OpenIKED and Strongswan


OpenIKED and Strongswan

Riccardo Giuntoli
Hi there, I've got a lot of problems getting an IKEv2 point-to-point connection
stable between OpenBSD/OpenIKED and VyOS/Strongswan.

Basically OpenBSD is a transport GRE in passive mode. Strongswan is an active GRE
transport. The GRE tunnel is built above and keepalive works on both
sides, because I've changed the behaviour of the tun interface in Linux.

This is the error that I also get on the OpenBSD side:

Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process


Here is the Strongswan configuration:

conn XXXX
        keyexchange=ikev2
        type=transport
        auto=start
        reauth=no
        ikelifetime=1h
        dpdaction=restart
        dpddelay=15
        dpdtimeout=1
        closeaction=restart

        left=%defaultroute
        leftsourceip=%config4
        leftauth=pubkey
        leftid=%indra@XXXX
        leftprotoport=gre
        leftupdown=/config/ipsec/ESJP-updown.sh

        right=XXXX
        rightsubnet=XXXX
        rightauth=pubkey
        rightid=%jXXXX
        rightcert=/etc/ipsec.d/certs/XXXX.crt
        rightprotoport=gre

#!/bin/bash
# strongSwan updown script: PLUTO_VERB is set by the IKE daemon.

set -o nounset
set -o errexit

TUN_IFACE="tun2"

case "${PLUTO_VERB}" in
up-host)
        echo "Putting interface ${TUN_IFACE} up"
        ifconfig "${TUN_IFACE}" up
        echo "Disabling IPsec policy (SPD) for ${TUN_IFACE}"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.disable_policy=1"
        echo "Accepting gre keepalive"
        sysctl -w "net.ipv4.conf.${TUN_IFACE}.accept_local=1"
        ;;
down-host)
        ifconfig "${TUN_IFACE}" down
        ;;
esac

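IKE is checked with DPD.
SA is checked with the script

above, and also a cron script acting in this way:

#!/bin/bash
ROUTER_IP=XXXX
IPSEC="XXXX"
GRE="tun2"

# Probe the far end through the GRE interface.
PING_RESULT=$(fping -I"$GRE" "$ROUTER_IP" 2>&1)
ALIVE="alive"
STATUS=$(ipsec status "$IPSEC")
# String in the `ipsec status` output that marks an installed CHILD SA.
ESTABLISHED="INSTALLED"

if [[ "$PING_RESULT" != *"$ALIVE"* ]]; then
        if [[ "$STATUS" == *"$ESTABLISHED"* ]]; then
                # SA still installed but peer unreachable: tear down, then re-initiate.
                ipsec stroke down-nb "$IPSEC"
                ipsec up "$IPSEC"
        else
                ipsec up "$IPSEC"
        fi
fi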

On the OpenBSD side:

set dpd_check_interval 15
ikev2 "XXXX" passive transport \
        proto gre \
        from XXXX to XXXX \
        local jXXXX peer any \
        ikesa auth hmac-sha2-256 enc aes-256 group ecp256 \
        childsa auth hmac-sha2-256 enc aes-256 group ecp256 \
        srcid "shiva@XXXX" \
        ikelifetime 86400 lifetime 3600

root@shiva:/etc# cat hostname.gre1
description "XXXX"
keepalive 5 2
mtu 1392
!ifconfig gre1 XXXX4 XXXX netmask 0xfffffffc up
!ifconfig gre1 tunnel XXXX XXXX
root@shiva:/etc#

And some ifstated to check keepalive status.

Any suggestions?

--
Name: Riccardo Giuntoli
Email: [hidden email]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net
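
An added example, not part of any post in this thread: a small triage script for the syslog excerpt above. It rejoins the lines the mail client wrapped, then counts how many distinct IKE SAs logged a delayed rekey and how many PF_KEY lookups failed in the window. The names `unwrap` and `summarise` are hypothetical; the sample input is the excerpt from the first post.

```python
import re
from collections import Counter
from datetime import datetime

# Excerpt from the first post, kept with the mail client's line wraps.
SAMPLE = """\
Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54:
ikev2_ike_sa_rekey: busy, delaying rekey
Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such
process
"""

# A syslog record from iked starts with "Mon DD HH:MM:SS host iked[pid]: ".
RECORD_START = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) iked\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SPI_MSG = re.compile(r"^spi=(0x[0-9a-f]{1,16}): (.*)$")
QUOTE = re.compile(r"^(?:>\s?)+")  # mail quote markers such as "> > "


def unwrap(text):
    """Rejoin wrapped records; also accepts '>'-quoted copies of the log."""
    records = []
    for raw in text.splitlines():
        line = QUOTE.sub("", raw).strip()
        if not line:
            continue
        m = RECORD_START.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            # Continuation of the previous record (wrapped by the mailer).
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records


def _when(ts):
    # Syslog omits the year; 2000 is an arbitrary leap year so "Feb 29" parses.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")


def summarise(text):
    """Count delayed IKE SA rekeys per SPI and failed PF_KEY SA lookups."""
    records = unwrap(text)
    delayed = Counter()
    pfkey_failures = 0
    for rec in records:
        msg = rec["msg"]
        m = SPI_MSG.match(msg)
        if m and m.group(2) == "ikev2_ike_sa_rekey: busy, delaying rekey":
            delayed[m.group(1)] += 1
        elif msg.startswith("pfkey_sa_lookup:") and msg.endswith("No such process"):
            pfkey_failures += 1
    times = [_when(r["ts"]) for r in records]
    window = int((max(times) - min(times)).total_seconds()) if times else 0
    return {
        "records": len(records),
        "delayed_rekeys": dict(delayed),
        "pfkey_lookup_failures": pfkey_failures,
        "window_seconds": window,
    }


if __name__ == "__main__":
    result = summarise(SAMPLE)
    print(f"{result['records']} records over {result['window_seconds']}s")
    print(f"{len(result['delayed_rekeys'])} distinct IKE SAs delayed a rekey")
    print(f"{result['pfkey_lookup_failures']} failed pfkey_sa_lookup calls")
```
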

Re: OpenIKED and Strongswan

Tobias Heider-2
On Mon, Feb 22, 2021 at 09:06:58AM +0100, Riccardo Giuntoli wrote:

> Hi there, I've got a lot of problems getting an IKEv2 point-to-point connection
> stable between OpenBSD/OpenIKED and VyOS/Strongswan.
>
> Basically OpenBSD is a transport GRE in passive mode. Strongswan is an active GRE
> transport. The GRE tunnel is built above and keepalive works on both
> sides, because I've changed the behaviour of the tun interface in Linux.
>
> This is the error that I also get on the OpenBSD side:
>
> Feb 22 07:54:34 ganesha iked[26646]: spi=0x53365c1f26b25ca8:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:34 ganesha iked[26646]: spi=0xbbc576f1b7bbeff8:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:35 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:38 ganesha iked[26646]: spi=0xa74b9d54a7346659:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:38 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
> Feb 22 07:54:39 ganesha iked[26646]: spi=0xb1cc5054712c2e6e:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: spi=0x56465bd460d16d54:
> ikev2_ike_sa_rekey: busy, delaying rekey
> Feb 22 07:54:40 ganesha iked[26646]: pfkey_sa_lookup: message: No such
> process
>

I don't see any obvious misconfiguration so this might be a bug,
but without the log I won't be able to help.

- Tobias


Re: OpenIKED and Strongswan

Riccardo Giuntoli
Ok, I've got the same error on three different OpenBSD machines. Tell me what error
you want, or if you want access.

Kind regards


--
Name: Riccardo Giuntoli
Email: [hidden email]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

Re: OpenIKED and Strongswan

Stuart Henderson
On 2021-02-22, Riccardo Giuntoli <[hidden email]> wrote:
> Ok, I've got the same error on three different OpenBSD machines. Tell me what error
> you want, or if you want access.

It would be a good start to run iked in the foreground with iked -vvd and
show the log from there.



Re: OpenIKED and Strongswan

Riccardo Giuntoli
Ok. In the log you can appreciate.

UK-HOST is one OpenBSD machine connected to three OpenBSD, one MikroTik and
one VyOS. The VyOS is CAT-HOST.

Kind regards


--
Name: Riccardo Giuntoli
Email: [hidden email]
Location: sant Pere de Ribes, BCN, Spain
PGP Key: 0x67123739
PGP Fingerprint: CE75 16B5 D855 842FAB54 FB5C DDC6 4640 6712 3739
Key server: hkp://wwwkeys.eu.pgp.net

ipsec_debug.txt (131K) Download Attachment

Re: OpenIKED and Strongswan

Tobias Heider-2
On Mon, Feb 22, 2021 at 03:59:53PM +0100, Riccardo Giuntoli wrote:
> Ok. In the log you can appreciate.
>
> UK-HOST is one OpenBSD machine connected to three OpenBSD, one MikroTik and
> one VyOS. The VyOS is CAT-HOST.
>
> Kind regards

The log looks fine but it doesn't seem to contain the error message you
sent earlier.
Can you try reproducing the bug and then send a log containing the error
message and everything that happened before?

> create_ike: using signature for peer --FR--
> create_ike: using signature for peer
> ikev2 "--CAT-HOST--" passive transport esp proto gre inet from --UK-- to --CAT-- local --UK-- peer any ikesa enc aes-256 prf hmac-sha2-256,hmac-sha2-384,hmac-sha2-512,hmac-sha1 auth hmac-sha2-256 group ecp256 childsa enc aes-256 auth hmac-sha2-256 group ecp256 esn,noesn srcid --UK-ID-- ikelifetime 86400 lifetime 3600 bytes 536870912 signature
> /etc/iked.conf: loaded 4 configuration rules
> ca_privkey_serialize: type RSA_KEY length 1191
> ca_pubkey_serialize: type RSA_KEY length 270
> ca_privkey_to_method: type RSA_KEY method RSA_SIG
> ca_getkey: received private key type RSA_KEY length 1191
> ca_getkey: received public key type RSA_KEY length 270
> ca_dispatch_parent: config reset
> ca_reload: loaded ca file ca.crt
> ca_reload: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_reload: loaded 1 ca certificate
> ca_reload: loaded cert file --FR-HOST--.crt
> ca_reload: loaded cert file --UK-HOST--.crt
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpolicy: received policy
> config_getpfkey: received pfkey fd 3
> config_getcompile: compilation done
> config_getsocket: received socket fd 4
> config_getsocket: received socket fd 5
> config_getsocket: received socket fd 6
> config_getsocket: received socket fd 7
> config_getstatic: dpd_check_interval 15
> config_getstatic: no enforcesingleikesa
> config_getstatic: no fragmentation
> config_getstatic: mobike
> config_getstatic: nattport 4500
> ca_validate_cert: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--FR-HOST-- ok
> ca_validate_cert: /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST-- ok
> ca_reload: local cert type X509_CERT
> config_getocsp: ocsp_url none tolerate 0 maxage -1
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> ikev2_dispatch_cert: updated local CERTREQ type X509_CERT length 20
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> ikev2_init_ike_sa: initiating "--FR-HOST--"
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_add_proposals: length 68
> ikev2_next_payload: length 72 nextpayload KE
> ikev2_next_payload: length 104 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xf2043da59221143f 0x0000000000000000 --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xf2043da59221143f 0x0000000000000000 --FR--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 310 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 72
> ikev2_pld_sa: more 0 reserved 0 length 68 proposal #1 protoid IKE spisize 0 xforms 7 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
> ikev2_pld_ke: dh group ECP_384 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0xf2043da59221143f: send IKE_SA_INIT req 0 peer --FR--:500 local --UK--:500, 310 bytes
> spi=0xf2043da59221143f: sa_state: INIT -> SA_INIT
> ikev2_init_ike_sa: initiating "--US-HOST--"
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_add_proposals: length 36
> ikev2_next_payload: length 40 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x22cd85777285bb53 0x0000000000000000 --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x22cd85777285bb53 0x0000000000000000 --US-IP--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x22cd85777285bb53 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 310 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group BRAINPOOL_P512R1 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x22cd85777285bb53: send IKE_SA_INIT req 0 peer --US-IP--:500 local --UK--:500, 310 bytes
> spi=0x22cd85777285bb53: sa_state: INIT -> SA_INIT
> ikev2_init_ike_sa: initiating "--JP-HOST--"
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_add_proposals: length 36
> ikev2_next_payload: length 40 nextpayload KE
> ikev2_next_payload: length 136 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x67cb9c572ac8b67e 0x0000000000000000 --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x67cb9c572ac8b67e 0x0000000000000000 --JP-IP--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x67cb9c572ac8b67e rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 310 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 0 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group BRAINPOOL_P512R1 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x67cb9c572ac8b67e: send IKE_SA_INIT req 0 peer --JP-IP--:500 local --UK--:500, 310 bytes
> spi=0x67cb9c572ac8b67e: sa_state: INIT -> SA_INIT
> spi=0xf2043da59221143f: recv IKE_SA_INIT res 0 peer --FR--:500 local --UK--:500, 213 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 213 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 104
> ikev2_pld_ke: dh group ECP_384 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_payloads: payload CERTREQ nextpayload NONE critical 0x00 length 5
> ikev2_pld_certreq: type X509_CERT length 0
> ikev2_pld_certreq: invalid length 0
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
> proposals_negotiate: score 4
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> spi=0xf2043da59221143f: ikev2_sa_keys: DHSECRET with 48 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0xf2043da59221143f: ikev2_sa_keys: S with 72 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_msg_auth: initiator auth data length 366
> ca_setauth: switching SIG to RSA_SIG(*)
> ca_setauth: auth length 366
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> config_free_proposals: free 0x3c27ccfe800
> ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_getreq: found local certificate /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST--
> ca_setauth: auth length 256
> ikev2_getimsgdata: imsg 22 rspi 0x1f43bd64d771a4e5 ispi 0xf2043da59221143f initiator 1 sa valid type 4 data length 1064
> ikev2_dispatch_cert: cert type X509_CERT length 1064, ok
> sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
> ikev2_getimsgdata: imsg 28 rspi 0x1f43bd64d771a4e5 ispi 0xf2043da59221143f initiator 1 sa valid type 1 data length 256
> ikev2_dispatch_cert: AUTH type 1 len 256
> sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
> ikev2_next_payload: length 35 nextpayload CERT
> ikev2_next_payload: length 1069 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload AUTH
> ikev2_next_payload: length 264 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload SA
> pfkey_sa_getspi: spi 0x8f3bad08
> pfkey_sa_init: new spi 0x8f3bad08
> ikev2_add_proposals: length 48
> ikev2_next_payload: length 52 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_next_payload: length 1540 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 1501
> ikev2_msg_encrypt: padded length 1504
> ikev2_msg_encrypt: length 1502, padding 2, output length 1536
> ikev2_msg_integr: message length 1568
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1568 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1540
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1504
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 2
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 35
> ikev2_pld_id: id UFQDN/--UK-ID-- length 31
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 52
> ikev2_pld_sa: more 0 reserved 0 length 48 proposal #1 protoid ESP spisize 4 xforms 4 spi 0x8f3bad08
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --FR-- end --FR--
> spi=0xf2043da59221143f: send IKE_AUTH req 1 peer --FR--:500 local --UK--:500, 1568 bytes
> spi=0xf2043da59221143f: recv IKE_AUTH res 1 peer --FR--:500 local --UK--:500, 1552 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1552 response 1
> ikev2_pld_payloads: payload SK nextpayload CERT critical 0x00 length 1524
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1488
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1488/1488 padding 8
> ikev2_pld_payloads: decrypted payload CERT nextpayload IDr critical 0x00 length 1084
> ikev2_pld_cert: type X509_CERT length 1079
> ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 31
> ikev2_pld_id: id UFQDN/uma@--CA-HOST-- length 27
> ikev2_pld_payloads: decrypted payload AUTH nextpayload TSi critical 0x00 length 264
> ikev2_pld_auth: method RSA_SIG length 256
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload SA critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --FR-- end --FR--
> ikev2_pld_payloads: decrypted payload SA nextpayload NOTIFY critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x066d9db6
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> spi=0xf2043da59221143f: sa_state: SA_INIT -> AUTH_REQUEST
> proposals_negotiate: score 4
> sa_stateflags: 0x000d -> 0x002d cert,certreq,auth,sa (required 0x0032 certvalid,authvalid,sa)
> config_free_proposals: free 0x3c27ccfe580
> ca_validate_pubkey: could not open public key pubkeys/ufqdn/uma@--CA-HOST--
> ca_validate_cert: /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--FR-HOST-- ok
> ikev2_getimsgdata: imsg 23 rspi 0x1f43bd64d771a4e5 ispi 0xf2043da59221143f initiator 1 sa valid type 4 data length 1079
> ikev2_msg_auth: responder auth data length 277
> ikev2_msg_authverify: method RSA_SIG keylen 1079 type X509_CERT
> ikev2_msg_authverify: authentication successful
> spi=0xf2043da59221143f: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0xf2043da59221143f: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_add: add spi 0x066d9db6
> ikev2_childsa_enable: loaded CHILD SA spi 0x066d9db6
> pfkey_sa_add: update spi 0x8f3bad08
> ikev2_childsa_enable: loaded CHILD SA spi 0x8f3bad08
> ikev2_childsa_enable: loaded flow 0x3c27dfd9800
> ikev2_childsa_enable: loaded flow 0x3c27dfda000
> ikev2_childsa_enable: remember SA peer --FR--:500
> spi=0xf2043da59221143f: ikev2_childsa_enable: loaded SPIs: 0x066d9db6, 0x8f3bad08
> spi=0xf2043da59221143f: ikev2_childsa_enable: loaded flows: ESP---UK--/32=--FR--/32(47)
> spi=0xf2043da59221143f: sa_state: VALID -> ESTABLISHED from --FR--:500 to --UK--:500 policy '--FR-HOST--'
> spi=0xf2043da59221143f: established peer --FR--:500[UFQDN/uma@--CA-HOST--] local --UK--:500[UFQDN/--UK-ID--] policy '--FR-HOST--' as initiator
> spi=0x22cd85777285bb53: recv IKE_SA_INIT res 0 peer --US-IP--:500 local --UK--:500, 335 bytes, policy '--US-HOST--'
> ikev2_recv: ispi 0x22cd85777285bb53 rspi 0x84c59f1c8f60d03f
> ikev2_recv: updated SA to peer --US-IP--:500 local --UK--:500
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_pld_parse: header ispi 0x22cd85777285bb53 rspi 0x84c59f1c8f60d03f nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 335 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group BRAINPOOL_P512R1 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x22cd85777285bb53 0x84c59f1c8f60d03f --US-IP--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x22cd85777285bb53 0x84c59f1c8f60d03f --UK--:500
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
> proposals_negotiate: score 3
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> spi=0x22cd85777285bb53: ikev2_sa_keys: DHSECRET with 64 bytes
> ikev2_sa_keys: SKEYSEED with 64 bytes
> spi=0x22cd85777285bb53: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: T3 with 64 bytes
> ikev2_prfplus: T4 with 64 bytes
> ikev2_prfplus: T5 with 64 bytes
> ikev2_prfplus: Tn with 320 bytes
> ikev2_sa_keys: SK_d with 64 bytes
> ikev2_sa_keys: SK_ei with 36 bytes
> ikev2_sa_keys: SK_er with 36 bytes
> ikev2_sa_keys: SK_pi with 64 bytes
> ikev2_sa_keys: SK_pr with 64 bytes
> ikev2_msg_auth: initiator auth data length 406
> ca_setauth: switching SIG_ANY to SIG
> ca_setauth: auth length 406
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> config_free_proposals: free 0x3c27dfd8300
> ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_getreq: found local certificate /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST--
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> ca_setauth: auth length 272
> ikev2_getimsgdata: imsg 22 rspi 0x84c59f1c8f60d03f ispi 0x22cd85777285bb53 initiator 1 sa valid type 4 data length 1064
> ikev2_dispatch_cert: cert type X509_CERT length 1064, ok
> sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
> ikev2_getimsgdata: imsg 28 rspi 0x84c59f1c8f60d03f ispi 0x22cd85777285bb53 initiator 1 sa valid type 14 data length 272
> ikev2_dispatch_cert: AUTH type 14 len 272
> sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
> ikev2_next_payload: length 35 nextpayload CERT
> ikev2_next_payload: length 1069 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload AUTH
> ikev2_next_payload: length 280 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload SA
> pfkey_sa_getspi: spi 0xfc41aa70
> pfkey_sa_init: new spi 0xfc41aa70
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_next_payload: length 1534 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 1509
> ikev2_msg_encrypt: padded length 1510
> ikev2_msg_encrypt: length 1510, padding 0, output length 1530
> ikev2_msg_integr: message length 1562
> ikev2_msg_integr: integrity checksum length 12
> ikev2_pld_parse: header ispi 0x22cd85777285bb53 rspi 0x84c59f1c8f60d03f nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1562 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1534
> ikev2_msg_decrypt: IV length 8
> ikev2_msg_decrypt: encrypted payload length 1510
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: AAD length 32
> ikev2_msg_decrypt: decrypted payload length 1510/1510 padding 0
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 35
> ikev2_pld_id: id UFQDN/--UK-ID-- length 31
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xfc41aa70
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CHACHA20_POLY1305
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --US-IP-- end --US-IP--
> spi=0x22cd85777285bb53: send IKE_AUTH req 1 peer --US-IP--:500 local --UK--:500, 1562 bytes
> spi=0x22cd85777285bb53: recv IKE_AUTH res 1 peer --US-IP--:500 local --UK--:500, 1532 bytes, policy '--US-HOST--'
> ikev2_recv: ispi 0x22cd85777285bb53 rspi 0x84c59f1c8f60d03f
> ikev2_recv: updated SA to peer --US-IP--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0x22cd85777285bb53 rspi 0x84c59f1c8f60d03f nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1532 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1504
> ikev2_msg_decrypt: IV length 8
> ikev2_msg_decrypt: encrypted payload length 1480
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: AAD length 32
> ikev2_msg_decrypt: decrypted payload length 1480/1480 padding 0
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 37
> ikev2_pld_id: id UFQDN/saraswati@--CA-HOST-- length 33
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1070
> ikev2_pld_cert: type X509_CERT length 1065
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
> ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0xd1bfd520
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CHACHA20_POLY1305
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --US-IP-- end --US-IP--
> spi=0x22cd85777285bb53: sa_state: SA_INIT -> AUTH_REQUEST
> proposals_negotiate: score 2
> sa_stateflags: 0x000d -> 0x002d cert,certreq,auth,sa (required 0x0032 certvalid,authvalid,sa)
> config_free_proposals: free 0x3c27dfd8980
> ca_validate_pubkey: could not open public key pubkeys/ufqdn/saraswati@--CA-HOST--
> ca_validate_cert: /C=US/ST=Texas/L=Dallas/O=Telecom Lobby/OU=VPNC/CN=--US-HOST-- ok
> ikev2_getimsgdata: imsg 23 rspi 0x84c59f1c8f60d03f ispi 0x22cd85777285bb53 initiator 1 sa valid type 4 data length 1065
> ikev2_msg_auth: responder auth data length 431
> ikev2_msg_authverify: method SIG keylen 1065 type X509_CERT
> _dsa_verify_init: signature scheme 0 selected
> ikev2_msg_authverify: authentication successful
> spi=0x22cd85777285bb53: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0x22cd85777285bb53: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 72
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_add: add spi 0xd1bfd520
> ikev2_childsa_enable: loaded CHILD SA spi 0xd1bfd520
> pfkey_sa_add: update spi 0xfc41aa70
> ikev2_childsa_enable: loaded CHILD SA spi 0xfc41aa70
> ikev2_childsa_enable: loaded flow 0x3c2c0b8f800
> ikev2_childsa_enable: loaded flow 0x3c27dfda400
> ikev2_childsa_enable: remember SA peer --US-IP--:500
> spi=0x22cd85777285bb53: ikev2_childsa_enable: loaded SPIs: 0xd1bfd520, 0xfc41aa70
> spi=0x22cd85777285bb53: ikev2_childsa_enable: loaded flows: ESP---UK--/32=--US-IP--/32(47)
> spi=0x22cd85777285bb53: sa_state: VALID -> ESTABLISHED from --US-IP--:500 to --UK--:500 policy '--US-HOST--'
> spi=0x22cd85777285bb53: established peer --US-IP--:500[UFQDN/saraswati@--CA-HOST--] local --UK--:500[UFQDN/--UK-ID--] policy '--US-HOST--' as initiator
> spi=0x67cb9c572ac8b67e: recv IKE_SA_INIT res 0 peer --JP-IP--:500 local --UK--:500, 335 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x67cb9c572ac8b67e rspi 0x2c3aab6ceed004e7
> ikev2_recv: updated SA to peer --JP-IP--:500 local --UK--:500
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_pld_parse: header ispi 0x67cb9c572ac8b67e rspi 0x2c3aab6ceed004e7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 335 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 40
> ikev2_pld_sa: more 0 reserved 0 length 36 proposal #1 protoid IKE spisize 0 xforms 3 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 136
> ikev2_pld_ke: dh group BRAINPOOL_P512R1 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x67cb9c572ac8b67e 0x2c3aab6ceed004e7 --JP-IP--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x67cb9c572ac8b67e 0x2c3aab6ceed004e7 --UK--:500
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> sa_stateflags: 0x0000 -> 0x0004 certreq (required 0x0009 cert,auth)
> proposals_negotiate: score 3
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> spi=0x67cb9c572ac8b67e: ikev2_sa_keys: DHSECRET with 64 bytes
> ikev2_sa_keys: SKEYSEED with 64 bytes
> spi=0x67cb9c572ac8b67e: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: T3 with 64 bytes
> ikev2_prfplus: T4 with 64 bytes
> ikev2_prfplus: T5 with 64 bytes
> ikev2_prfplus: Tn with 320 bytes
> ikev2_sa_keys: SK_d with 64 bytes
> ikev2_sa_keys: SK_ei with 36 bytes
> ikev2_sa_keys: SK_er with 36 bytes
> ikev2_sa_keys: SK_pi with 64 bytes
> ikev2_sa_keys: SK_pr with 64 bytes
> ikev2_msg_auth: initiator auth data length 406
> ca_setauth: switching SIG_ANY to SIG
> ca_setauth: auth length 406
> sa_stateok: SA_INIT flags 0x0000, require 0x0009 cert,auth
> config_free_proposals: free 0x3c2a56dad00
> ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_getreq: found local certificate /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST--
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> ca_setauth: auth length 272
> ikev2_getimsgdata: imsg 22 rspi 0x2c3aab6ceed004e7 ispi 0x67cb9c572ac8b67e initiator 1 sa valid type 4 data length 1064
> ikev2_dispatch_cert: cert type X509_CERT length 1064, ok
> sa_stateflags: 0x0004 -> 0x0005 cert,certreq (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0001, require 0x0009 cert,auth
> ikev2_getimsgdata: imsg 28 rspi 0x2c3aab6ceed004e7 ispi 0x67cb9c572ac8b67e initiator 1 sa valid type 14 data length 272
> ikev2_dispatch_cert: AUTH type 14 len 272
> sa_stateflags: 0x0005 -> 0x000d cert,certreq,auth (required 0x0009 cert,auth)
> sa_stateok: SA_INIT flags 0x0009, require 0x0009 cert,auth
> ikev2_next_payload: length 35 nextpayload CERT
> ikev2_next_payload: length 1069 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload AUTH
> ikev2_next_payload: length 280 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload SA
> pfkey_sa_getspi: spi 0x4701e9b5
> pfkey_sa_init: new spi 0x4701e9b5
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_next_payload: length 1534 nextpayload IDi
> ikev2_msg_encrypt: decrypted length 1509
> ikev2_msg_encrypt: padded length 1510
> ikev2_msg_encrypt: length 1510, padding 0, output length 1530
> ikev2_msg_integr: message length 1562
> ikev2_msg_integr: integrity checksum length 12
> ikev2_pld_parse: header ispi 0x67cb9c572ac8b67e rspi 0x2c3aab6ceed004e7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1562 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1534
> ikev2_msg_decrypt: IV length 8
> ikev2_msg_decrypt: encrypted payload length 1510
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: AAD length 32
> ikev2_msg_decrypt: decrypted payload length 1510/1510 padding 0
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 35
> ikev2_pld_id: id UFQDN/--UK-ID-- length 31
> ikev2_pld_payloads: decrypted payload CERT nextpayload CERTREQ critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x4701e9b5
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CHACHA20_POLY1305
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --JP-IP-- end --JP-IP--
> spi=0x67cb9c572ac8b67e: send IKE_AUTH req 1 peer --JP-IP--:500 local --UK--:500, 1562 bytes
> spi=0x67cb9c572ac8b67e: recv IKE_AUTH res 1 peer --JP-IP--:500 local --UK--:500, 1527 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x67cb9c572ac8b67e rspi 0x2c3aab6ceed004e7
> ikev2_recv: updated SA to peer --JP-IP--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0x67cb9c572ac8b67e rspi 0x2c3aab6ceed004e7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1527 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1499
> ikev2_msg_decrypt: IV length 8
> ikev2_msg_decrypt: encrypted payload length 1475
> ikev2_msg_decrypt: integrity checksum length 12
> ikev2_msg_decrypt: AAD length 32
> ikev2_msg_decrypt: decrypted payload length 1475/1475 padding 0
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 33
> ikev2_pld_id: id UFQDN/shiva@--CA-HOST-- length 29
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload AUTH nextpayload NOTIFY critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 36
> ikev2_pld_sa: more 0 reserved 0 length 32 proposal #1 protoid ESP spisize 4 xforms 2 spi 0xb1bffe2d
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CHACHA20_POLY1305
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --JP-IP-- end --JP-IP--
> spi=0x67cb9c572ac8b67e: sa_state: SA_INIT -> AUTH_REQUEST
> proposals_negotiate: score 2
> sa_stateflags: 0x000d -> 0x002d cert,certreq,auth,sa (required 0x0032 certvalid,authvalid,sa)
> config_free_proposals: free 0x3c31292ac00
> ca_validate_pubkey: could not open public key pubkeys/ufqdn/shiva@--CA-HOST--
> ca_validate_cert: /C=JP/ST=Tokyo/L=Heiwajima/O=Telecom Lobby/OU=VPNC/CN=--JP-HOST-- ok
> ikev2_getimsgdata: imsg 23 rspi 0x2c3aab6ceed004e7 ispi 0x67cb9c572ac8b67e initiator 1 sa valid type 4 data length 1064
> ikev2_msg_auth: responder auth data length 431
> ikev2_msg_authverify: method SIG keylen 1064 type X509_CERT
> _dsa_verify_init: signature scheme 0 selected
> ikev2_msg_authverify: authentication successful
> spi=0x67cb9c572ac8b67e: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x0032 certvalid,authvalid,sa)
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> spi=0x67cb9c572ac8b67e: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> sa_stateok: VALID flags 0x0032, require 0x0032 certvalid,authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 72
> ikev2_prfplus: T1 with 64 bytes
> ikev2_prfplus: T2 with 64 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_add: add spi 0xb1bffe2d
> ikev2_childsa_enable: loaded CHILD SA spi 0xb1bffe2d
> pfkey_sa_add: update spi 0x4701e9b5
> ikev2_childsa_enable: loaded CHILD SA spi 0x4701e9b5
> ikev2_childsa_enable: loaded flow 0x3c2eec20c00
> ikev2_childsa_enable: loaded flow 0x3c324182000
> ikev2_childsa_enable: remember SA peer --JP-IP--:500
> spi=0x67cb9c572ac8b67e: ikev2_childsa_enable: loaded SPIs: 0xb1bffe2d, 0x4701e9b5
> spi=0x67cb9c572ac8b67e: ikev2_childsa_enable: loaded flows: ESP---UK--/32=--JP-IP--/32(47)
> spi=0x67cb9c572ac8b67e: sa_state: VALID -> ESTABLISHED from --JP-IP--:500 to --UK--:500 policy '--JP-HOST--'
> spi=0x67cb9c572ac8b67e: established peer --JP-IP--:500[UFQDN/shiva@--CA-HOST--] local --UK--:500[UFQDN/--UK-ID--] policy '--JP-HOST--' as initiator
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> spi=0xf2043da59221143f: recv INFORMATIONAL req 0 peer --FR--:500 local --UK--:500, 112 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 0 length 112 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 84
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 48
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 48/48 padding 47
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 0 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 0 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003184
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003184
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003183
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 3 second(s) ago
> pfkey_sa_lookup: last_used 1614003183
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 3 second(s) ago
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xf94ce3fc2e48f7f2: recv IKE_SA_INIT req 0 peer --CAT--:500 local --UK--:500, 1056 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xf94ce3fc2e48f7f2 rspi 0x0000000000000000
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1056 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 832
> ikev2_pld_sa: more 2 reserved 0 length 352 proposal #1 protoid IKE spisize 0 xforms 37 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_sa: more 0 reserved 0 length 476 proposal #2 protoid IKE spisize 0 xforms 45 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0xf94ce3fc2e48f7f2 0x0000000000000000 --CAT--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0xf94ce3fc2e48f7f2 0x0000000000000000 --UK--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xf94ce3fc2e48f7f2: sa_state: INIT -> SA_INIT
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0xf94ce3fc2e48f7f2: ikev2_sa_keys: DHSECRET with 32 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0xf94ce3fc2e48f7f2: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 72 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0xf94ce3fc2e48f7f2 0x1d51ac7d723a726d --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0xf94ce3fc2e48f7f2 0x1d51ac7d723a726d --CAT--:500
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 279 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0xf94ce3fc2e48f7f2: send IKE_SA_INIT res 0 peer --CAT--:500 local --UK--:500, 279 bytes
> config_free_proposals: free 0x3c31292ae80
> config_free_proposals: free 0x3c31292a880
> spi=0xf94ce3fc2e48f7f2: recv IKE_AUTH req 1 peer --CAT--:4500 local --UK--:4500, 1792 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d
> ikev2_recv: updated SA to peer --CAT--:4500 local --UK--:4500
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1792 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1764
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1728
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1728/1728 padding 11
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 33
> ikev2_pld_id: id UFQDN/indra@--CA-HOST-- length 29
> ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY critical 0x00 length 1090
> ikev2_pld_cert: type X509_CERT length 1085
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 85
> ikev2_pld_certreq: type X509_CERT length 80
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_cp: type REQUEST length 8
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 100
> ikev2_pld_sa: more 0 reserved 0 length 96 proposal #1 protoid ESP spisize 4 xforms 9 spi 0xc9f9084d
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 24
> ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP6_ADDRESS
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type IKEV2_MESSAGE_ID_SYNC_SUPPORTED
> ikev2_handle_notifies: mobike enabled
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> spi=0xf94ce3fc2e48f7f2: sa_state: SA_INIT -> AUTH_REQUEST
> policy_lookup: peerid 'indra@--CA-HOST--'
> proposals_negotiate: score 4
> policy_lookup: setting policy '--CAT-HOST--'
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_msg_auth: responder auth data length 343
> ca_setauth: switching SIG_ANY to SIG
> ca_setauth: auth length 343
> proposals_negotiate: score 4
> sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> config_free_proposals: free 0x3c31292a480
> ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_getreq: found local certificate /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST--
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> ca_setauth: auth length 272
> ca_validate_pubkey: could not open public key pubkeys/ufqdn/indra@--CA-HOST--
> ca_validate_cert: /C=ES/ST=Catalunya/L=sant Pere de Ribes/O=Telecom Lobby/OU=VPNC/CN=--CAT-HOST-- ok
> ikev2_getimsgdata: imsg 22 rspi 0x1d51ac7d723a726d ispi 0xf94ce3fc2e48f7f2 initiator 0 sa valid type 4 data length 1064
> ikev2_dispatch_cert: cert type X509_CERT length 1064, ok
> sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_getimsgdata: imsg 28 rspi 0x1d51ac7d723a726d ispi 0xf94ce3fc2e48f7f2 initiator 0 sa valid type 14 data length 272
> ikev2_dispatch_cert: AUTH type 14 len 272
> sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_getimsgdata: imsg 23 rspi 0x1d51ac7d723a726d ispi 0xf94ce3fc2e48f7f2 initiator 0 sa valid type 4 data length 1085
> ikev2_msg_auth: initiator auth data length 1120
> ikev2_msg_authverify: method SIG keylen 1085 type X509_CERT
> _dsa_verify_init: signature scheme 0 selected
> ikev2_msg_authverify: authentication successful
> spi=0xf94ce3fc2e48f7f2: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> spi=0xf94ce3fc2e48f7f2: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0xba75d84f
> pfkey_sa_init: new spi 0xba75d84f
> ikev2_next_payload: length 35 nextpayload CERT
> ikev2_next_payload: length 1069 nextpayload AUTH
> ikev2_next_payload: length 280 nextpayload CP
> ikev2_next_payload: length 8 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload SA
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_next_payload: length 1540 nextpayload IDr
> ikev2_msg_encrypt: decrypted length 1500
> ikev2_msg_encrypt: padded length 1504
> ikev2_msg_encrypt: length 1501, padding 3, output length 1536
> ikev2_msg_integr: message length 1568
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1504
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 3
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 35
> ikev2_pld_id: id UFQDN/--UK-ID-- length 31
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_cp: type REPLY length 0
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0xba75d84f
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --CAT-- end --CAT--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> spi=0xf94ce3fc2e48f7f2: send IKE_AUTH res 1 peer --CAT--:4500 local --UK--:4500, 1568 bytes, NAT-T
> pfkey_sa_add: update spi 0xba75d84f
> ikev2_childsa_enable: loaded CHILD SA spi 0xba75d84f
> pfkey_sa_add: add spi 0xc9f9084d
> ikev2_childsa_enable: loaded CHILD SA spi 0xc9f9084d
> ikev2_childsa_enable: loaded flow 0x3c324182800
> ikev2_childsa_enable: loaded flow 0x3c2eec20400
> ikev2_childsa_enable: remember SA peer --CAT--:4500
> spi=0xf94ce3fc2e48f7f2: ikev2_childsa_enable: loaded SPIs: 0xba75d84f, 0xc9f9084d
> spi=0xf94ce3fc2e48f7f2: ikev2_childsa_enable: loaded flows: ESP---UK--/32=--CAT--/32(47)
> spi=0xf94ce3fc2e48f7f2: sa_state: VALID -> ESTABLISHED from --CAT--:4500 to --UK--:4500 policy '--CAT-HOST--'
> spi=0xf94ce3fc2e48f7f2: established peer --CAT--:4500[UFQDN/indra@--CA-HOST--] local --UK--:4500[UFQDN/--UK-ID--] policy '--CAT-HOST--' as responder
> pfkey_sa_lookup: last_used 1614003186
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003186
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4428 peer --FR--:500 local --UK--:500, 96 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xc5881d3ed32f5801: recv INFORMATIONAL req 4429 peer --FR--:500 local --UK--:500, 240 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xc5881d3ed32f5801 rspi 0xfcad33aa65954d8e
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> spi=0xf2043da59221143f: recv INFORMATIONAL req 1 peer --FR--:500 local --UK--:500, 128 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 1 length 128 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 100
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 64
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 64/64 padding 63
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 1 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 1 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003199
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003199
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003198
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 3 second(s) ago
> pfkey_sa_lookup: last_used 1614003198
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 3 second(s) ago
> pfkey_sa_lookup: last_used 1614003201
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003201
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003201
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> spi=0xf2043da59221143f: recv INFORMATIONAL req 2 peer --FR--:500 local --UK--:500, 144 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 2 length 144 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 116
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 80
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 80/80 padding 79
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 2 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 2 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003214
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003214
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003216
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003216
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003216
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003216
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003216
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> ikev2_init_ike_sa: "--FR-HOST--" is already active
> ikev2_init_ike_sa: "--US-HOST--" is already active
> ikev2_init_ike_sa: "--JP-HOST--" is already active
> spi=0xf2043da59221143f: recv INFORMATIONAL req 3 peer --FR--:500 local --UK--:500, 112 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 3 length 112 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 84
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 48
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 48/48 padding 47
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 3 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 3 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003229
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003229
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003231
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003231
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003231
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003231
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003231
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> spi=0xf2043da59221143f: recv INFORMATIONAL req 4 peer --FR--:500 local --UK--:500, 128 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 4 length 128 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 100
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 64
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 64/64 padding 63
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 4 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 4 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003244
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003245
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003246
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003246
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003246
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003246
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003246
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 5 peer --FR--:500 local --UK--:500, 96 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 5 length 96 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 32
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 32/32 padding 31
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 5 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 5 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003259
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003259
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003261
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003261
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003261
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003261
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003261
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 0 second(s) ago
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0xb3a689d63d247dd3: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xb3a689d63d247dd3 rspi 0x3ec4e46becafef14
> spi=0xf2043da59221143f: recv INFORMATIONAL req 6 peer --FR--:500 local --UK--:500, 96 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 6 length 96 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 32
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 32/32 padding 31
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 6 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 6 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003275
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003275
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003276
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003276
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003276
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003276
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003275
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> ikev2_init_ike_sa: "--FR-HOST--" is already active
> ikev2_init_ike_sa: "--US-HOST--" is already active
> ikev2_init_ike_sa: "--JP-HOST--" is already active
> spi=0xf2043da59221143f: recv INFORMATIONAL req 7 peer --FR--:500 local --UK--:500, 112 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 7 length 112 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 84
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 48
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 48/48 padding 47
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 7 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 7 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003290
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003290
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003291
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003291
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003291
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003291
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003290
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 8 peer --FR--:500 local --UK--:500, 144 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 8 length 144 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 116
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 80
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 80/80 padding 79
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 8 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 8 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003305
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003305
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003306
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003306
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003306
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003306
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003305
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 9 peer --FR--:500 local --UK--:500, 160 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 9 length 160 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 132
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 96
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 96/96 padding 95
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 9 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 9 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003319
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003320
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003321
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003321
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003321
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003321
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003320
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 10 peer --FR--:500 local --UK--:500, 96 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 10 length 96 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 32
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 32/32 padding 31
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 10 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 10 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003334
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003335
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003336
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003336
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003336
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003336
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003335
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> ikev2_init_ike_sa: "--FR-HOST--" is already active
> ikev2_init_ike_sa: "--US-HOST--" is already active
> ikev2_init_ike_sa: "--JP-HOST--" is already active
> spi=0xf2043da59221143f: recv INFORMATIONAL req 11 peer --FR--:500 local --UK--:500, 96 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 11 length 96 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 68
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 32
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 32/32 padding 31
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 11 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 11 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003349
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003350
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003351
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003351
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003350
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xba75d84f last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003351
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003350
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> spi=0xf94ce3fc2e48f7f2: recv INFORMATIONAL req 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d
> ikev2_recv: updated SA to peer --CAT--:4500 local --UK--:4500
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 2 length 80 response 0
> ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 7
> ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 8
> ikev2_pld_delete: proto IKE spisize 0 nspi 0
> ikev2_next_payload: length 4 nextpayload NONE
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 4
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 5, padding 11, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf94ce3fc2e48f7f2 rspi 0x1d51ac7d723a726d nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 2 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 11
> spi=0xf94ce3fc2e48f7f2: send INFORMATIONAL res 2 peer --CAT--:4500 local --UK--:4500, 80 bytes, NAT-T
> spi=0xf94ce3fc2e48f7f2: ikev2_ikesa_recv_delete: received delete
> spi=0xf94ce3fc2e48f7f2: sa_state: ESTABLISHED -> CLOSED from --CAT--:4500 to --UK--:4500 policy '--CAT-HOST--'
> ikev2_recv: closing SA
> spi=0xf94ce3fc2e48f7f2: sa_free: received delete
> config_free_proposals: free 0x3c27ccfe800
> config_free_proposals: free 0x3c31292a600
> config_free_childsas: free 0x3c2db888f00
> config_free_childsas: free 0x3c300bf3e00
> sa_free_flows: free 0x3c324182800
> sa_free_flows: free 0x3c2eec20400
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0x87993e0d839b617f: recv IKE_SA_INIT req 0 peer --CAT--:500 local --UK--:500, 1056 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0x87993e0d839b617f rspi 0x0000000000000000
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> ikev2_pld_parse: header ispi 0x87993e0d839b617f rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 1056 response 0
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 832
> ikev2_pld_sa: more 2 reserved 0 length 352 proposal #1 protoid IKE spisize 0 xforms 37 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CTR
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_CMAC_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_sa: more 0 reserved 0 length 476 proposal #2 protoid IKE spisize 0 xforms 45 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_16
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_GCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_8
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id CAMELLIA_CCM_12
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_512
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_XCBC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id AES128_CMAC
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_384
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id ECP_521
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P256R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P384R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id BRAINPOOL_P512R1
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id CURVE25519
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_3072
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_4096
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_6144
> ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_8192
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_nat_detection: peer source 0x87993e0d839b617f 0x0000000000000000 --CAT--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_nat_detection: peer destination 0x87993e0d839b617f 0x0000000000000000 --UK--:500
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type FRAGMENTATION_SUPPORTED
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> ikev2_pld_notify: signature hash SHA2_256 (2)
> ikev2_pld_notify: signature hash SHA2_384 (3)
> ikev2_pld_notify: signature hash SHA2_512 (4)
> ikev2_pld_notify: signature hash <UNKNOWN:5> (5)
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type REDIRECT_SUPPORTED
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> policy_lookup: setting policy '--CAT-HOST--'
> spi=0x87993e0d839b617f: sa_state: INIT -> SA_INIT
> proposals_negotiate: score 4
> proposals_negotiate: score 0
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> sa_stateflags: 0x0000 -> 0x0020 sa (required 0x0000 )
> spi=0x87993e0d839b617f: ikev2_sa_keys: DHSECRET with 32 bytes
> ikev2_sa_keys: SKEYSEED with 32 bytes
> spi=0x87993e0d839b617f: ikev2_sa_keys: S with 80 bytes
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: T5 with 32 bytes
> ikev2_prfplus: T6 with 32 bytes
> ikev2_prfplus: T7 with 32 bytes
> ikev2_prfplus: Tn with 224 bytes
> ikev2_sa_keys: SK_d with 32 bytes
> ikev2_sa_keys: SK_ai with 32 bytes
> ikev2_sa_keys: SK_ar with 32 bytes
> ikev2_sa_keys: SK_ei with 32 bytes
> ikev2_sa_keys: SK_er with 32 bytes
> ikev2_sa_keys: SK_pi with 32 bytes
> ikev2_sa_keys: SK_pr with 32 bytes
> ikev2_add_proposals: length 44
> ikev2_next_payload: length 48 nextpayload KE
> ikev2_next_payload: length 72 nextpayload NONCE
> ikev2_next_payload: length 36 nextpayload NOTIFY
> ikev2_nat_detection: local source 0x87993e0d839b617f 0xbd5bf5ce26784624 --UK--:500
> ikev2_next_payload: length 28 nextpayload NOTIFY
> ikev2_nat_detection: local destination 0x87993e0d839b617f 0xbd5bf5ce26784624 --CAT--:500
> ikev2_next_payload: length 28 nextpayload CERTREQ
> ikev2_add_certreq: type X509_CERT length 21
> ikev2_next_payload: length 25 nextpayload NOTIFY
> ikev2_next_payload: length 14 nextpayload NONE
> ikev2_pld_parse: header ispi 0x87993e0d839b617f rspi 0xbd5bf5ce26784624 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 279 response 1
> ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
> ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type DH id ECP_256
> ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 72
> ikev2_pld_ke: dh group ECP_256 reserved 0
> ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
> ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
> ikev2_pld_payloads: payload NOTIFY nextpayload CERTREQ critical 0x00 length 28
> ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
> ikev2_pld_payloads: payload CERTREQ nextpayload NOTIFY critical 0x00 length 25
> ikev2_pld_certreq: type X509_CERT length 20
> ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 14
> ikev2_pld_notify: protoid NONE spisize 0 type SIGNATURE_HASH_ALGORITHMS
> spi=0x87993e0d839b617f: send IKE_SA_INIT res 0 peer --CAT--:500 local --UK--:500, 279 bytes
> config_free_proposals: free 0x3c2ef864700
> config_free_proposals: free 0x3c2a56da100
> spi=0x87993e0d839b617f: recv IKE_AUTH req 1 peer --CAT--:4500 local --UK--:4500, 1792 bytes, policy '--CAT-HOST--'
> ikev2_recv: ispi 0x87993e0d839b617f rspi 0xbd5bf5ce26784624
> ikev2_recv: updated SA to peer --CAT--:4500 local --UK--:4500
> ikev2_pld_parse: header ispi 0x87993e0d839b617f rspi 0xbd5bf5ce26784624 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 1792 response 0
> ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 1764
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1728
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1728/1728 padding 11
> ikev2_pld_payloads: decrypted payload IDi nextpayload CERT critical 0x00 length 33
> ikev2_pld_id: id UFQDN/indra@--CA-HOST-- length 29
> ikev2_pld_payloads: decrypted payload CERT nextpayload NOTIFY critical 0x00 length 1090
> ikev2_pld_cert: type X509_CERT length 1085
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload CERTREQ critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type INITIAL_CONTACT
> ikev2_pld_payloads: decrypted payload CERTREQ nextpayload AUTH critical 0x00 length 85
> ikev2_pld_certreq: type X509_CERT length 80
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 16
> ikev2_pld_cp: type REQUEST length 8
> ikev2_pld_cp: INTERNAL_IP4_ADDRESS 0x0001 length 0
> ikev2_pld_cp: INTERNAL_IP4_DNS 0x0003 length 0
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 100
> ikev2_pld_sa: more 0 reserved 0 length 96 proposal #1 protoid ESP spisize 4 xforms 9 spi 0xc0567d8f
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_384_192
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_512_256
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id AES_XCBC_96
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start 0.0.0.0 end 255.255.255.255
> ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 24
> ikev2_pld_notify: protoid NONE spisize 0 type ADDITIONAL_IP6_ADDRESS
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type EAP_ONLY_AUTHENTICATION
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type IKEV2_MESSAGE_ID_SYNC_SUPPORTED
> ikev2_handle_notifies: mobike enabled
> sa_stateok: SA_INIT flags 0x0000, require 0x0000
> spi=0x87993e0d839b617f: sa_state: SA_INIT -> AUTH_REQUEST
> policy_lookup: peerid 'indra@--CA-HOST--'
> proposals_negotiate: score 4
> policy_lookup: setting policy '--CAT-HOST--'
> ikev2_policy2id: srcid UFQDN/--UK-ID-- length 31
> sa_stateflags: 0x0020 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_msg_auth: responder auth data length 343
> ca_setauth: switching SIG_ANY to SIG
> ca_setauth: auth length 343
> proposals_negotiate: score 4
> sa_stateflags: 0x0024 -> 0x0024 certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> config_free_proposals: free 0x3c2ef864180
> ca_getreq: found CA /C=FR/ST=Seine-Saint-Denis/L=Aubervilliers/O=Telecom Lobby/OU=VPNC/CN=--CA-HOST--
> ca_x509_subjectaltname_do: did not find subjectAltName in certificate
> ca_getreq: found local certificate /C=UK/ST=England/L=London/O=Telecom Lobby/OU=VPNC/CN=--UK-HOST--
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> _dsa_sign_encode: signature scheme 0 selected
> ca_setauth: auth length 272
> ca_validate_pubkey: could not open public key pubkeys/ufqdn/indra@--CA-HOST--
> ca_validate_cert: /C=ES/ST=Catalunya/L=sant Pere de Ribes/O=Telecom Lobby/OU=VPNC/CN=--CAT-HOST-- ok
> ikev2_getimsgdata: imsg 22 rspi 0xbd5bf5ce26784624 ispi 0x87993e0d839b617f initiator 0 sa valid type 4 data length 1064
> ikev2_dispatch_cert: cert type X509_CERT length 1064, ok
> sa_stateflags: 0x0024 -> 0x0025 cert,certreq,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_getimsgdata: imsg 28 rspi 0xbd5bf5ce26784624 ispi 0x87993e0d839b617f initiator 0 sa valid type 14 data length 272
> ikev2_dispatch_cert: AUTH type 14 len 272
> sa_stateflags: 0x0025 -> 0x002d cert,certreq,auth,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_getimsgdata: imsg 23 rspi 0xbd5bf5ce26784624 ispi 0x87993e0d839b617f initiator 0 sa valid type 4 data length 1085
> ikev2_msg_auth: initiator auth data length 1120
> ikev2_msg_authverify: method SIG keylen 1085 type X509_CERT
> _dsa_verify_init: signature scheme 0 selected
> ikev2_msg_authverify: authentication successful
> spi=0x87993e0d839b617f: sa_state: AUTH_REQUEST -> AUTH_SUCCESS
> sa_stateflags: 0x002d -> 0x003d cert,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> ikev2_dispatch_cert: peer certificate is valid
> sa_stateflags: 0x003d -> 0x003f cert,certvalid,certreq,auth,authvalid,sa (required 0x003b cert,certvalid,auth,authvalid,sa)
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> spi=0x87993e0d839b617f: sa_state: AUTH_SUCCESS -> VALID
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> sa_stateok: VALID flags 0x003b, require 0x003b cert,certvalid,auth,authvalid,sa
> ikev2_sa_tag:  (0)
> ikev2_childsa_negotiate: proposal 1
> ikev2_childsa_negotiate: key material length 128
> ikev2_prfplus: T1 with 32 bytes
> ikev2_prfplus: T2 with 32 bytes
> ikev2_prfplus: T3 with 32 bytes
> ikev2_prfplus: T4 with 32 bytes
> ikev2_prfplus: Tn with 128 bytes
> pfkey_sa_getspi: spi 0x41a9644f
> pfkey_sa_init: new spi 0x41a9644f
> ikev2_next_payload: length 35 nextpayload CERT
> ikev2_next_payload: length 1069 nextpayload AUTH
> ikev2_next_payload: length 280 nextpayload CP
> ikev2_next_payload: length 8 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload NOTIFY
> ikev2_add_notify: done
> ikev2_next_payload: length 8 nextpayload SA
> ikev2_add_proposals: length 40
> ikev2_next_payload: length 44 nextpayload TSi
> ikev2_next_payload: length 24 nextpayload TSr
> ikev2_next_payload: length 24 nextpayload NONE
> ikev2_next_payload: length 1540 nextpayload IDr
> ikev2_msg_encrypt: decrypted length 1500
> ikev2_msg_encrypt: padded length 1504
> ikev2_msg_encrypt: length 1501, padding 3, output length 1536
> ikev2_msg_integr: message length 1568
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0x87993e0d839b617f rspi 0xbd5bf5ce26784624 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 1568 response 1
> ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 1540
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 1504
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 1504/1504 padding 3
> ikev2_pld_payloads: decrypted payload IDr nextpayload CERT critical 0x00 length 35
> ikev2_pld_id: id UFQDN/--UK-ID-- length 31
> ikev2_pld_payloads: decrypted payload CERT nextpayload AUTH critical 0x00 length 1069
> ikev2_pld_cert: type X509_CERT length 1064
> ikev2_pld_payloads: decrypted payload AUTH nextpayload CP critical 0x00 length 280
> ikev2_pld_auth: method SIG length 272
> ikev2_pld_payloads: decrypted payload CP nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_cp: type REPLY length 0
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NOTIFY critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type USE_TRANSPORT_MODE
> ikev2_pld_payloads: decrypted payload NOTIFY nextpayload SA critical 0x00 length 8
> ikev2_pld_notify: protoid NONE spisize 0 type MOBIKE_SUPPORTED
> ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
> ikev2_pld_sa: more 0 reserved 0 length 40 proposal #1 protoid ESP spisize 4 xforms 3 spi 0x41a9644f
> ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
> ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
> ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
> ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
> ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --CAT-- end --CAT--
> ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
> ikev2_pld_tss: count 1 length 16
> ikev2_pld_tss: type IPV4_ADDR_RANGE protoid 47 length 16 startport 0 endport 65535
> ikev2_pld_ts: start --UK-- end --UK--
> spi=0x87993e0d839b617f: send IKE_AUTH res 1 peer --CAT--:4500 local --UK--:4500, 1568 bytes, NAT-T
> pfkey_sa_add: update spi 0x41a9644f
> ikev2_childsa_enable: loaded CHILD SA spi 0x41a9644f
> pfkey_sa_add: add spi 0xc0567d8f
> ikev2_childsa_enable: loaded CHILD SA spi 0xc0567d8f
> ikev2_childsa_enable: loaded flow 0x3c324182400
> ikev2_childsa_enable: loaded flow 0x3c2eec20000
> ikev2_childsa_enable: remember SA peer --CAT--:4500
> spi=0x87993e0d839b617f: ikev2_childsa_enable: loaded SPIs: 0x41a9644f, 0xc0567d8f
> spi=0x87993e0d839b617f: ikev2_childsa_enable: loaded flows: ESP---UK--/32=--CAT--/32(47)
> spi=0x87993e0d839b617f: sa_state: VALID -> ESTABLISHED from --CAT--:4500 to --UK--:4500 policy '--CAT-HOST--'
> spi=0x87993e0d839b617f: established peer --CAT--:4500[UFQDN/indra@--CA-HOST--] local --UK--:4500[UFQDN/--UK-ID--] policy '--CAT-HOST--' as responder
> spi=0xf2043da59221143f: recv INFORMATIONAL req 12 peer --FR--:500 local --UK--:500, 112 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 12 length 112 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 84
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 48
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 48/48 padding 47
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 12 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 12 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003365
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003365
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003366
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003366
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003366
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003365
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> pfkey_sa_lookup: last_used 1614003379
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x41a9644f last used 1 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 13 peer --FR--:500 local --UK--:500, 128 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 13 length 128 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 100
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 64
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 64/64 padding 63
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 13 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 13 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003380
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003380
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003381
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003381
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003381
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003380
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> policy_lookup: setting policy '--US-HOST--'
> spi=0xe6cf431822ad3dc9: recv INFORMATIONAL req 53 peer --US-IP--:500 local --UK--:500, 57 bytes, policy '--US-HOST--'
> ikev2_recv: ispi 0xe6cf431822ad3dc9 rspi 0x338f3945413a685a
> ikev2_init_recv: unknown SA
> pfkey_sa_lookup: last_used 1614003392
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x41a9644f last used 3 second(s) ago
> spi=0xf2043da59221143f: recv INFORMATIONAL req 14 peer --FR--:500 local --UK--:500, 160 bytes, policy '--FR-HOST--'
> ikev2_recv: ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5
> ikev2_recv: updated SA to peer --FR--:500 local --UK--:500
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x00 msgid 14 length 160 response 0
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 132
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 96
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 96/96 padding 95
> ikev2_next_payload: length 52 nextpayload NONE
> ikev2_msg_encrypt: decrypted length 0
> ikev2_msg_encrypt: padded length 16
> ikev2_msg_encrypt: length 1, padding 15, output length 48
> ikev2_msg_integr: message length 80
> ikev2_msg_integr: integrity checksum length 16
> ikev2_pld_parse: header ispi 0xf2043da59221143f rspi 0x1f43bd64d771a4e5 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x28 msgid 14 length 80 response 1
> ikev2_pld_payloads: payload SK nextpayload NONE critical 0x00 length 52
> ikev2_msg_decrypt: IV length 16
> ikev2_msg_decrypt: encrypted payload length 16
> ikev2_msg_decrypt: integrity checksum length 16
> ikev2_msg_decrypt: integrity check succeeded
> ikev2_msg_decrypt: decrypted payload length 16/16 padding 15
> spi=0xf2043da59221143f: send INFORMATIONAL res 14 peer --FR--:500 local --UK--:500, 80 bytes
> pfkey_sa_lookup: last_used 1614003394
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0x066d9db6 last used 1 second(s) ago
> pfkey_sa_lookup: last_used 1614003394
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x8f3bad08 last used 1 second(s) ago
> policy_lookup: setting policy '--US-HOST--'
> spi=0xe6cf431822ad3dc9: recv INFORMATIONAL req 53 peer --US-IP--:500 local --UK--:500, 57 bytes, policy '--US-HOST--'
> ikev2_recv: ispi 0xe6cf431822ad3dc9 rspi 0x338f3945413a685a
> ikev2_init_recv: unknown SA
> pfkey_sa_lookup: last_used 1614003396
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xd1bfd520 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003396
> ikev2_ike_sa_alive: incoming CHILD SA spi 0xfc41aa70 last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003396
> ikev2_ike_sa_alive: outgoing CHILD SA spi 0xb1bffe2d last used 0 second(s) ago
> pfkey_sa_lookup: last_used 1614003395
> ikev2_ike_sa_alive: incoming CHILD SA spi 0x4701e9b5 last used 1 second(s) ago
> policy_lookup: setting policy '--US-HOST--'
> spi=0xe6cf431822ad3dc9: recv INFORMATIONAL req 53 peer --US-IP--:500 local --UK--:500, 57 bytes, policy '--US-HOST--'
> ikev2_recv: ispi 0xe6cf431822ad3dc9 rspi 0x338f3945413a685a
> ikev2_init_recv: unknown SA
> policy_lookup: setting policy '--JP-HOST--'
> spi=0x52b68ffd0ebb1984: recv INFORMATIONAL req 93 peer --JP-IP--:500 local --UK--:500, 57 bytes, policy '--JP-HOST--'
> ikev2_recv: ispi 0x52b68ffd0ebb1984 rspi 0xebcdfe906b83921a
> ikev2_init_recv: unknown SA
> ca exiting, pid 842
> control exiting, pid 64161
> ikev2 exiting, pid 15623
> parent terminating