[Swan] klips + ipsec whack --shutdown causes lockup

Brian T btuch at usa.net
Fri Sep 6 14:34:44 UTC 2019


Testing latest master branch 3d5516b1c.  When trying to restart ipsec 
services using klips, I get a device lockup and/or reboot. Syslog seems 
to stop at different places (ssh connection).

Is there other debugging that would help besides whack --debug all?

Thanks!

-Brian


1656 tmp]# ipsec barf
Unable to find KLIPS messages, typically found in /var/log/messages or 
equivalent. You may need to run Libreswan for the first time; 
alternatively, your log files have been emptied (ie, logrotate) or we do 
not understand your logging configuration.
Unable to find Pluto messages, typically found in /var/log/secure or 
equivalent. You may need to run Libreswan for the first time; 
alternatively, your log files have been emptied (ie, logrotate) or we do 
not understand your logging configuration.
DA70N-051656
Fri Sep  6 09:20:15 CDT 2019
+ _________________________ version
+ ipsec --version
Linux Libreswan 3.master-201936.git (netkey) on 4.9.119
+ _________________________ /proc/version
+ cat /proc/version
Linux version 4.9.119 (captain@784c3b036f31) (gcc version 7.4.0 (Ubuntu/Linaro 7.4.0-1ubuntu1~18.04) ) #1 PREEMPT Fri Sep 6 14:00:18 UTC 2019
+ _________________________ /proc/net/ipsec_eroute
+ '[' -r /proc/net/ipsec_eroute ']'
+ _________________________ /proc/net/ipsec_spi
+ '[' -r /proc/net/ipsec_spi ']'
+ _________________________ /proc/net/ipsec_spigrp
+ '[' -r /proc/net/ipsec_spigrp ']'
+ _________________________ /proc/net/ipsec_tncfg
+ '[' -r /proc/net/ipsec_tncfg ']'
+ '[' -r /proc/sys/net/core/xfrm_acq_expires ']'
+ _________________________ ip-xfrm-state
+ ip xfrm state
+ _________________________ ip-xfrm-policy
+ ip xfrm policy
+ _________________________ cat-proc-net-xfrm_stat
+ cat /proc/net/xfrm_stat
XfrmInError                     0
XfrmInBufferError               0
XfrmInHdrError                  0
XfrmInNoStates                  0
XfrmInStateProtoError           0
XfrmInStateModeError            0
XfrmInStateSeqError             0
XfrmInStateExpired              0
XfrmInStateMismatch             0
XfrmInStateInvalid              0
XfrmInTmplMismatch              0
XfrmInNoPols                    0
XfrmInPolBlock                  0
XfrmInPolError                  0
XfrmOutError                    0
XfrmOutBundleGenError           0
XfrmOutBundleCheckError         0
XfrmOutNoStates                 0
XfrmOutStateProtoError          0
XfrmOutStateModeError           0
XfrmOutStateSeqError            0
XfrmOutStateExpired             0
XfrmOutPolBlock                 0
XfrmOutPolDead                  0
XfrmOutPolError                 0
XfrmFwdHdrError                 0
XfrmOutStateInvalid             0
XfrmAcquireError                0
+ _________________________ ip-l2tp-tunnel
+ '[' -d /sys/module/l2tp_core ']'
+ '[' -d /sys/module/ip_vti ']'
+ _________________________ /proc/crypto
+ '[' -r /proc/crypto ']'
+ cat /proc/crypto
name         : hmac(sha512)
driver       : omap-hmac-sha512
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 64

name         : hmac(sha384)
driver       : omap-hmac-sha384
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 48

name         : sha512
driver       : omap-sha512
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 64

name         : sha384
driver       : omap-sha384
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 128
digestsize   : 48

name         : hmac(sha256)
driver       : omap-hmac-sha256
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 32

name         : hmac(sha224)
driver       : omap-hmac-sha224
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : omap-sha256
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 32

name         : sha224
driver       : omap-sha224
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 28

name         : hmac(md5)
driver       : omap-hmac-md5
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 16

name         : hmac(sha1)
driver       : omap-hmac-sha1
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 20

name         : md5
driver       : omap-md5
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 16

name         : sha1
driver       : omap-sha1
module       : kernel
priority     : 400
refcnt       : 1
selftest     : passed
internal     : no
type         : ahash
async        : yes
blocksize    : 64
digestsize   : 20

name         : cbc(des3_ede)
driver       : cbc-des3-omap
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 8
geniv        : <default>

name         : ecb(des3_ede)
driver       : ecb-des3-omap
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 8
min keysize  : 24
max keysize  : 24
ivsize       : 0
geniv        : <default>

name         : cbc(des)
driver       : cbc-des-omap
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 8
min keysize  : 8
max keysize  : 8
ivsize       : 8
geniv        : <default>

name         : ecb(des)
driver       : ecb-des-omap
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 8
min keysize  : 8
max keysize  : 8
ivsize       : 0
geniv        : <default>

name         : rfc4106(gcm(aes))
driver       : rfc4106-gcm-aes-omap
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 1
ivsize       : 8
maxauthsize  : 16
geniv        : <none>

name         : gcm(aes)
driver       : gcm-aes-omap
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : aead
async        : yes
blocksize    : 1
ivsize       : 12
maxauthsize  : 16
geniv        : <none>

name         : ctr(aes)
driver       : ctr-aes-omap
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : eseqiv

name         : cbc(aes)
driver       : cbc-aes-omap
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 16
geniv        : <default>

name         : ecb(aes)
driver       : ecb-aes-omap
module       : kernel
priority     : 300
refcnt       : 1
selftest     : passed
internal     : no
type         : ablkcipher
async        : yes
blocksize    : 16
min keysize  : 16
max keysize  : 32
ivsize       : 0
geniv        : <default>

name         : jitterentropy_rng
driver       : jitterentropy_rng
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha256
module       : kernel
priority     : 207
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha512
module       : kernel
priority     : 206
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha384
module       : kernel
priority     : 205
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_nopr_hmac_sha1
module       : kernel
priority     : 204
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha256
module       : kernel
priority     : 203
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha512
module       : kernel
priority     : 202
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha384
module       : kernel
priority     : 201
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : stdrng
driver       : drbg_pr_hmac_sha1
module       : kernel
priority     : 200
refcnt       : 1
selftest     : passed
internal     : no
type         : rng
seedsize     : 0

name         : lzo
driver       : lzo-generic
module       : kernel
priority     : 0
refcnt       : 2
selftest     : passed
internal     : no
type         : compression

name         : crct10dif
driver       : crct10dif-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 2

name         : crc32c
driver       : crc32c-generic
module       : kernel
priority     : 100
refcnt       : 2
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 4

name         : michael_mic
driver       : michael_mic-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 8
digestsize   : 8

name         : deflate
driver       : deflate-generic
module       : kernel
priority     : 0
refcnt       : 2
selftest     : passed
internal     : no
type         : compression

name         : ecb(arc4)
driver       : ecb(arc4)-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 1
max keysize  : 256
ivsize       : 0
geniv        : <default>

name         : arc4
driver       : arc4-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 1
min keysize  : 1
max keysize  : 256

name         : aes
driver       : aes-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 16
min keysize  : 16
max keysize  : 32

name         : des3_ede
driver       : des3_ede-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 8
min keysize  : 24
max keysize  : 24

name         : des
driver       : des-generic
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 8
min keysize  : 8
max keysize  : 8

name         : sha384
driver       : sha384-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 128
digestsize   : 48

name         : sha512
driver       : sha512-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 128
digestsize   : 64

name         : sha224
driver       : sha224-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 28

name         : sha256
driver       : sha256-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 32

name         : sha1
driver       : sha1-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 20

name         : md5
driver       : md5-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 64
digestsize   : 16

name         : digest_null
driver       : digest_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : shash
blocksize    : 1
digestsize   : 0

name         : compress_null
driver       : compress_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : compression

name         : ecb(cipher_null)
driver       : ecb-cipher_null
module       : kernel
priority     : 100
refcnt       : 1
selftest     : passed
internal     : no
type         : blkcipher
blocksize    : 1
min keysize  : 0
max keysize  : 0
ivsize       : 0
geniv        : <default>

name         : cipher_null
driver       : cipher_null-generic
module       : kernel
priority     : 0
refcnt       : 1
selftest     : passed
internal     : no
type         : cipher
blocksize    : 1
min keysize  : 0
max keysize  : 0

+ __________________________/proc/sys/net/core/xfrm-star
/usr/libexec/ipsec/barf: line 198: __________________________/proc/sys/net/core/xfrm-star: No such file or directory
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_acq_expires: '
/proc/sys/net/core/xfrm_acq_expires: + cat /proc/sys/net/core/xfrm_acq_expires
30
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_etime: '
/proc/sys/net/core/xfrm_aevent_etime: + cat /proc/sys/net/core/xfrm_aevent_etime
10
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_aevent_rseqth: '
/proc/sys/net/core/xfrm_aevent_rseqth: + cat /proc/sys/net/core/xfrm_aevent_rseqth
2
+ for i in '/proc/sys/net/core/xfrm_*'
+ echo -n '/proc/sys/net/core/xfrm_larval_drop: '
/proc/sys/net/core/xfrm_larval_drop: + cat /proc/sys/net/core/xfrm_larval_drop
1
+ _________________________ /proc/sys/net/ipsec-star
+ '[' -d /proc/sys/net/ipsec ']'
+ _________________________ ipsec/status
+ ipsec whack --status
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ _________________________ ip-addr-list
+ ip addr list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
     link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
     inet 127.0.0.1/8 scope host lo
        valid_lft forever preferred_lft forever
     inet6 ::1/128 scope host
        valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
     link/ether 00:05:e4:05:16:56 brd ff:ff:ff:ff:ff:ff
     inet 172.16.0.225/16 brd 172.16.255.255 scope global eth0
        valid_lft forever preferred_lft forever
     inet6 fe80::205:e4ff:fe05:1656/64 scope link
        valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
     link/ether 00:05:e4:05:16:55 brd ff:ff:ff:ff:ff:ff
     inet 192.168.1.1/24 brd 192.168.1.255 scope global eth1
        valid_lft forever preferred_lft forever
     inet 10.10.0.1/24 brd 10.10.0.255 scope global eth1:10
        valid_lft forever preferred_lft forever
     inet 172.18.0.1/24 brd 172.18.0.255 scope global eth1:20
        valid_lft forever preferred_lft forever
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
     link/sit 0.0.0.0 brd 0.0.0.0
5: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1
     link/tunnel6 :: brd ::
6: usb0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
     link/ether 8a:1d:c0:62:84:77 brd ff:ff:ff:ff:ff:ff
     inet 192.168.111.1/24 brd 192.168.111.255 scope global usb0
        valid_lft forever preferred_lft forever
7: wlan0s2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:05:e4:06:d6:b7 brd ff:ff:ff:ff:ff:ff
8: eth1s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:05:e4:06:a0:27 brd ff:ff:ff:ff:ff:ff
9: eth0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:05:e4:06:a0:26 brd ff:ff:ff:ff:ff:ff
10: wwan0: <BROADCAST,MULTICAST,NOARP> mtu 1500 qdisc noop state DOWN group default qlen 1000
     link/ether 00:00:11:12:13:14 brd ff:ff:ff:ff:ff:ff
+ _________________________ ip-route-list-table-all
+ ip route list table all
prohibit default table usb0
192.168.111.0/24 dev usb0 table usb0 scope link linkdown
default via 172.16.0.1 dev eth0 table eth0
192.168.1.0/24 dev eth1 table eth1 scope link src 192.168.1.1 linkdown
10.10.0.0/24 dev eth1 table eth1:10 scope link src 10.10.0.1 linkdown
172.18.0.0/24 dev eth1 table eth1:20 scope link src 172.18.0.1 linkdown
10.10.0.0/24 dev eth1 proto kernel scope link src 10.10.0.1 linkdown
172.16.0.0/16 dev eth0 proto kernel scope link src 172.16.0.225
172.18.0.0/24 dev eth1 proto kernel scope link src 172.18.0.1 linkdown
192.168.1.0/24 dev eth1 scope link linkdown
192.168.111.0/24 dev usb0 proto kernel scope link src 192.168.111.1 linkdown
broadcast 10.10.0.0 dev eth1 table local proto kernel scope link src 10.10.0.1 linkdown
local 10.10.0.1 dev eth1 table local proto kernel scope host src 10.10.0.1
broadcast 10.10.0.255 dev eth1 table local proto kernel scope link src 10.10.0.1 linkdown
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 172.16.0.0 dev eth0 table local proto kernel scope link src 172.16.0.225
local 172.16.0.225 dev eth0 table local proto kernel scope host src 172.16.0.225
broadcast 172.16.255.255 dev eth0 table local proto kernel scope link src 172.16.0.225
broadcast 172.18.0.0 dev eth1 table local proto kernel scope link src 172.18.0.1 linkdown
local 172.18.0.1 dev eth1 table local proto kernel scope host src 172.18.0.1
broadcast 172.18.0.255 dev eth1 table local proto kernel scope link src 172.18.0.1 linkdown
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.1 linkdown
local 192.168.1.1 dev eth1 table local proto kernel scope host src 192.168.1.1
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.1 linkdown
broadcast 192.168.111.0 dev usb0 table local proto kernel scope link src 192.168.111.1 linkdown
local 192.168.111.1 dev usb0 table local proto kernel scope host src 192.168.111.1
broadcast 192.168.111.255 dev usb0 table local proto kernel scope link src 192.168.111.1 linkdown
fe80::/64 dev eth0 proto kernel metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error 4294967195 pref medium
local ::1 dev lo table local proto unspec metric 0 pref medium
local fe80::205:e4ff:fe05:1656 dev lo table local proto unspec metric 0 pref medium
ff00::/8 dev eth0 table local metric 256 pref medium
unreachable default dev lo proto kernel metric 4294967295 error 4294967195 pref medium
+ _________________________ ip-rule-list
+ ip rule list
0:      from all lookup local
4:      from 192.168.111.1 lookup usb0
10:     from all lookup main
11:     from 172.16.0.225 lookup eth0
12:     from 192.168.1.1 lookup eth1
13:     from 10.10.0.1 lookup eth1:10
14:     from 172.18.0.1 lookup eth1:20
32766:  from all lookup main
32767:  from all lookup default
+ _________________________ ipsec_verify
+ ipsec verify --nocolour
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.master-201936.git (netkey) on 4.9.119
Checking for IPsec support in kernel                    [OK]
  NETKEY: Testing XFRM related proc values
          ICMP default/send_redirects                    [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/send_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!

