I am testing an extremely simple lab environment with iked(8) and failing to establish flows and SAs on one of two platforms.

I'm sure it's something extremely simple, but I'm at a loss to figure it out on my own. A cluestick would be appreciated.

--------

The entire network only has two systems:

a.lab, 10.0.0.1/24
b.lab, 10.0.0.2/24

These names are in /etc/myname and /etc/hosts. /etc/resolv.conf contains:

lookup file

iked.conf for a.lab:

ikev2 a2b from a.lab to b.lab psk test

iked.conf for b.lab:

ikev2 b2a active from b.lab to a.lab psk test

--------

Flows and SAs are established on a.lab, which is passive:

# ipsecctl -sa
FLOWS:
flow esp in from 10.0.0.2 to 10.0.0.1 peer 10.0.0.2 srcid FQDN/a.lab dstid FQDN/b.lab type use
flow esp out from 10.0.0.1 to 10.0.0.2 peer 10.0.0.2 srcid FQDN/a.lab dstid FQDN/b.lab type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 10.0.0.2 to 10.0.0.1 spi 0x4e79e0b2 auth hmac-sha2-256 enc aes-256
esp tunnel from 10.0.0.1 to 10.0.0.2 spi 0xf2f84086 auth hmac-sha2-256 enc aes-256
#

Flows and SAs are not established on b.lab, which is active:

# ipsecctl -sa
FLOWS:
flow esp out from ::/0 to ::/0 type deny

SAD:
No entries
#

--------

The only thing I see in iked -vvd output that catches my eye is:

sa_state: cannot switch: AUTH_SUCCESS -> VALID

The two iked -vvd logs follow, and then a dmesg.
I'm testing in QEMU virtual machines.

--------

a.lab iked log:

ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
config_getpolicy: received policy ikev2 "a2b" passive esp inet from 10.0.0.1 to 10.0.0.2 local 10.0.0.1 peer 10.0.0.2 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657374
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/a.lab length 9
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xf071110c5e30f9dd 0x0000000000000000 10.0.0.2:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xf071110c5e30f9dd 0x0000000000000000 10.0.0.1:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 10.0.0.1:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 10.0.0.2:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT response from 10.0.0.1:500 to 10.0.0.2:500 msgid 0, 432 bytes
config_free_proposals: free 0x7f5dfd40
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_recv: updated SA to peer 10.0.0.2:500 local 10.0.0.1:500
ikev2_resp_recv: SA already exists
ikev2_recv: IKE_SA_INIT request from initiator 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b' id 0, 520 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x0000000000000000
ikev2_recv: IKE_AUTH request from initiator 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b' id 1, 256 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.2:500 local 10.0.0.1:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 6
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 13
ikev2_pld_id: id FQDN/b.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xf2f84086
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
sa_stateok: SA_INIT flags 0x00, require 0x00
policy_lookup: peerid 'b.lab'
ikev2_msg_auth: responder auth data length 496
ikev2_msg_auth: initiator auth data length 584
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x1c -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x4e79e0b2
pfkey_sa_init: new spi 0x4e79e0b2
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_next_payload: length 13 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 145
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 146, padding 14, output length 192
ikev2_next_payload: length 196 nextpayload IDr
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 14
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 13
ikev2_pld_id: id FQDN/a.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x4e79e0b2
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_send: IKE_AUTH response from 10.0.0.1:500 to 10.0.0.2:500 msgid 1, 224 bytes
pfkey_sa_add: update spi 0x4e79e0b2
ikev2_childsa_enable: loaded CHILD SA spi 0x4e79e0b2
pfkey_sa_add: add spi 0xf2f84086
ikev2_childsa_enable: loaded CHILD SA spi 0xf2f84086
ikev2_childsa_enable: loaded flow 0x7c408800
ikev2_childsa_enable: loaded flow 0x7c408000
sa_state: VALID -> ESTABLISHED from 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b'
config_free_proposals: free 0x82e19a40

--------

b.lab iked log:

ca_privkey_serialize: type RSA_KEY length 1193
ca_pubkey_serialize: type RSA_KEY length 270
ca_reload: local cert type RSA_KEY
/etc/iked.conf: loaded 1 configuration rules
config_getocsp: ocsp_url none
config_getpolicy: received policy ikev2 "b2a" active esp inet from 10.0.0.2 to 10.0.0.1 local 10.0.0.2 peer 10.0.0.1 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x74657374
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ikev2_init_ike_sa: initiating "b2a"
ikev2_policy2id: srcid FQDN/b.lab length 9
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0xf071110c5e30f9dd 0x0000000000000000 10.0.0.2:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0xf071110c5e30f9dd 0x0000000000000000 10.0.0.1:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT request from 10.0.0.2:500 to 10.0.0.1:500 msgid 0, 520 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder 10.0.0.1:500 to 10.0.0.2:500 policy 'b2a' id 0, 432 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.1:500 local 10.0.0.2:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 10.0.0.1:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0xf071110c5e30f9dd 0x5c597cfa1e7be8ac 10.0.0.2:500
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x04 auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 584
sa_stateok: SA_INIT flags 0x04, require 0x04 auth
ikev2_next_payload: length 13 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xf2f84086
pfkey_sa_init: new spi 0xf2f84086
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 185
ikev2_msg_encrypt: padded length 192
ikev2_msg_encrypt: length 186, padding 6, output length 224
ikev2_next_payload: length 228 nextpayload IDi
ikev2_msg_integr: message length 256
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 6
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 13
ikev2_pld_id: id FQDN/b.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xf2f84086
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_send: IKE_AUTH request from 10.0.0.2:500 to 10.0.0.1:500 msgid 1, 256 bytes
config_free_proposals: free 0x87d2a100
ikev2_recv: IKE_AUTH response from responder 10.0.0.1:500 to 10.0.0.2:500 policy 'b2a' id 1, 224 bytes
ikev2_recv: ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac
ikev2_recv: updated SA to peer 10.0.0.1:500 local 10.0.0.2:500
ikev2_pld_parse: header ispi 0xf071110c5e30f9dd rspi 0x5c597cfa1e7be8ac nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 14
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 13
ikev2_pld_id: id FQDN/a.lab length 9
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x4e79e0b2
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.2 end 10.0.0.2
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 10.0.0.1 end 10.0.0.1
ikev2_msg_auth: responder auth data length 496
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x04 -> 0x0c auth,authvalid (required 0x18 authvalid,sa)
sa_stateok: VALID flags 0x08, require 0x18 authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0c -> 0x1c auth,authvalid,sa (required 0x18 authvalid,sa)
config_free_proposals: free 0x878e6f40
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active
ikev2_init_ike_sa: "b2a" is already active

--------

dmesg:

OpenBSD 5.6-current (GENERIC) #411: Tue Oct 21 16:03:23 MDT 2014
    dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: QEMU Virtual CPU version 2.1.2 ("GenuineIntel" 686-class) 1.61 GHz
cpu0: FPU,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,PGE,CMOV,MMX,FXSR,SSE,SSE2,SSE3,POPCNT,PERF
real mem = 66482176 (63MB)
avail mem = 53157888 (50MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 06/23/99, BIOS32 rev. 0 @ 0xfd4be, SMBIOS rev. 2.8 @ 0xf0cf0 (9 entries)
bios0: vendor SeaBIOS version "rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org" date 04/01/2014
bios0: QEMU Standard PC (i440FX + PIIX, 1996)
acpi0 at bios0: rev 0
acpi0: sleep states S3 S4 S5
acpi0: tables DSDT FACP SSDT APIC HPET
acpi0: wakeup devices
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: apic clock running at 999MHz
ioapic0 at mainbus0: apid 0 pa 0xfec00000, version 11, 24 pins
acpihpet0 at acpi0: 100000000 Hz
acpiprt0 at acpi0: bus 0 (PCI0)
acpicpu0 at acpi0
bios0: ROM list: 0xc0000/0x9200 0xc9800/0xa00 0xca800/0x2400! 0xeb800/0x4800!
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
pchb0 at pci0 dev 0 function 0 "Intel 82441FX" rev 0x02
pcib0 at pci0 dev 1 function 0 "Intel 82371SB ISA" rev 0x00
pciide0 at pci0 dev 1 function 1 "Intel 82371SB IDE" rev 0x00: DMA, channel 0 wired to compatibility, channel 1 wired to compatibility
pciide0: channel 0 disabled (no drives)
atapiscsi0 at pciide0 channel 1 drive 0
scsibus1 at atapiscsi0: 2 targets
cd0 at scsibus1 targ 0 lun 0: <QEMU, QEMU DVD-ROM, 2.1.> ATAPI 5/cdrom removable
cd0(pciide0:1:0): using PIO mode 4, DMA mode 2
piixpm0 at pci0 dev 1 function 3 "Intel 82371AB Power" rev 0x03: apic 0 int 9
iic0 at piixpm0
vga1 at pci0 dev 2 function 0 "Cirrus Logic CL-GD5446" rev 0x00
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
em0 at pci0 dev 3 function 0 "Intel 82540EM" rev 0x03: apic 0 int 11, address 52:54:00:12:34:56
virtio0 at pci0 dev 4 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio Block Device
vioblk0 at virtio0
scsibus2 at vioblk0: 2 targets
sd0 at scsibus2 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd0: 1024MB, 512 bytes/sector, 2097152 sectors
virtio0: apic 0 int 11
virtio1 at pci0 dev 5 function 0 "Qumranet Virtio Storage" rev 0x00: Virtio Block Device
vioblk1 at virtio1
scsibus3 at vioblk1: 2 targets
sd1 at scsibus3 targ 0 lun 0: <VirtIO, Block Device, > SCSI3 0/direct fixed
sd1: 20MB, 512 bytes/sector, 40960 sectors
virtio1: apic 0 int 10
isa0 at pcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
pckbc0: using irq 12 for aux slot
wsmouse0 at pms0 mux 0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 1: density unknown
nvram: invalid checksum
vscsi0 at root
scsibus4 at vscsi0: 256 targets
softraid0 at root
scsibus5 at softraid0: 256 targets
root on sd0a (050623a115c4fafe.a) swap on sd0b dump on sd0b
clock: unknown CMOS layout
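Added example, not part of the original post and not iked's own code: a small Python script that pulls the sa_state, sa_stateok and sa_stateflags lines out of an `iked -vvd` log and reports, for a refused transition, which required flag bit was absent when the check ran. The bit-to-name mapping it uses (0x04 auth, 0x08 authvalid, 0x10 sa) is read off the decoded flag words iked prints in the two logs above and is an assumption drawn from that log text, not from iked's source. The two embedded inputs are excerpts copied from the posted a.lab and b.lab logs.

```python
"""Walk the IKE SA state machine in an `iked -vvd` log and report where it stalled.

Added example; not part of the original post and not iked's own code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Bit values for sa_stateflags, inferred from how the posted logs decode them
# ("0x1c auth,authvalid,sa", "0x0c auth,authvalid", "0x18 authvalid,sa").
# Assumption taken from the log text, not from iked's source.
SA_FLAGS = {0x04: "auth", 0x08: "authvalid", 0x10: "sa"}

CANNOT_RE = re.compile(r"sa_state: cannot switch: (\w+) -> (\w+)")
STATE_RE = re.compile(r"sa_state: (\w+) -> (\w+)")
STATEOK_RE = re.compile(r"sa_stateok: (\w+) flags (0x[0-9a-fA-F]+), require (0x[0-9a-fA-F]+)")
STATEFLAGS_RE = re.compile(r"sa_stateflags: (0x[0-9a-fA-F]+) -> (0x[0-9a-fA-F]+)")


def flag_names(bits: int) -> List[str]:
    """Decode a flags word into the names iked prints, lowest bit first."""
    return [name for bit, name in sorted(SA_FLAGS.items()) if bits & bit]


@dataclass
class Diagnosis:
    reached: Optional[str] = None               # last state the SA actually entered
    blocked: Optional[Tuple[str, str]] = None   # (from, to) of a refused transition
    missing: List[str] = field(default_factory=list)  # required flags absent at that check
    flags_after: Optional[int] = None           # first flags word logged after the refusal


def analyze(lines) -> Diagnosis:
    """Scan lines in order; the sa_stateok line precedes the transition it gates."""
    d = Diagnosis()
    last_check: Optional[Tuple[int, int]] = None  # (have, require) of the latest sa_stateok
    for line in lines:
        m = CANNOT_RE.search(line)
        if m:
            d.blocked = (m.group(1), m.group(2))
            if last_check is not None:
                have, need = last_check
                d.missing = flag_names(need & ~have)
            continue
        m = STATE_RE.search(line)
        if m:
            d.reached = m.group(2)
            continue
        m = STATEOK_RE.search(line)
        if m:
            last_check = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = STATEFLAGS_RE.search(line)
        if m and d.blocked is not None and d.flags_after is None:
            d.flags_after = int(m.group(2), 16)
    return d


def report(label: str, d: Diagnosis) -> str:
    out = [f"{label}: last state entered {d.reached}"]
    if d.blocked is not None:
        out.append(f"  refused {d.blocked[0]} -> {d.blocked[1]}; "
                   f"required flag(s) not set at the check: {', '.join(d.missing) or 'none'}")
        if d.flags_after is not None:
            out.append(f"  flags logged after the refusal: {d.flags_after:#x} "
                       f"{','.join(flag_names(d.flags_after))}")
    return "\n".join(out)


# Excerpts copied from the two logs in the post (state-machine lines only).
A_LAB_TAIL = """\
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
ikev2_childsa_enable: loaded CHILD SA spi 0x4e79e0b2
sa_state: VALID -> ESTABLISHED from 10.0.0.2:500 to 10.0.0.1:500 policy 'a2b'
"""

B_LAB_TAIL = """\
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x04 -> 0x0c auth,authvalid (required 0x18 authvalid,sa)
sa_stateok: VALID flags 0x08, require 0x18 authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0c -> 0x1c auth,authvalid,sa (required 0x18 authvalid,sa)
ikev2_init_ike_sa: "b2a" is already active
"""

if __name__ == "__main__":
    print(report("a.lab (passive)", analyze(A_LAB_TAIL.splitlines())))
    print(report("b.lab (active)", analyze(B_LAB_TAIL.splitlines())))
```

Run as-is, it reports for b.lab that the AUTH_SUCCESS -> VALID check ran with flags 0x08 against a requirement of 0x18, i.e. with the sa bit (0x10) unset, and that the next sa_stateflags line sets that bit (0x1c) without any further sa_state transition being logged; for a.lab the same check saw 0x1c and passed. The script only makes explicit the comparison already present in the posted lines; to use it on a live system, feed it the full `iked -vvd` output instead of the excerpts.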