500 policy 'demo' id 2, 80 bytes
ikev2_recv: ispi 
0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c
ikev2_recv: updated SA to peer 5.6.7.8:4500 local 1.2.3.4:4500
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 2 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_recv: INFORMATIONAL request from initiator 5.6.7.8:4500 to 1.2.3.4:4500 policy 'demo' id 2, 80 bytes
ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c
ikev2_recv: updated SA to peer 5.6.7.8:4500 local 1.2.3.4:4500
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 2 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 
11 ikev2_msg_send: INFORMATIONAL response from 1.2.3.4:4500 to 5.6.7.8:4500 msgid 2, 80 bytes, NAT-T

---- Active host:

ikev2 "demo" active esp inet from 10.2.0.0/16 to 10.1.0.0/16 local any peer 1.2.3.4 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256,hmac-sha1 group modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 rsa /etc/iked.conf: loaded 1 configuration rules ca_privkey_serialize: type RSA_KEY length 1192 ca_pubkey_serialize: type RSA_KEY length 270 config_getpolicy: received policy ca_privkey_to_method: type RSA_KEY method RSA_SIG ca_getkey: received private key type RSA_KEY length 1192 ca_getkey: received public key type RSA_KEY length 270 ca_dispatch_parent: config reset config_getpfkey: received pfkey fd 3 config_getcompile: compilation done config_getsocket: received socket fd 4 config_getsocket: received socket fd 5 config_getsocket: received socket fd 6 config_getsocket: received socket fd 7 ca_reload: loaded ca file ca.crt ca_reload: loaded crl file ca.crl ca_reload: /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=VPN CA/emailAddress=ad...@example.com ca_reload: loaded 1 ca certificate ca_reload: loaded cert file bar.example.com.crt ca_validate_cert: /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=bar.example.com/emailAddress=ad...@example.com ok ca_reload: local cert type X509_CERT config_getocsp: ocsp_url none ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20 ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20

... idle ...
ikev2_init_ike_sa: initiating "demo" ikev2_policy2id: srcid FQDN/bar.example.com length 19 ikev2_add_proposals: length 108 ikev2_next_payload: length 112 nextpayload KE ikev2_next_payload: length 264 nextpayload NONCE ikev2_next_payload: length 36 nextpayload NOTIFY ikev2_nat_detection: local source 0xf2ef7a9d4e3a31b3 0x0000000000000000 0.0.0.0:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_nat_detection: local destination 0xf2ef7a9d4e3a31b3 0x0000000000000000 1.2.3.4:500 ikev2_next_payload: length 28 nextpayload NOTIFY ikev2_next_payload: length 14 nextpayload NONE ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 510 response 0 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 112 ikev2_pld_sa: more 0 reserved 0 length 108 proposal #1 protoid IKE spisize 0 xforms 11 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload 
NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_msg_send: IKE_SA_INIT request from 0.0.0.0:500 to 1.2.3.4:500 msgid 0, 510 bytes sa_state: INIT -> SA_INIT ikev2_recv: IKE_SA_INIT response from responder 1.2.3.4:500 to 5.6.7.8:500 policy 'demo' id 0, 471 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:500 local 5.6.7.8:500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1 ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48 ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048 ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264 ikev2_pld_ke: dh group MODP_2048 reserved 0 ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36 ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28 ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP ikev2_nat_detection: peer source 0xf2ef7a9d4e3a31b3 0xc5a31acf4810170c 1.2.3.4:500 ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28 
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP ikev2_nat_detection: peer destination 0xf2ef7a9d4e3a31b3 0xc5a31acf4810170c 5.6.7.8:500 ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25 ikev2_pld_certreq: type X509_CERT length 20 ikev2_policy2id: srcid FQDN/bar.example.com length 19 sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth) ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14 ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS ikev2_pld_notify: signature hash SHA2_256 (2) ikev2_pld_notify: signature hash SHA2_384 (3) ikev2_pld_notify: signature hash SHA2_512 (4) ikev2_sa_negotiate: score 4 sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth ikev2_sa_keys: SKEYSEED with 32 bytes ikev2_sa_keys: S with 80 bytes ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: T5 with 32 bytes ikev2_prfplus: T6 with 32 bytes ikev2_prfplus: T7 with 32 bytes ikev2_prfplus: Tn with 224 bytes ikev2_sa_keys: SK_d with 32 bytes ikev2_sa_keys: SK_ai with 32 bytes ikev2_sa_keys: SK_ar with 32 bytes ikev2_sa_keys: SK_ei with 32 bytes ikev2_sa_keys: SK_er with 32 bytes ikev2_sa_keys: SK_pi with 32 bytes ikev2_sa_keys: SK_pr with 32 bytes ikev2_msg_auth: initiator auth data length 574 ca_setauth: switching RSA_SIG to SIG ca_setauth: auth length 574 sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth config_free_proposals: free 0x14e6394e8380 ca_getreq: found CA /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=VPN CA/emailAddress=ad...@example.com ca_x509_subjectaltname: FQDN/bar.example.com ca_getreq: found local certificate /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=bar.example.com/emailAddress=ad...@example.com ca_setauth: auth length 272 ikev2_getimsgdata: imsg 19 rspi 0xc5a31acf4810170c ispi 0xf2ef7a9d4e3a31b3 initiator 1 sa valid type 
4 data length 1021 ikev2_dispatch_cert: cert type X509_CERT length 1021, ok sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth) sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth ikev2_getimsgdata: imsg 24 rspi 0xc5a31acf4810170c ispi 0xf2ef7a9d4e3a31b3 initiator 1 sa valid type 14 data length 272 ikev2_dispatch_cert: AUTH type 14 len 272 sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth) sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth ikev2_next_payload: length 23 nextpayload CERT ikev2_next_payload: length 1026 nextpayload CERTREQ ikev2_add_certreq: type X509_CERT length 21 ikev2_next_payload: length 25 nextpayload AUTH ikev2_next_payload: length 280 nextpayload SA pfkey_sa_getspi: spi 0x746f493b pfkey_sa_init: new spi 0x746f493b ikev2_add_proposals: length 80 ikev2_next_payload: length 84 nextpayload TSi ikev2_next_payload: length 24 nextpayload TSr ikev2_next_payload: length 24 nextpayload NONE ikev2_msg_encrypt: decrypted length 1486 ikev2_msg_encrypt: padded length 1488 ikev2_msg_encrypt: length 1487, padding 1, output length 1520 ikev2_next_payload: length 1524 nextpayload IDi ikev2_msg_integr: message length 1552 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1552 response 0 ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1524 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 1488 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 1488/1488 padding 1 ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 23 ikev2_pld_id: id FQDN/bar.example.com length 19 ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1026 ikev2_pld_cert: type X509_CERT length 1021 
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25 ikev2_pld_certreq: type X509_CERT length 20 ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280 ikev2_pld_auth: method SIG length 272 ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84 ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x746f493b ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255 ikev2_msg_send: IKE_AUTH request from 5.6.7.8:500 to 1.2.3.4:500 msgid 1, 1552 bytes ikev2_recv: IKE_AUTH response from responder 1.2.3.4:500 to 5.6.7.8:500 policy 'demo' id 1, 1488 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:500 local 5.6.7.8:500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange IKE_AUTH flags 
0x20 msgid 1 length 1488 response 1 ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1460 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 1424 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 1424/1424 padding 2 ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 23 ikev2_pld_id: id FQDN/foo.example.com length 19 ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1026 ikev2_pld_cert: type X509_CERT length 1021 ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280 ikev2_pld_auth: method SIG length 272 sa_state: SA_INIT -> AUTH_REQUEST ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44 ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x236518d7 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255 ikev2_msg_auth: responder auth data length 535 ikev2_msg_authverify: method SIG keylen 1021 type X509_CERT _dsa_verify_init: signature scheme 0 selected ikev2_msg_authverify: authentication successful sa_state: AUTH_REQUEST -> AUTH_SUCCESS sa_stateflags: 0x000d -> 0x001d cert,certreq,auth,authvalid (required 
0x0032 certvalid,authvalid,sa) ikev2_sa_negotiate: score 3 sa_stateflags: 0x001d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa) sa_stateok: VALID flags 0x0030, require 0x0032 certvalid,authvalid,sa sa_state: cannot switch: AUTH_SUCCESS -> VALID config_free_proposals: free 0x14e6c7922800 ca_validate_pubkey: could not open public key pubkeys/fqdn/foo.example.com ca_x509_subjectaltname: FQDN/foo.example.com ca_validate_cert: /C=US/ST=New York/L=New York City/O=Example Labs/OU=iked/CN=foo.example.com/emailAddress=ad...@example.com ok ikev2_dispatch_cert: peer certificate is valid sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa) sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa sa_state: AUTH_SUCCESS -> VALID sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa ikev2_sa_tag: (0) ikev2_childsa_negotiate: proposal 2 ikev2_childsa_negotiate: key material length 128 ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: Tn with 128 bytes pfkey_sa_add: add spi 0x236518d7 ikev2_childsa_enable: loaded CHILD SA spi 0x236518d7 pfkey_sa_add: update spi 0x746f493b ikev2_childsa_enable: loaded CHILD SA spi 0x746f493b ikev2_childsa_enable: loaded flow 0x14e66b02a000 ikev2_childsa_enable: loaded flow 0x14e67c77b400 sa_state: VALID -> ESTABLISHED from 1.2.3.4:500 to 5.6.7.8:500 policy 'demo'

... 1 minute passes, then CHILD SA rekey starts ...

ikev2_recv: CREATE_CHILD_SA request from responder 1.2.3.4:500 to 5.6.7.8:500 policy 'demo' id 0, 256 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:500 local 5.6.7.8:500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 0 length 256 response 0 ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 192 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 192/192 padding 11 ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 84 ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x6e014192 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4 ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96 ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36 ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type 
IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255 ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 12 ikev2_pld_notify: protoid ESP spisize 4 type REKEY_SA ikev2_pld_notify: rekey ESP spi 0x236518d7 ikev2_resp_create_child_sa: rekey ESP spi 0x236518d7 ikev2_sa_negotiate: score 3 sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa ikev2_sa_tag: (0) ikev2_childsa_negotiate: proposal 2 ikev2_childsa_negotiate: key material length 128 ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: Tn with 128 bytes pfkey_sa_getspi: spi 0x88ab44fd pfkey_sa_init: new spi 0x88ab44fd ikev2_add_proposals: length 40 ikev2_next_payload: length 44 nextpayload NONCE ikev2_next_payload: length 36 nextpayload TSi ikev2_next_payload: length 24 nextpayload TSr ikev2_next_payload: length 24 nextpayload NONE ikev2_msg_encrypt: decrypted length 128 ikev2_msg_encrypt: padded length 144 ikev2_msg_encrypt: length 129, padding 15, output length 176 ikev2_next_payload: length 180 nextpayload SA ikev2_msg_integr: message length 208 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 0 length 208 response 1 ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 180 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 144 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 144/144 padding 15 ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 44 ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x88ab44fd ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: 
attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36 ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.1.0.0 end 10.1.255.255 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 10.2.0.0 end 10.2.255.255 ikev2_msg_send: CREATE_CHILD_SA response from 5.6.7.8:500 to 1.2.3.4:500 msgid 0, 208 bytes pfkey_sa_add: update spi 0x88ab44fd ikev2_childsa_enable: loaded CHILD SA spi 0x88ab44fd pfkey_sa_add: add spi 0x6e014192 ikev2_childsa_enable: loaded CHILD SA spi 0x6e014192 config_free_proposals: free 0x14e68e6b2880 config_free_proposals: free 0x14e6394e8000 ikev2_recv: INFORMATIONAL request from responder 1.2.3.4:4500 to 5.6.7.8:4500 policy 'demo' id 1, 80 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:4500 local 5.6.7.8:4500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 response 0 ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 3 ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12 ikev2_pld_delete: proto ESP spisize 4 nspi 1 ikev2_pld_delete: spi 0x236518d7 ikev2_childsa_delete: deleted 
CHILD SA spi 0x236518d7 ikev2_childsa_delete: deleted CHILD SA spi 0x746f493b ikev2_pld_delete: deleted 1 spis ikev2_next_payload: length 12 nextpayload NONE ikev2_msg_encrypt: decrypted length 12 ikev2_msg_encrypt: padded length 16 ikev2_msg_encrypt: length 13, padding 3, output length 48 ikev2_next_payload: length 52 nextpayload DELETE ikev2_msg_integr: message length 80 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 1 length 80 response 1 ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 3 ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12 ikev2_pld_delete: proto ESP spisize 4 nspi 1 ikev2_pld_delete: spi 0x746f493b ikev2_msg_send: INFORMATIONAL response from 5.6.7.8:4500 to 1.2.3.4:4500 msgid 1, 80 bytes ikev2_resp_recv: NAT-T message received, updated SA ikev2_recv: INFORMATIONAL request from responder 1.2.3.4:4500 to 5.6.7.8:4500 policy 'demo' id 1, 80 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: INFORMATIONAL request from responder 1.2.3.4:4500 to 5.6.7.8:4500 policy 'demo' id 1, 80 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_init_ike_sa: "demo" is already active ikev2_recv: INFORMATIONAL request from responder 1.2.3.4:4500 to 5.6.7.8:4500 policy 'demo' id 2, 80 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:4500 local 5.6.7.8:4500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 2 length 80 response 0 ikev2_pld_payloads: payload 
SK nextpayload NONE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 11 ikev2_msg_encrypt: decrypted length 4 ikev2_msg_encrypt: padded length 16 ikev2_msg_encrypt: length 5, padding 11, output length 48 ikev2_next_payload: length 52 nextpayload NONE ikev2_msg_integr: message length 80 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 2 length 80 response 1 ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 11 ikev2_msg_send: INFORMATIONAL response from 5.6.7.8:4500 to 1.2.3.4:4500 msgid 2, 80 bytes, NAT-T pfkey_sa_last_used: last_used 1498100131 ikev2_ike_sa_alive: outgoing CHILD SA spi 0x6e014192 last used 0 second(s) ago ikev2_ike_sa_alive: sending alive check ikev2_msg_encrypt: decrypted length 4 ikev2_msg_encrypt: padded length 16 ikev2_msg_encrypt: length 5, padding 11, output length 48 ikev2_next_payload: length 52 nextpayload NONE ikev2_msg_integr: message length 80 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 80 response 0 ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 11 
ikev2_msg_send: INFORMATIONAL request from 5.6.7.8:4500 to 1.2.3.4:4500 msgid 2, 80 bytes, NAT-T ikev2_recv: INFORMATIONAL response from responder 1.2.3.4:4500 to 5.6.7.8:4500 policy 'demo' id 2, 80 bytes ikev2_recv: ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c ikev2_recv: updated SA to peer 1.2.3.4:4500 local 5.6.7.8:4500 ikev2_pld_parse: header ispi 0xf2ef7a9d4e3a31b3 rspi 0xc5a31acf4810170c nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 2 length 80 response 1 ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 11

-TimS

-- 
Tim Stewart
-----------
Mail: t...@stoo.org
Matrix: @tim:stoo.org
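An added example, not iked's code and not part of the post above, that replays the check behind Problem 1 with the NAT detection hash from RFC 7296 section 2.23 (SHA-1 over SPIi | SPIr | address | port) and the SPIs and addresses printed in the log. It assumes only that formula; the function names are this example's own.

```python
import hashlib
import ipaddress
import struct

# SPIs copied from the IKE_SA_INIT request in the debug log above. The
# responder SPI is still zero at that point, which is why the log prints
# "0xf2ef7a9d4e3a31b3 0x0000000000000000" next to the hashed address.
ISPI = 0xF2EF7A9D4E3A31B3
RSPI_INIT = 0x0000000000000000
IKE_PORT = 500

# Addresses from the report: static passive host and dynamic active host.
PASSIVE_IP = "1.2.3.4"
ACTIVE_IP = "5.6.7.8"


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """Notification data of NAT_DETECTION_SOURCE_IP / _DESTINATION_IP as
    defined in RFC 7296 section 2.23: SHA-1 over SPIi | SPIr | address | port,
    everything in network byte order (4-byte IPv4 or 16-byte IPv6 address)."""
    data = struct.pack("!QQ", spi_i, spi_r)
    data += ipaddress.ip_address(ip).packed
    data += struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def peer_behind_nat(received_source_hash: bytes, spi_i: int, spi_r: int,
                    wire_src_ip: str, wire_src_port: int) -> bool:
    """Receiver's check of the peer's NAT_DETECTION_SOURCE_IP: recompute the
    hash from the source address and port actually seen on the packet. A
    mismatch is read as "the peer is behind a NAT", although it equally
    results from the peer hashing an address it never sent from."""
    expected = nat_detection_hash(spi_i, spi_r, wire_src_ip, wire_src_port)
    return received_source_hash != expected


def self_behind_nat(received_destination_hash: bytes, spi_i: int, spi_r: int,
                    local_ip: str, local_port: int) -> bool:
    """Receiver's check of the peer's NAT_DETECTION_DESTINATION_IP against
    the address and port the packet was received on; a mismatch means our
    own address was rewritten on the way in."""
    expected = nat_detection_hash(spi_i, spi_r, local_ip, local_port)
    return received_destination_hash != expected


def problem1_scenario(local_configured: bool) -> dict:
    """Replay Problem 1 from the report (constructed from the logged values,
    no packets involved). The initiator hashes 0.0.0.0:500 as its source
    unless "local 5.6.7.8" is in the config; there is no NAT on the path, so
    the responder sees the request arrive from 5.6.7.8:500."""
    claimed_src = ACTIVE_IP if local_configured else "0.0.0.0"
    # What the initiator puts in its two notifications.
    src_notify = nat_detection_hash(ISPI, RSPI_INIT, claimed_src, IKE_PORT)
    dst_notify = nat_detection_hash(ISPI, RSPI_INIT, PASSIVE_IP, IKE_PORT)
    # What the responder concludes from the packet it actually received.
    return {
        "initiator_behind_nat": peer_behind_nat(src_notify, ISPI, RSPI_INIT,
                                                ACTIVE_IP, IKE_PORT),
        "responder_behind_nat": self_behind_nat(dst_notify, ISPI, RSPI_INIT,
                                                PASSIVE_IP, IKE_PORT),
    }


if __name__ == "__main__":
    for configured in (False, True):
        print("local configured:", configured, problem1_scenario(configured))
```

Without "local", the source hash can never match what the passive host recomputes, so it concludes the active host is behind a NAT and the exchange moves to port 4500, as the later log lines show.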