          ICMP default/accept_redirects                  [NOT DISABLED]

   Disable /proc/sys/net/ipv4/conf/*/accept_redirects or XFRM/NETKEY will act on or cause sending of bogus ICMP redirects!

          XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Checking rp_filter                                      [ENABLED]
  /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
  /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
  /proc/sys/net/ipv4/conf/eth0s3/rp_filter               [ENABLED]
  /proc/sys/net/ipv4/conf/wwan0/rp_filter                [ENABLED]
   rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
  Pluto listening for IKE on udp 500                     [FAILED]
  Pluto listening for IKE/NAT-T on udp 4500              [DISABLED]
  Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]

ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
+ _________________________ ipsec/directory
+ ipsec --directory
/usr/libexec/ipsec
+ _________________________ hostname/fqdn
+ hostname --fqdn
DA70N-051656
+ _________________________ hostname/ipaddress
+ hostname --ip-address
127.0.0.1
+ _________________________ uptime
+ uptime
  09:20:18 up 1 min,  load average: 1.50, 0.44, 0.15
+ _________________________ ps
+ ps alxwf
+ grep -E -i 'ppid|pluto|ipsec|klips'
F   UID   PID  PPID PRI  NI    VSZ   RSS WCHAN  STAT TTY        TIME COMMAND
4     0  5558  5322  20   0   2200  1556 wait   S+   pts/0      0:00                  \_ /bin/sh /usr/libexec/ipsec/barf
0     0  5622  5558  20   0   1684   900 pipe_w S+   pts/0      0:00                      \_ grep -E -i ppid|pluto|ipsec|klips
+ _________________________ ipsec/conf
+ ipsec readwriteconf --config /etc/ipsec.conf
config setup
virtual-private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
         protostack=klips

conn Tunnel1
         left=%defaultroute
         leftid="@HALOHALO"
         leftnexthop=%defaultroute
         leftsubnets={192.168.1.0/24, 172.18.0.0/24, 10.10.0.0/24}
         right=166.130.x.x
         rightid="@RAMRAM"
         rightsubnets={10.0.0.0/24, 10.0.1.0/24, 172.20.0.0/24}
         auto=start
         type=tunnel
         pfs=yes
         salifetime=3600
         ikelifetime=28800
         dpddelay=30
         dpdtimeout=60
         dpdaction=restart
         authby=secret
         auto=start
         type=tunnel
         compress=no
         pfs=yes
         ikepad=yes
         authby=secret
         phase2=esp
         ikev2=no
         ppk=no
         esn=no
+ _________________________ ipsec/secrets
+ ipsec _secretcensor
+ cat /etc/ipsec.secrets
# This file holds shared secrets (PSK) and XAUTH user passwords used for
# authentication.  See pluto(8) manpage or the libreswan website.

# Unlike older openswan, this file does NOT contain any X.509 related
# information such as private key :RSA statements as these now reside
# in the NSS database. See:
#
# https://libreswan.org/wiki/Using_NSS_with_libreswan
# https://libreswan.org/wiki/Migrating_from_Openswan
#
# The preferred method for adding secrets is to create a new file in
# the /etc/ipsec.d/ directory, so it will be included via the include
# line below

include /etc/ipsec.d/*.secrets
+ _________________________ ipsec/listall
+ ipsec whack --listall
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
+ _________________________ nss/contents
+ certutil -L -d sql:/etc/ipsec.d

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

+ _________________________ nss/crls
+ crlutil -L -d sql:/etc/ipsec.d


CRL names                                CRL Type

+ '[' -n /etc/ipsec.d/policies ']'
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/block
+ base=block
+ _________________________ ipsec/policies/block
+ cat /etc/ipsec.d/policies/block
# This file defines the set of network destinations for which
# communication should never be allowed.
#
# One IPv4 or IPv6 CIDR per line, optionally specifying a further
# narrowing of protocol, source port and destination port
#
# examples:
# 10.0.1.0/24
# 2a03:6000:1004:1::/64
#
# block some outgoing ssh to range
#  10.0.1.0/24  tcp  0  22
# block all incoming ssh
#  0.0.0.0/0  tcp  22  0
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/clear
+ base=clear
+ _________________________ ipsec/policies/clear
+ cat /etc/ipsec.d/policies/clear
# This file defines the set of network destinations for which
# communication should always be in the clear.
#
# One IPv4 or IPv6 CIDR per line, optionally specifying a further
# narrowing of protocol, source port and destination port
#
# examples:
# 10.0.1.0/24
# 2a03:6000:1004:1::/64
#
# dont IPsec encrypt ssh to a range
#  10.0.1.0/24  tcp  0  22
# don't IPsec encrypt any incoming ssh
#  0.0.0.0/0  tcp  22  0
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/clear-or-private
+ base=clear-or-private
+ _________________________ ipsec/policies/clear-or-private
+ cat /etc/ipsec.d/policies/clear-or-private
# This file defines the set of CIDRs (network/mask-length) to which
# we will communicate in the clear, or, if the other side initiates IPSEC,
# using encryption.  This behaviour is also called "Opportunistic Responder".
# One IPv4 or IPv6 CIDR per line.

# This file defines the set of network destinations for which
# communications will be in the clear, or if the other side initiates IPsec
# to use, will be encrypted on their request. This behaviour is also called
# "Opportunistic Responder".
#
# One IPv4 or IPv6 CIDR per line, optionally specifying a further
# narrowing of protocol, source port and destination port
#
# examples:
# encrypt all traffic to an IPv4 or IPv6 host or subnet if they request it
# 10.0.1.0/24
# 10.1.1.1/32
# 2a03:6000:1004:1::/64
#
# encrypt all smtp traffic to some host if they want to
#  10.0.1.0/24  tcp  0  25
# encrypt all incoming smtp traffic from some host if they request it
#  0.0.0.0/0  tcp  25  0
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/portexcludes.conf
+ base=portexcludes.conf
+ _________________________ ipsec/policies/portexcludes.conf
+ cat /etc/ipsec.d/policies/portexcludes.conf
# Direction     Proto   Source  Dest    Prio
#
# Exclude ssh incoming and outgoing from IPsec encryption for ipv4 and ipv6
#both           tcp     any     22      1023
#
# Exclude outgoing HTTPS from IPsec encryption for ipv4 and ipv6
#out            tcp     any     443     1023
#
# