On Wed, Mar 23, 2022 at 02:10:03PM +0100, Tobias Heider wrote:
>On Mon, Mar 21, 2022 at 01:04:28PM -0500, rea...@catastrophe.net wrote:
>> I have two openbsd machines configured to connect their respective
>> downstream networks over ipsec. When I try to generate traffic (ping)
>> from server-west's enc0 interface (10.255.255.1) to server-east's enc0
>> interface (10.254.255.1), traffic is sent out the corresponding
>> SA but is never seen on server-east's enc0 interface. Only when I
>> simultaneously generate traffic (ping, again) on server-east back to 
>> server-west do I see the echo replies from server-east on server-west.
>> 
>I don't fully understand your setup but having both 10.255.255.0/24 to
>10.254.255.0/24 and 10.254.255.0/24 to 10.255.255.0/24 configured on both
>sides does not make sense to me.

Good point, I've cleaned the configs up and just created the statements
necessary following your configs here, with one addition on each side (so
the servers can ping each other over the tunnel without using their
respective enc0 interfaces as a source).

>Assuming 10.255.255.0/24 is reachable via server-west and 10.254.255.0/24 via
>server-east the configs should probably be:
>
>server-west:/etc/iked.conf
>-------------------------
>ikev2 'server-east.example.com' passive esp \
>        from 10.255.255.0/24 to 10.254.255.0/24 \
>        from 203.0.113.50/32 to 10.254.255.0/24 \
        +from 203.0.113.50/32 to 100.64.1.92/32 \
>        local 203.0.113.50 peer server-east.example.com \
>        srcid server-west.example.com \
>        dstid server-east.example.com \
>        psk "12345" \
>        tag "VPN.EAST"
>
>server-east:/etc/iked.conf
>-------------------------
>ikev2 'server-west.example.com' active esp \
>        from 10.254.255.0/24 to 10.255.255.0/24 \
>        from 100.64.1.92/32 to 10.255.255.0/24 \
        +from 100.64.1.92/32 to 203.0.113.50/32 \
>        local 100.64.1.92 peer server-west.example.com \
>        srcid server-east.example.com \
>        dstid server-west.example.com \
>        psk "12345" \
>        tag "VPN.WEST"
>

The general diagram of what this looks like is:

em0:203.0.113.50 -~-~- ipsec tunnel -~-~-~- vio0:100.64.1.92
 | SERVER-WEST |                             | SERVER-EAST |
enc0:10.255.255.1/24                        enc0:10.254.255.1/24

Trying to generate traffic from the physical interfaces on either server
(em0 or vio) fails towards either the remote physical interface or the
remote enc0 interface. I've included flows and `iked -dvvv` at the bottom.


Ping from enc0 on server-west to enc0 on server-east. Works as expected.

server-west# ping -I 10.255.255.1 10.254.255.1
PING 10.254.255.1 (10.254.255.1): 56 data bytes
64 bytes from 10.254.255.1: icmp_seq=0 ttl=255 time=46.493 ms
64 bytes from 10.254.255.1: icmp_seq=1 ttl=255 time=46.439 ms
64 bytes from 10.254.255.1: icmp_seq=2 ttl=255 time=46.222 ms
^C
--- 10.254.255.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 46.222/46.385/46.493/0.117 ms


Now try pinging from em0 on server-west to the remote side with no success.

server-west# ifconfig em0 |grep 174.136.105
    inet 203.0.113.50 netmask 0xfffffffc broadcast 174.136.105.51

server-west# ping -I 203.0.113.50 10.254.255.1
PING 10.254.255.1 (10.254.255.1): 56 data bytes
^C
--- 10.254.255.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


Shouldn't this be covered by the following flow?
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded flows: ESP-10.254.255.0/24=10.255.255.0/24(0), ESP-100.64.1.92/32=10.255.255.0/24(0), ESP-100.64.1.92/32=203.0.113.50/32(0)
spi=0x3a561aeb30f190ce: sa_state: VALID -> ESTABLISHED from 203.0.113.50:500 to 100.64.1.92:500 policy 'server-west.example.com'


Same problem on server-east.... ping server-west enc0 with traffic sourcing 
from server-east enc0

server-east# ping -I 10.254.255.1 10.255.255.1
PING 10.255.255.1 (10.255.255.1): 56 data bytes
64 bytes from 10.255.255.1: icmp_seq=0 ttl=255 time=46.407 ms
64 bytes from 10.255.255.1: icmp_seq=1 ttl=255 time=46.360 ms
64 bytes from 10.255.255.1: icmp_seq=2 ttl=255 time=46.361 ms
^C
--- 10.255.255.1 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 46.360/46.376/46.407/0.022 ms


Now try and ping from server-east vio0 to the remote side. This fails.

server-east# ifconfig vio0 |grep 45.76.227
        inet 100.64.1.92 netmask 0xfffffe00 broadcast 45.76.227.255

server-east# ping -I 100.64.1.92 10.255.255.1
PING 10.255.255.1 (10.255.255.1): 56 data bytes
^C
--- 10.255.255.1 ping statistics ---
7 packets transmitted, 0 packets received, 100.0% packet loss


FLOWS
=====

server-west# ipsecctl -sa        
FLOWS:
flow esp in from 10.254.255.0/24 to 10.255.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 10.254.255.0/24 to 203.0.113.50 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp in from 100.64.1.92 to 203.0.113.50 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 10.255.255.0/24 to 10.254.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 10.254.255.0/24 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require
flow esp out from 203.0.113.50 to 100.64.1.92 peer 100.64.1.92 srcid FQDN/server-west.example.com dstid FQDN/server-east.example.com type require

SAD:
esp tunnel from 100.64.1.92 to 203.0.113.50 spi 0x3d86fc1b enc aes-256-gcm
esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x3da1b697 enc aes-256-gcm

server-east# ipsecctl -sa
FLOWS:
flow esp in from 10.255.255.0/24 to 10.254.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp in from 10.255.255.0/24 to 100.64.1.92 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp in from 203.0.113.50 to 100.64.1.92 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 10.254.255.0/24 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 100.64.1.92 to 10.255.255.0/24 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require
flow esp out from 100.64.1.92 to 203.0.113.50 peer 203.0.113.50 srcid FQDN/server-east.example.com dstid FQDN/server-west.example.com type require

SAD:
esp tunnel from 100.64.1.92 to 203.0.113.50 spi 0x3d86fc1b enc aes-256-gcm
esp tunnel from 203.0.113.50 to 100.64.1.92 spi 0x3da1b697 enc aes-256-gcm

DEBUG OUTPUT
============

server-west# iked -dvvv
create_ike: using unknown for peer server-west.example.com
ikev2 "server-west.example.com" active tunnel esp inet from 10.254.255.0/24 to 
10.255.255.0/24 from 100.64.1.92/32 to 10.255.255.0/24 from 100.64.1.92/32 to 
203.0.113.50/32 local 100.64.1.92 peer 203.0.113.50 ikesa enc aes-256-gcm-12 
prf hmac-sha2-512 group ecp521 childsa enc aes-256-gcm group ecp521 esn noesn 
srcid server-east.example.com dstid server-west.example.com lifetime 14400 
bytes 4294967296 psk 
0x4935535056446657336c2f4643625779364c7075414b764f526a4146545a763332562b79787058657a78454e314d6b34737a6c53434b3863522f3564686b68486443534369445145694d6a756b6f646153654f594c766755427479664c495550
 tag "VPN.LAX"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1191
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "server-west.example.com"
ikev2_policy2id: srcid FQDN/server-east.example.com length 23
ikev2_add_proposals: length 36
ikev2_next_payload: length 40 nextpayload KE
ikev2_next_payload: length 140 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x3a561aeb30f190ce 0x0000000000000000 
100.64.1.92:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x3a561aeb30f190ce 0x0000000000000000 
203.0.113.50:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 314 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 
xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
2a97404b 424ab80c 8d948323 3c95d486 40271357 79864902 6076a139 e4f44f12
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ffe3f869 54342422 cb6d4d65 84aba7aa 4ac4d04c
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
5ece1a6e c0a15a60 404e006c d15c7320 a04a7053
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0x3a561aeb30f190ce: send IKE_SA_INIT req 0 peer 203.0.113.50:500 local 
100.64.1.92:500, 314 bytes
spi=0x3a561aeb30f190ce: sa_state: INIT -> SA_INIT
spi=0x3a561aeb30f190ce: recv IKE_SA_INIT res 0 peer 203.0.113.50:500 local 
100.64.1.92:500, 314 bytes, policy 'server-west.example.com'
ikev2_recv: ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237
ikev2_recv: updated SA to peer 203.0.113.50:500 local 100.64.1.92:500
ikev2_policy2id: srcid FQDN/server-east.example.com length 23
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 314 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 
xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
12040420 75911c4f 8c44c64a 5924a403 27bd0651 32ea5ef6 6b462407 9b8bb242
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
e60c8e8c b474e69e 518a73c8 78f69e62 1e2c1ac3
ikev2_nat_detection: peer source 0x3a561aeb30f190ce 0x852ee1663e8d7237 
203.0.113.50:500
e60c8e8c b474e69e 518a73c8 78f69e62 1e2c1ac3
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
09ed9115 7d93e1d4 677aacfd b7785fda c0106fb4
ikev2_nat_detection: peer destination 0x3a561aeb30f190ce 0x852ee1663e8d7237 
100.64.1.92:500
09ed9115 7d93e1d4 677aacfd b7785fda c0106fb4
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_12 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_512 (keylength 0 <-> 512)
proposals_match: xform 1 <-> 1 (1): DH ECP_521 (keylength 0 <-> 0)
proposals_negotiate: score 3
proposals_negotiate: score 1: ENCR AES_GCM_12 256
proposals_negotiate: score 1: PRF HMAC_SHA2_512
proposals_negotiate: score 1: DH ECP_521
sa_stateok: SA_INIT flags 0x0000, require 0x0008 auth
spi=0x3a561aeb30f190ce: ikev2_sa_keys: DHSECRET with 66 bytes
00769c28 880c31cb ac39b75d 24a6a509 4c125e38 6a524680 46828fca f839de68
80b143af 7a8a49cc 151442e6 5f23be7f 96a54a03 49657eb9 e2860c05 3e130703
6f72
ikev2_sa_keys: SKEYSEED with 64 bytes
f498a53d 00ab62a4 6c60cd6f 9bdcb5fe 793cbb91 d3c480ae 900d5b65 d4ea4560
aa68331d 632dff7e c3c004ac 821e3ec7 c77776e4 357fb552 65d27d28 be332f8b
spi=0x3a561aeb30f190ce: ikev2_sa_keys: S with 80 bytes
2a97404b 424ab80c 8d948323 3c95d486 40271357 79864902 6076a139 e4f44f12
12040420 75911c4f 8c44c64a 5924a403 27bd0651 32ea5ef6 6b462407 9b8bb242
3a561aeb 30f190ce 852ee166 3e8d7237
ikev2_prfplus: T1 with 64 bytes
33d92a86 6082e115 67531ea0 9199cc0a 7164337d baec919e e3aaa8b6 e0437fba
62a1f3fb 3104ed5c 0ddc8ffb 145b2807 7ee82025 15248d19 6168d8e9 05ac937b
ikev2_prfplus: T2 with 64 bytes
cdd2a40b ff798288 1cd16200 ad0b2241 15057edd d59778a4 911f6734 59ca7ae1
329b10d9 1677ae17 84e9fc8d 48e79e7c 31ea32f8 e7e20f1f 44aa3ac0 ea3c2146
ikev2_prfplus: T3 with 64 bytes
fe0fcfa2 9c50b5a8 e5d2afba be00ee54 a2cb69dd fdd968b9 f5d5fed4 5bfcc884
0402ac13 4b991d3f 773eef1a d9e36c2e 258ecf7d c909f737 3e9f0ea8 f0c48179
ikev2_prfplus: T4 with 64 bytes
e98728b9 c9852673 f27fcf73 d8d0bc3e 0f030db0 19ed7fff a1ae92e0 403b7443
8e65d9e2 08b01bc7 5e09bc08 0c8e7b67 7b911e5c 74fb6f04 a06cf185 78d94618
ikev2_prfplus: T5 with 64 bytes
4a4523fd 7eade290 2735addd 2ccd62e5 5951fd9f fb99487b 6368298c 520dd21d
6cb273d5 7e5bb87c 7a990bc7 325d61b8 a22036ff db1ffcf0 8287eb90 58ca1185
ikev2_prfplus: Tn with 320 bytes
ikev2_sa_keys: SK_d with 64 bytes
33d92a86 6082e115 67531ea0 9199cc0a 7164337d baec919e e3aaa8b6 e0437fba
62a1f3fb 3104ed5c 0ddc8ffb 145b2807 7ee82025 15248d19 6168d8e9 05ac937b
ikev2_sa_keys: SK_ei with 36 bytes
cdd2a40b ff798288 1cd16200 ad0b2241 15057edd d59778a4 911f6734 59ca7ae1
329b10d9
ikev2_sa_keys: SK_er with 36 bytes
1677ae17 84e9fc8d 48e79e7c 31ea32f8 e7e20f1f 44aa3ac0 ea3c2146 fe0fcfa2
9c50b5a8
ikev2_sa_keys: SK_pi with 64 bytes
e5d2afba be00ee54 a2cb69dd fdd968b9 f5d5fed4 5bfcc884 0402ac13 4b991d3f
773eef1a d9e36c2e 258ecf7d c909f737 3e9f0ea8 f0c48179 e98728b9 c9852673
ikev2_sa_keys: SK_pr with 64 bytes
f27fcf73 d8d0bc3e 0f030db0 19ed7fff a1ae92e0 403b7443 8e65d9e2 08b01bc7
5e09bc08 0c8e7b67 7b911e5c 74fb6f04 a06cf185 78d94618 4a4523fd 7eade290
ikev2_msg_auth: initiator auth data length 410
sa_stateok: SA_INIT flags 0x0008, require 0x0008 auth
ikev2_next_payload: length 27 nextpayload AUTH
spi=0x3a561aeb30f190ce: ikev2_cp_request_configured: no
ikev2_next_payload: length 72 nextpayload SA
pfkey_sa_getspi: spi 0x3da1b697
pfkey_sa_init: new spi 0x3da1b697
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 248 nextpayload IDi
ikev2_msg_encrypt: decrypted length 223
ikev2_msg_encrypt: padded length 224
ikev2_msg_encrypt: length 224, padding 0, output length 244
ikev2_msg_integr: message length 276
ikev2_msg_integr: integrity checksum length 12
ccc7fdc8 63510a1b bd7095e1
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 276 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 248
ikev2_msg_decrypt: IV length 8
00000000 00000000
ikev2_msg_decrypt: encrypted payload length 224
ikev2_msg_decrypt: integrity checksum length 12
ccc7fdc8 63510a1b bd7095e1
ikev2_msg_decrypt: AAD length 32
3a561aeb 30f190ce 852ee166 3e8d7237 2e202308 00000001 00000114 230000f8
ikev2_msg_decrypt: decrypted payload length 224/224 padding 0
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 
27
ikev2_pld_id: id FQDN/server-east.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
32b161d1 35eb25d3 0bff32fe 97a5ba03 d10a785a f938f303 f6470ef0 979e500f
f05907ed 6a9cfd5f 8cec921e 45fea3e7 8b37cfef 9fcbc467 7181e5ce 1ada9afa
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
xforms 3 spi 0x3da1b697
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.254.255.0 end 10.254.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 100.64.1.92 end 100.64.1.92
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.255.255.0 end 10.255.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 203.0.113.50 end 203.0.113.50
spi=0x3a561aeb30f190ce: send IKE_AUTH req 1 peer 203.0.113.50:500 local 
100.64.1.92:500, 276 bytes
config_free_proposals: free 0xa079388a580
spi=0x3a561aeb30f190ce: recv IKE_AUTH res 1 peer 203.0.113.50:500 local 
100.64.1.92:500, 268 bytes, policy 'server-west.example.com'
ikev2_recv: ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237
ikev2_recv: updated SA to peer 203.0.113.50:500 local 100.64.1.92:500
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 268 
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 240
ikev2_msg_decrypt: IV length 8
00000000 00000000
ikev2_msg_decrypt: encrypted payload length 216
ikev2_msg_decrypt: integrity checksum length 12
fbf3825c d85aac02 8a1e45fd
ikev2_msg_decrypt: AAD length 32
3a561aeb 30f190ce 852ee166 3e8d7237 2e202320 00000001 0000010c 240000f0
ikev2_msg_decrypt: decrypted payload length 216/216 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 
27
ikev2_pld_id: id FQDN/server-west.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
e8d88d33 ab9fda8a 523dc334 c23432c0 a992bc6e b7716ece 959db375 94591f42
b1742f23 252f4084 4ab3dd83 12c42ff9 7e3f2831 4d43a3db 3c67a837 43650d26
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 
xforms 2 spi 0x3d86fc1b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.254.255.0 end 10.254.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 100.64.1.92 end 100.64.1.92
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.255.255.0 end 10.255.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 203.0.113.50 end 203.0.113.50
spi=0x3a561aeb30f190ce: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid 'server-west.example.com'
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_12 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_512 (keylength 512 <-> 512)
proposals_match: xform 1 <-> 1 (1): DH ECP_521 (keylength 0 <-> 0)
proposals_negotiate: score 3
policy_lookup: setting policy 'server-west.example.com'
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_16 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): ESN ESN (keylength 0 <-> 0)
proposals_negotiate: score 2
proposals_negotiate: score 1: ENCR AES_GCM_16 256
proposals_negotiate: score 1: ESN ESN
sa_stateflags: 0x0008 -> 0x0028 auth,sa (required 0x0030 authvalid,sa)
ikev2_msg_auth: responder auth data length 410
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 64 type NONE
ikev2_msg_authverify: authentication successful
spi=0x3a561aeb30f190ce: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0030 authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
spi=0x3a561aeb30f190ce: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
sa_stateok: VALID flags 0x0030, require 0x0030 authvalid,sa
ikev2_sa_tag: VPN.LAX (7)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 72
ikev2_prfplus: T1 with 64 bytes
1fafce8e bba3d969 8672901e b2ada10f 592f8912 10d398b0 8cd1d283 e0fd7b7c
e2c92882 f38f316e a3ca2846 29f63d8b 76862910 8e013579 d2ba2b09 830292ab
ikev2_prfplus: T2 with 64 bytes
13f3e388 0b300837 40cc40cb 36d1c22f 8146b517 24294cb2 c550e438 88f8b011
3ffa2ffc 8994262b 14ae76df d36c642f a71347ca 7e152ae4 ebc657d4 74346f86
ikev2_prfplus: Tn with 128 bytes
1fafce8e bba3d969 8672901e b2ada10f 592f8912 10d398b0 8cd1d283 e0fd7b7c
e2c92882 f38f316e a3ca2846 29f63d8b 76862910 8e013579 d2ba2b09 830292ab
13f3e388 0b300837 40cc40cb 36d1c22f 8146b517 24294cb2 c550e438 88f8b011
3ffa2ffc 8994262b 14ae76df d36c642f a71347ca 7e152ae4 ebc657d4 74346f86
pfkey_sa_add: add spi 0x3d86fc1b
ikev2_childsa_enable: loaded CHILD SA spi 0x3d86fc1b
pfkey_sa_add: update spi 0x3da1b697
ikev2_childsa_enable: loaded CHILD SA spi 0x3da1b697
ikev2_childsa_enable: loaded flow 0xa0793887400
ikev2_childsa_enable: loaded flow 0xa07938a5000
ikev2_childsa_enable: loaded flow 0xa0793883400
ikev2_childsa_enable: loaded flow 0xa0793883c00
ikev2_childsa_enable: loaded flow 0xa07938aa800
ikev2_childsa_enable: loaded flow 0xa07938b4c00
ikev2_childsa_enable: remember SA peer 203.0.113.50:500
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded SPIs: 0x3d86fc1b, 
0x3da1b697 (enc aes-256-gcm esn)
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded flows: 
ESP-10.254.255.0/24=10.255.255.0/24(0), ESP-100.64.1.92/32=10.255.255.0/24(0), 
ESP-100.64.1.92/32=203.0.113.50/32(0)
spi=0x3a561aeb30f190ce: sa_state: VALID -> ESTABLISHED from 203.0.113.50:500 to 
100.64.1.92:500 policy 'server-west.example.com'
spi=0x3a561aeb30f190ce: established peer 
203.0.113.50:500[FQDN/server-west.example.com] local 
100.64.1.92:500[FQDN/server-east.example.com] policy 'server-west.example.com' 
as initiator (enc aes-256-gcm-12 group ecp521 prf hmac-sha2-512)
config_free_proposals: free 0xa079388a900
ikev2_init_ike_sa: "server-west.example.com" is already active
pfkey_sa_lookup: last_used 1648051540
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x3d86fc1b last used 38 second(s) ago
pfkey_sa_lookup: last_used 1648051540
ikev2_ike_sa_alive: incoming CHILD SA spi 0x3da1b697 last used 38 second(s) ago
config_doreset: flushing policies
config_doreset: flushing SAs
config_free_proposals: free 0xa07938a4900
config_free_proposals: free 0xa07938b1180
config_free_childsas: free 0xa07938ae500
config_free_childsas: free 0xa07938b8900
sa_free_flows: free 0xa0793887400
sa_free_flows: free 0xa07938a5000
sa_free_flows: free 0xa0793883400
sa_free_flows: free 0xa0793883c00
sa_free_flows: free 0xa07938aa800
sa_free_flows: free 0xa07938b4c00
config_free_proposals: free 0xa0793898280
config_free_proposals: free 0xa07938a4400
config_free_flows: free 0xa0793887c00
config_free_flows: free 0xa07938be400
config_free_flows: free 0xa07938a5c00
config_doreset: flushing users
ca exiting, pid 20129
control exiting, pid 87255
ikev2 exiting, pid 87101
parent terminating


server-east# iked -dvvv
create_ike: using unknown for peer server-east.example.com
ikev2 "server-east.example.com" passive tunnel esp inet from 10.255.255.0/24 to 
10.254.255.0/24 from 203.0.113.50/32 to 10.254.255.0/24 from 203.0.113.50/32 to 
100.64.1.92/32 local 203.0.113.50 peer 100.64.1.92 ikesa enc aes-256-gcm-12 prf 
hmac-sha2-512 group ecp521 childsa enc aes-256-gcm group ecp521 esn noesn srcid 
server-west.example.com dstid server-east.example.com lifetime 14400 bytes 
4294967296 psk 
0x4935535056446657336c2f4643625779364c7075414b764f526a4146545a763332562b79787058657a78454e314d6b34737a6c53434b3863522f3564686b68486443534369445145694d6a756b6f646153654f594c766755427479664c495550
 tag "VPN.ORD"
/etc/iked.conf: loaded 1 configuration rules
ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ca_privkey_to_method: type RSA_KEY method RSA_SIG
ca_getkey: received private key type RSA_KEY length 1192
ca_getkey: received public key type RSA_KEY length 270
ca_dispatch_parent: config reset
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
config_getstatic: dpd_check_interval 60
config_getstatic: no enforcesingleikesa
config_getstatic: no fragmentation
config_getstatic: mobike
config_getstatic: nattport 4500
config_getstatic: no stickyaddress
ca_reload: loaded cert file server-west.example.com.crt
ca_validate_cert: 
/C=US/ST=Oregon/L=Anywhere/O=example.com/OU=FOOBAR/CN=server-west.example.com/emailAddress=r...@example.com
 unable to get local issuer certificate
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none tolerate 0 maxage -1
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
policy_lookup: setting policy 'server-east.example.com'
spi=0x3a561aeb30f190ce: recv IKE_SA_INIT req 0 peer 100.64.1.92:500 local 
203.0.113.50:500, 314 bytes, policy 'server-east.example.com'
ikev2_recv: ispi 0x3a561aeb30f190ce rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/server-west.example.com length 23
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x0000000000000000 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 314 
response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 
xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
2a97404b 424ab80c 8d948323 3c95d486 40271357 79864902 6076a139 e4f44f12
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ffe3f869 54342422 cb6d4d65 84aba7aa 4ac4d04c
ikev2_nat_detection: peer source 0x3a561aeb30f190ce 0x0000000000000000 
100.64.1.92:500
ffe3f869 54342422 cb6d4d65 84aba7aa 4ac4d04c
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
5ece1a6e c0a15a60 404e006c d15c7320 a04a7053
ikev2_nat_detection: peer destination 0x3a561aeb30f190ce 0x0000000000000000 
203.0.113.50:500
5ece1a6e c0a15a60 404e006c d15c7320 a04a7053
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_12 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): DH ECP_521 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_512 (keylength 0 <-> 512)
proposals_negotiate: score 3
policy_lookup: setting policy 'server-east.example.com'
spi=0x3a561aeb30f190ce: sa_state: INIT -> SA_INIT
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_12 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): DH ECP_521 (keylength 0 <-> 0)
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_512 (keylength 0 <-> 512)
proposals_negotiate: score 3
proposals_negotiate: score 1: ENCR AES_GCM_12 256
proposals_negotiate: score 1: PRF HMAC_SHA2_512
proposals_negotiate: score 1: DH ECP_521
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
spi=0x3a561aeb30f190ce: ikev2_sa_keys: DHSECRET with 66 bytes
00769c28 880c31cb ac39b75d 24a6a509 4c125e38 6a524680 46828fca f839de68
80b143af 7a8a49cc 151442e6 5f23be7f 96a54a03 49657eb9 e2860c05 3e130703
6f72
ikev2_sa_keys: SKEYSEED with 64 bytes
f498a53d 00ab62a4 6c60cd6f 9bdcb5fe 793cbb91 d3c480ae 900d5b65 d4ea4560
aa68331d 632dff7e c3c004ac 821e3ec7 c77776e4 357fb552 65d27d28 be332f8b
spi=0x3a561aeb30f190ce: ikev2_sa_keys: S with 80 bytes
2a97404b 424ab80c 8d948323 3c95d486 40271357 79864902 6076a139 e4f44f12
12040420 75911c4f 8c44c64a 5924a403 27bd0651 32ea5ef6 6b462407 9b8bb242
3a561aeb 30f190ce 852ee166 3e8d7237
ikev2_prfplus: T1 with 64 bytes
33d92a86 6082e115 67531ea0 9199cc0a 7164337d baec919e e3aaa8b6 e0437fba
62a1f3fb 3104ed5c 0ddc8ffb 145b2807 7ee82025 15248d19 6168d8e9 05ac937b
ikev2_prfplus: T2 with 64 bytes
cdd2a40b ff798288 1cd16200 ad0b2241 15057edd d59778a4 911f6734 59ca7ae1
329b10d9 1677ae17 84e9fc8d 48e79e7c 31ea32f8 e7e20f1f 44aa3ac0 ea3c2146
ikev2_prfplus: T3 with 64 bytes
fe0fcfa2 9c50b5a8 e5d2afba be00ee54 a2cb69dd fdd968b9 f5d5fed4 5bfcc884
0402ac13 4b991d3f 773eef1a d9e36c2e 258ecf7d c909f737 3e9f0ea8 f0c48179
ikev2_prfplus: T4 with 64 bytes
e98728b9 c9852673 f27fcf73 d8d0bc3e 0f030db0 19ed7fff a1ae92e0 403b7443
8e65d9e2 08b01bc7 5e09bc08 0c8e7b67 7b911e5c 74fb6f04 a06cf185 78d94618
ikev2_prfplus: T5 with 64 bytes
4a4523fd 7eade290 2735addd 2ccd62e5 5951fd9f fb99487b 6368298c 520dd21d
6cb273d5 7e5bb87c 7a990bc7 325d61b8 a22036ff db1ffcf0 8287eb90 58ca1185
ikev2_prfplus: Tn with 320 bytes
ikev2_sa_keys: SK_d with 64 bytes
33d92a86 6082e115 67531ea0 9199cc0a 7164337d baec919e e3aaa8b6 e0437fba
62a1f3fb 3104ed5c 0ddc8ffb 145b2807 7ee82025 15248d19 6168d8e9 05ac937b
ikev2_sa_keys: SK_ei with 36 bytes
cdd2a40b ff798288 1cd16200 ad0b2241 15057edd d59778a4 911f6734 59ca7ae1
329b10d9
ikev2_sa_keys: SK_er with 36 bytes
1677ae17 84e9fc8d 48e79e7c 31ea32f8 e7e20f1f 44aa3ac0 ea3c2146 fe0fcfa2
9c50b5a8
ikev2_sa_keys: SK_pi with 64 bytes
e5d2afba be00ee54 a2cb69dd fdd968b9 f5d5fed4 5bfcc884 0402ac13 4b991d3f
773eef1a d9e36c2e 258ecf7d c909f737 3e9f0ea8 f0c48179 e98728b9 c9852673
ikev2_sa_keys: SK_pr with 64 bytes
f27fcf73 d8d0bc3e 0f030db0 19ed7fff a1ae92e0 403b7443 8e65d9e2 08b01bc7
5e09bc08 0c8e7b67 7b911e5c 74fb6f04 a06cf185 78d94618 4a4523fd 7eade290
ikev2_add_proposals: length 36
ikev2_next_payload: length 40 nextpayload KE
ikev2_next_payload: length 140 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x3a561aeb30f190ce 0x852ee1663e8d7237 
203.0.113.50:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x3a561aeb30f190ce 0x852ee1663e8d7237 
100.64.1.92:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 314 
response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 
xforms 3 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_521
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 140
ikev2_pld_ke: dh group ECP_521 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
12040420 75911c4f 8c44c64a 5924a403 27bd0651 32ea5ef6 6b462407 9b8bb242
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
e60c8e8c b474e69e 518a73c8 78f69e62 1e2c1ac3
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
09ed9115 7d93e1d4 677aacfd b7785fda c0106fb4
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
00020003 0004
spi=0x3a561aeb30f190ce: send IKE_SA_INIT res 0 peer 100.64.1.92:500 local 
203.0.113.50:500, 314 bytes
config_free_proposals: free 0xfc0b3ff600
spi=0x3a561aeb30f190ce: recv IKE_AUTH req 1 peer 100.64.1.92:500 local 
203.0.113.50:500, 276 bytes, policy 'server-east.example.com'
ikev2_recv: ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237
ikev2_recv: updated SA to peer 100.64.1.92:500 local 203.0.113.50:500
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 276 
response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 248
ikev2_msg_decrypt: IV length 8
00000000 00000000
ikev2_msg_decrypt: encrypted payload length 224
ikev2_msg_decrypt: integrity checksum length 12
ccc7fdc8 63510a1b bd7095e1
ikev2_msg_decrypt: AAD length 32
3a561aeb 30f190ce 852ee166 3e8d7237 2e202308 00000001 00000114 230000f8
ikev2_msg_decrypt: decrypted payload length 224/224 padding 0
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 
27
ikev2_pld_id: id FQDN/server-east.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
32b161d1 35eb25d3 0bff32fe 97a5ba03 d10a785a f938f303 f6470ef0 979e500f
f05907ed 6a9cfd5f 8cec921e 45fea3e7 8b37cfef 9fcbc467 7181e5ce 1ada9afa
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 
xforms 3 spi 0x3da1b697
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.254.255.0 end 10.254.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 100.64.1.92 end 100.64.1.92
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.255.255.0 end 10.255.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 203.0.113.50 end 203.0.113.50
sa_stateok: SA_INIT flags 0x0000, require 0x0000 
spi=0x3a561aeb30f190ce: sa_state: SA_INIT -> AUTH_REQUEST
policy_lookup: peerid 'server-east.example.com'
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_12 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): PRF HMAC_SHA2_512 (keylength 512 <-> 512)
proposals_match: xform 1 <-> 1 (1): DH ECP_521 (keylength 0 <-> 0)
proposals_negotiate: score 3
policy_lookup: setting policy 'server-east.example.com'
ikev2_msg_auth: responder auth data length 410
proposals_match: xform 1 <-> 1 (1): ENCR AES_GCM_16 (keylength 256 <-> 256) 256
proposals_match: xform 1 <-> 1 (1): ESN ESN (keylength 0 <-> 0)
proposals_negotiate: score 2
proposals_negotiate: score 1: ENCR AES_GCM_16 256
proposals_negotiate: score 1: ESN ESN
sa_stateflags: 0x0028 -> 0x0028 auth,sa (required 0x0038 auth,authvalid,sa)
ikev2_msg_auth: initiator auth data length 410
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 64 type NONE
ikev2_msg_authverify: authentication successful
spi=0x3a561aeb30f190ce: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0028 -> 0x0038 auth,authvalid,sa (required 0x0038 
auth,authvalid,sa)
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
spi=0x3a561aeb30f190ce: sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
sa_stateok: VALID flags 0x0038, require 0x0038 auth,authvalid,sa
ikev2_sa_tag: VPN.ORD (7)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 72
ikev2_prfplus: T1 with 64 bytes
1fafce8e bba3d969 8672901e b2ada10f 592f8912 10d398b0 8cd1d283 e0fd7b7c
e2c92882 f38f316e a3ca2846 29f63d8b 76862910 8e013579 d2ba2b09 830292ab
ikev2_prfplus: T2 with 64 bytes
13f3e388 0b300837 40cc40cb 36d1c22f 8146b517 24294cb2 c550e438 88f8b011
3ffa2ffc 8994262b 14ae76df d36c642f a71347ca 7e152ae4 ebc657d4 74346f86
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x3d86fc1b
pfkey_sa_init: new spi 0x3d86fc1b
ikev2_next_payload: length 27 nextpayload AUTH
ikev2_next_payload: length 72 nextpayload SA
ikev2_add_proposals: length 32
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 40 nextpayload TSr
ikev2_next_payload: length 40 nextpayload NONE
ikev2_next_payload: length 240 nextpayload IDr
ikev2_msg_encrypt: decrypted length 215
ikev2_msg_encrypt: padded length 216
ikev2_msg_encrypt: length 216, padding 0, output length 236
ikev2_msg_integr: message length 268
ikev2_msg_integr: integrity checksum length 12
fbf3825c d85aac02 8a1e45fd
ikev2_pld_parse: header ispi 0x3a561aeb30f190ce rspi 0x852ee1663e8d7237 
nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 268 
response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 240
ikev2_msg_decrypt: IV length 8
00000000 00000000
ikev2_msg_decrypt: encrypted payload length 216
ikev2_msg_decrypt: integrity checksum length 12
fbf3825c d85aac02 8a1e45fd
ikev2_msg_decrypt: AAD length 32
3a561aeb 30f190ce 852ee166 3e8d7237 2e202320 00000001 0000010c 240000f0
ikev2_msg_decrypt: decrypted payload length 216/216 padding 0
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 
27
ikev2_pld_id: id FQDN/server-west.example.com length 23
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 
72
ikev2_pld_auth: method SHARED_KEY_MIC length 64
e8d88d33 ab9fda8a 523dc334 c23432c0 a992bc6e b7716ece 959db375 94591f42
b1742f23 252f4084 4ab3dd83 12c42ff9 7e3f2831 4d43a3db 3c67a837 43650d26
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 
xforms 2 spi 0x3d86fc1b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.254.255.0 end 10.254.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 100.64.1.92 end 100.64.1.92
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 
40
ikev2_pld_tss: count 2 length 32
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 10.255.255.0 end 10.255.255.255
ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 
65535
ikev2_pld_ts: start 203.0.113.50 end 203.0.113.50
spi=0x3a561aeb30f190ce: send IKE_AUTH res 1 peer 100.64.1.92:500 local 
203.0.113.50:500, 268 bytes
pfkey_sa_add: update spi 0x3d86fc1b
ikev2_childsa_enable: loaded CHILD SA spi 0x3d86fc1b
pfkey_sa_add: add spi 0x3da1b697
ikev2_childsa_enable: loaded CHILD SA spi 0x3da1b697
ikev2_childsa_enable: loaded flow 0xfc0b3d5c00
ikev2_childsa_enable: loaded flow 0xfc0b3e2c00
ikev2_childsa_enable: loaded flow 0xfc0b3d5000
ikev2_childsa_enable: loaded flow 0xfc0b3e2000
ikev2_childsa_enable: loaded flow 0xfc0b401c00
ikev2_childsa_enable: loaded flow 0xfc0b401800
ikev2_childsa_enable: remember SA peer 100.64.1.92:500
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded SPIs: 0x3d86fc1b, 
0x3da1b697 (enc aes-256-gcm esn)
spi=0x3a561aeb30f190ce: ikev2_childsa_enable: loaded flows: 
ESP-10.255.255.0/24=10.254.255.0/24(0), ESP-203.0.113.50/32=10.254.255.0/24(0), 
ESP-203.0.113.50/32=100.64.1.92/32(0)
spi=0x3a561aeb30f190ce: sa_state: VALID -> ESTABLISHED from 100.64.1.92:500 to 
203.0.113.50:500 policy 'server-east.example.com'
spi=0x3a561aeb30f190ce: established peer 
100.64.1.92:500[FQDN/server-east.example.com] local 
203.0.113.50:500[FQDN/server-west.example.com] policy 'server-east.example.com' 
as responder (enc aes-256-gcm-12 group ecp521 prf hmac-sha2-512)
config_free_proposals: free 0xfc0b3ff380
pfkey_sa_lookup: last_used 1648051540
ikev2_ike_sa_alive: incoming CHILD SA spi 0x3d86fc1b last used 38 second(s) ago
config_doreset: flushing policies
config_doreset: flushing SAs
config_free_proposals: free 0xfc0b3f7780
config_free_proposals: free 0xfc0b3ff400
config_free_childsas: free 0xfc0b407900
config_free_childsas: free 0xfc0b400c00
sa_free_flows: free 0xfc0b3d5c00
sa_free_flows: free 0xfc0b3e2c00
ca exiting, pid 32470
control exiting, pid 55364
sa_free_flows: free 0xfc0b3d5000
sa_free_flows: free 0xfc0b3e2000
sa_free_flows: free 0xfc0b401c00
sa_free_flows: free 0xfc0b401800
config_free_proposals: free 0xfc0b3ff500
config_free_proposals: free 0xfc0b3ff980
config_free_flows: free 0xfc0b401400
config_free_flows: free 0xfc0b3d5800
config_free_flows: free 0xfc0b3f4c00
config_doreset: flushing users
ikev2 exiting, pid 46779
parent terminating

