>Synopsis:	iked: Cannot send requests after rekeying IKE SA
>Category:	system
>Environment:
	System      : OpenBSD 6.0
	Details     : OpenBSD 6.0-current (LOCAL) #0: Mon Oct 24 10:01:22 CEST 2016
	              t...@openbsd.my.domain:/usr/src/sys/arch/amd64/compile/LOCAL

	Architecture: OpenBSD.amd64
	Machine     : amd64
>Description:
	If iked is configured to rekey the IKE SA (ikelifetime option), sending
	requests ends up broken after the first rekeying. Messages like

	    "ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0, 432 bytes"

	(second rekeying attempt, see log below) indicate that the local and
	remote addresses of the new IKE SA are not initialized correctly.
	Despite this, iked can respond to requests from the peer.
>How-To-Repeat:
	1. Configure iked as a responder with ikelifetime > 0. The very short
	   value in the example iked.conf below (10 seconds) is chosen to make
	   reproduction fast.
	2. Start iked with this configuration. The log below was created using
	   "iked -dvv".
	3. Initiate an IKE SA from a suitable peer and wait for rekeying to
	   happen. I've used the Strongswan conftest framework with a
	   configuration that closes the IKE SA after 120 seconds; note that
	   the DELETE message is processed correctly.
>Fix:
	Unknown.

iked.conf:

ikev2 "test" passive ipcomp esp from 172.25.128.5/32 to 172.24.2.42/32 \
	peer any \
	ikesa enc aes-256 auth hmac-sha2-256 group modp2048 \
	childsa enc aes-256 auth hmac-sha1 group modp2048 \
	srcid "/CN=ike-test.example.com/C=DE" \
	ikelifetime 10

iked log:

ca_privkey_serialize: type RSA_KEY length 1192
ca_pubkey_serialize: type RSA_KEY length 270
ikev2 "test" passive esp from 172.25.128.5/32 to 172.24.2.42/32 local any peer any ikesa enc aes-256 prf hmac-sha2-256,hmac-sha1 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha1 group modp2048 srcid /CN=ike-test.example.com/C=DE ikelifetime 10 lifetime 10800 bytes 536870912 rsa
iked.conf: loaded 1 configuration rules
config_getpolicy: received policy
config_getpfkey: received pfkey fd 3
ca_reload: loaded ca file x509.pem
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 6
config_getsocket: received socket fd 7
ca_reload: /CN=Testing Authority
ca_reload: loaded 1 ca certificate
ca_reload: loaded cert file ike-test.pem
ca_validate_cert: /CN=ike-test.example.com/C=DE ok
ca_reload: local cert type X509_CERT
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
ikev2_recv: IKE_SA_INIT request from initiator 172.24.2.42:500 to 172.25.128.5:500 policy 'test' id 0, 544 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x0000000000000000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 544 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x0cffe25e7be83b8b 0x0000000000000000 172.24.2.42:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x0cffe25e7be83b8b 0x0000000000000000 172.25.128.5:500
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_pld_notify: signature hash SHA1 (1)
ikev2_pld_notify: signature hash SHA2_256 (2)
ikev2_pld_notify: signature hash SHA2_384 (3)
ikev2_pld_notify: signature hash SHA2_512 (4)
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0000
sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x0cffe25e7be83b8b 0x06b20567dde142a4 172.25.128.5:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x0cffe25e7be83b8b 0x06b20567dde142a4 172.24.2.42:500
ikev2_next_payload: length 28 nextpayload CERTREQ
ikev2_add_certreq: type X509_CERT length 21
ikev2_next_payload: length 25 nextpayload NOTIFY
ikev2_next_payload: length 14 nextpayload NONE
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 471 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
ikev2_msg_send: IKE_SA_INIT response from 172.25.128.5:500 to 172.24.2.42:500 msgid 0, 471 bytes
config_free_proposals: free 0x5d95d54f480
ikev2_recv: IKE_AUTH request from initiator 172.24.2.42:500 to 172.25.128.5:500 policy 'test' id 1, 1728 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1728 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1700
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1664
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1664/1664 padding 1
ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 55
ikev2_pld_id: id ASN1_DN//CN=ike-test2.example.com/C=DE length 51
ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1028
ikev2_pld_cert: type X509_CERT length 1023
ikev2_pld_payloads: decrypted payload CERTREQ nextpayload IDr critical 0x00 length 25
ikev2_pld_certreq: type X509_CERT length 20
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x0000 )
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 54
ikev2_pld_id: id ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_id: unexpected id payload
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 164
ikev2_pld_sa: more than one proposal specified
ikev2_pld_sa: more 2 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xc421d6ee
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.24.2.42 end 172.24.2.42
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.25.128.5 end 172.25.128.5
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
sa_stateok: SA_INIT flags 0x0000, require 0x0000
policy_lookup: peerid '/CN=ike-test2.example.com/C=DE'
ikev2_msg_auth: responder auth data length 535
ca_setauth: switching from RSA_SIG to SIG
ca_setauth: auth length 535
ikev2_msg_auth: initiator auth data length 608
ikev2_msg_authverify: method SIG keylen 1023 type X509_CERT
_dsa_verify_init: signature scheme 0 selected
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x0024 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
ikev2_sa_negotiate: score 4
sa_stateflags: 0x0034 -> 0x0034 certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0030, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
config_free_proposals: free 0x5d995c78880
ca_getreq: found CA /CN=Testing Authority
ca_getreq: found local certificate /CN=ike-test.example.com/C=DE
ca_setauth: auth length 272
ca_validate_cert: /CN=ike-test2.example.com/C=DE ok
ikev2_getimsgdata: imsg 18 rspi 0x06b20567dde142a4 ispi 0x0cffe25e7be83b8b initiator 0 sa valid type 4 data length 1020
ikev2_dispatch_cert: cert type X509_CERT length 1020, ok
sa_stateflags: 0x0034 -> 0x0035 cert,certreq,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0031, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_getimsgdata: imsg 23 rspi 0x06b20567dde142a4 ispi 0x0cffe25e7be83b8b initiator 0 sa valid type 14 data length 272
ikev2_dispatch_cert: AUTH type 14 len 272
sa_stateflags: 0x0035 -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x0039, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: cannot switch: AUTH_SUCCESS -> VALID
ikev2_dispatch_cert: peer certificate is valid
sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 1
ikev2_childsa_negotiate: key material length 104
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xbe43e25b
pfkey_sa_init: new spi 0xbe43e25b
sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
ikev2_next_payload: length 54 nextpayload CERT
ikev2_next_payload: length 1025 nextpayload AUTH
ikev2_next_payload: length 280 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 1451
ikev2_msg_encrypt: padded length 1456
ikev2_msg_encrypt: length 1452, padding 4, output length 1488
ikev2_next_payload: length 1492 nextpayload IDr
ikev2_msg_integr: message length 1520
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1520 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1492
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 1456
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 1456/1456 padding 4
ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 54
ikev2_pld_id: id ASN1_DN//CN=ike-test.example.com/C=DE length 50
ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1025
ikev2_pld_cert: type X509_CERT length 1020
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 280
ikev2_pld_auth: method SIG length 272
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xbe43e25b
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.24.2.42 end 172.24.2.42
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 172.25.128.5 end 172.25.128.5
ikev2_msg_send: IKE_AUTH response from 172.25.128.5:500 to 172.24.2.42:500 msgid 1, 1520 bytes
pfkey_sa_add: update spi 0xbe43e25b
ikev2_childsa_enable: loaded CHILD SA spi 0xbe43e25b
pfkey_sa_add: add spi 0xc421d6ee
ikev2_childsa_enable: loaded CHILD SA spi 0xc421d6ee
ikev2_childsa_enable: loaded flow 0x5d9ba916000
ikev2_childsa_enable: loaded flow 0x5d9ab276800
sa_state: VALID -> ESTABLISHED from 172.24.2.42:500 to 172.25.128.5:500 policy 'test'
ikev2_ike_sa_rekey: called for IKE SA 0x5d968e34000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_state: INIT -> AUTH_SUCCESS
ikev2_add_proposals: length 52
ikev2_next_payload: length 56 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONE
ikev2_msg_encrypt: decrypted length 356
ikev2_msg_encrypt: padded length 368
ikev2_msg_encrypt: length 357, padding 11, output length 400
ikev2_next_payload: length 404 nextpayload SA
ikev2_msg_integr: message length 432
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 0 length 432 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 xforms 4 spi 0xf671af4a99dd1f39
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_msg_send: CREATE_CHILD_SA request from 172.25.128.5:500 to 172.24.2.42:500 msgid 0, 432 bytes
ikev2_ike_sa_rekey: create child SA sent
ikev2_recv: CREATE_CHILD_SA response from initiator 172.24.2.42:500 to 172.25.128.5:500 policy 'test' id 0, 432 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x28 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 xforms 4 spi 0x6e3418a480ae0204
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_sa_negotiate: score 4
config_free_proposals: free 0x5d995c76900
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_ikesa_enable: IKE SA 0x5d968e34000 ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 replaced by SA 0x5d928e41000 ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
ikev2_ikesa_enable: activating new IKE SA
sa_state: AUTH_SUCCESS -> ESTABLISHED from any to any policy 'test'
ikev2_next_payload: length 8 nextpayload NONE
ikev2_msg_encrypt: decrypted length 8
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 9, padding 7, output length 48
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
ikev2_msg_send: INFORMATIONAL request from 172.25.128.5:500 to 172.24.2.42:500 msgid 1, 80 bytes
ikev2_ikesa_delete: sent delete, closing SA
sa_state: ESTABLISHED -> CLOSED from 172.24.2.42:500 to 172.25.128.5:500 policy 'test'
ikev2_recv: closing SA
sa_free: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
config_free_proposals: free 0x5d95d54f400
config_free_proposals: free 0x5d95d54fc00
ikev2_recv: INFORMATIONAL response from initiator 172.24.2.42:500 to 172.25.128.5:500 policy 'test' id 1, 80 bytes
ikev2_recv: ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4
ikev2_ike_sa_rekey: called for IKE SA 0x5d928e41000
ca_x509_name_parse: setting 'CN' to 'ike-test.example.com'
ca_x509_name_parse: setting 'C' to 'DE'
ikev2_policy2id: srcid ASN1_DN//CN=ike-test.example.com/C=DE length 50
sa_state: INIT -> AUTH_SUCCESS
ikev2_add_proposals: length 52
ikev2_next_payload: length 56 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONE
ikev2_msg_encrypt: decrypted length 356
ikev2_msg_encrypt: padded length 368
ikev2_msg_encrypt: length 357, padding 11, output length 400
ikev2_next_payload: length 404 nextpayload SA
ikev2_msg_integr: message length 432
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x08 msgid 0 length 432 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 404
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 368
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 368/368 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 56
ikev2_pld_sa: more 0 reserved 0 length 52 proposal #1 protoid IKE spisize 8 xforms 4 spi 0xa480072ae05fbed6
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_payloads: decrypted payload NONCE nextpayload KE critical 0x00 length 36
ikev2_pld_payloads: decrypted payload KE nextpayload NONE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048 reserved 0
ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0, 432 bytes
ikev2_msg_send: sendtofrom: Invalid argument
sa_free: ispi 0xa480072ae05fbed6 rspi 0x0000000000000000
ikev2_ike_sa_rekey: could not send create child SA
pfkey_sa_last_used: invalid address: Protocol family not supported
pfkey_sa_last_used: invalid address: Protocol family not supported
ikev2_ike_sa_alive: sending alive check
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 1 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL request from any to any msgid 1, 80 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_recv: INFORMATIONAL request from responder 172.24.2.42:500 to 172.25.128.5:500 policy 'test' id 0, 80 bytes
ikev2_recv: ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
ikev2_recv: updated SA to peer 172.24.2.42:500 local 172.25.128.5:500
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 0 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 8
ikev2_pld_delete: proto IKE spisize 0 nspi 0
ikev2_next_payload: length 4 nextpayload NONE
ikev2_msg_encrypt: decrypted length 4
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 5, padding 11, output length 48
ikev2_next_payload: length 52 nextpayload NONE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 0 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
ikev2_msg_send: INFORMATIONAL response from 172.25.128.5:500 to 172.24.2.42:500 msgid 0, 80 bytes
sa_state: ESTABLISHED -> CLOSED from 172.24.2.42:500 to 172.25.128.5:500 policy 'test'
ikev2_recv: closing SA
sa_free: ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
config_free_proposals: free 0x5d995c76880
config_free_proposals: free 0x5d995c76a00
config_free_childsas: free 0x5d928e44000
config_free_childsas: free 0x5d9b8d4d500
sa_free_flows: free 0x5d9ba916000
sa_free_flows: free 0x5d9ab276800

-- 
Dipl.-Ing. Thomas Klute
achelos GmbH
Vattmannstraße 1
33100 Paderborn / Germany
Management: Kathrin Asmuth, Frank Stehling
Commercial register: Paderborn, HRB 8817, VAT ID: DE260414872
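The symptom in this report is recognisable from the log alone: after `ikev2_ikesa_enable: ... replaced by SA ...` the new SA goes `ESTABLISHED from any to any`, every request it originates is logged `from any to any` and fails with `sendtofrom: Invalid argument`, while responses to the peer's requests still carry real addresses. The script below is an added example, not code from the report or from iked, that walks an `iked -dvv` log once and reports each IKE SA rekey whose replacement SA shows those signs. It attributes a sent message to the SA whose header was most recently parsed, which holds for the log format shown above; the regular expressions are tied to exactly these message formats and are an assumption for other iked versions. The sample input is a constructed subset of the log entries above.

```python
"""Audit an `iked -dvv` log for IKE SA rekeys whose replacement SA lost its
addresses. Added example, not iked code; regexes assume the log formats
visible in the report (an assumption for other iked versions)."""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RE_REPLACED = re.compile(
    r"ikev2_ikesa_enable: IKE SA 0x[0-9a-f]+ ispi (0x[0-9a-f]+) rspi (0x[0-9a-f]+)"
    r" replaced by SA 0x[0-9a-f]+ ispi (0x[0-9a-f]+) rspi (0x[0-9a-f]+)")
RE_ESTABLISHED = re.compile(r"sa_state: \S+ -> ESTABLISHED from (\S+) to (\S+) policy")
RE_HEADER = re.compile(r"ikev2_pld_parse: header ispi (0x[0-9a-f]+) rspi (0x[0-9a-f]+)")
RE_SEND = re.compile(r"ikev2_msg_send: (\S+) (?:request|response) from (\S+) to (\S+) msgid")
RE_SEND_ERROR = re.compile(r"ikev2_msg_send: sendtofrom: (.+)$")


@dataclass
class RekeyFinding:
    old_spi: str                      # "ispi/rspi" of the SA that was replaced
    new_spi: str                      # "ispi/rspi" of the replacement SA
    activated_without_address: bool = False                     # ESTABLISHED "from any to any"
    unaddressed_sends: List[str] = field(default_factory=list)  # exchanges sent "from any to any"
    send_errors: List[str] = field(default_factory=list)        # sendtofrom error text

    @property
    def broken(self) -> bool:
        return (self.activated_without_address
                or bool(self.unaddressed_sends) or bool(self.send_errors))


def audit_rekeys(lines) -> List[RekeyFinding]:
    """Single pass over the log; each sent message is attributed to the SA
    whose header (ispi/rspi) was parsed most recently before it."""
    findings: List[RekeyFinding] = []
    by_spi: Dict[str, RekeyFinding] = {}   # replacement SA -> its finding
    current: Optional[str] = None          # SA of the last parsed header
    last_sent: Optional[str] = None        # SA of the last ikev2_msg_send
    for raw in lines:
        line = raw.strip()
        if m := RE_REPLACED.search(line):
            f = RekeyFinding(old_spi=f"{m[1]}/{m[2]}", new_spi=f"{m[3]}/{m[4]}")
            findings.append(f)
            by_spi[f.new_spi] = f
            current = f.new_spi            # the sa_state line that follows is the new SA's
        elif m := RE_ESTABLISHED.search(line):
            if current in by_spi and "any" in (m[1], m[2]):
                by_spi[current].activated_without_address = True
        elif m := RE_HEADER.search(line):
            current = f"{m[1]}/{m[2]}"
        elif m := RE_SEND.search(line):
            last_sent = current
            if current in by_spi and "any" in (m[2], m[3]):
                by_spi[current].unaddressed_sends.append(m[1])
        elif m := RE_SEND_ERROR.search(line):
            if last_sent in by_spi:
                by_spi[last_sent].send_errors.append(m[1])
    return findings


def summarize(findings: List[RekeyFinding]) -> List[str]:
    """One line per rekey, flagged BROKEN when the new SA cannot send."""
    return [f"{'BROKEN' if f.broken else 'ok'}: {f.old_spi} -> {f.new_spi}; "
            f"unaddressed sends={f.unaddressed_sends}; errors={f.send_errors}"
            for f in findings]


# Constructed input: a subset of the entries from the report's log.
SAMPLE_LOG = """\
sa_state: VALID -> ESTABLISHED from 172.24.2.42:500 to 172.25.128.5:500 policy 'test'
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x00 msgid 0 length 432 response 0
ikev2_msg_send: CREATE_CHILD_SA request from 172.25.128.5:500 to 172.24.2.42:500 msgid 0, 432 bytes
ikev2_ikesa_enable: IKE SA 0x5d968e34000 ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 replaced by SA 0x5d928e41000 ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204
sa_state: AUTH_SUCCESS -> ESTABLISHED from any to any policy 'test'
ikev2_pld_parse: header ispi 0x0cffe25e7be83b8b rspi 0x06b20567dde142a4 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 80 response 0
ikev2_msg_send: INFORMATIONAL request from 172.25.128.5:500 to 172.24.2.42:500 msgid 1, 80 bytes
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x08 msgid 0 length 432 response 0
ikev2_msg_send: CREATE_CHILD_SA request from any to any msgid 0, 432 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 1 length 80 response 0
ikev2_msg_send: INFORMATIONAL request from any to any msgid 1, 80 bytes
ikev2_msg_send: sendtofrom: Invalid argument
ikev2_pld_parse: header ispi 0xf671af4a99dd1f39 rspi 0x6e3418a480ae0204 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 0 length 80 response 0
ikev2_msg_send: INFORMATIONAL response from 172.25.128.5:500 to 172.24.2.42:500 msgid 0, 80 bytes
"""

if __name__ == "__main__":
    # Pass a log file as the first argument; otherwise the constructed sample is used.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for entry in summarize(audit_rekeys(src)):
        print(entry)
```

Run against the full log from this report the script flags the single rekey with two unaddressed requests (the second CREATE_CHILD_SA and the alive-check INFORMATIONAL) and two `Invalid argument` send failures, while the INFORMATIONAL response to the peer's DELETE is correctly left out because it carried real addresses. On a healthy iked the list of findings is all `ok`, which makes the script usable as a post-rekey health check in a test harness.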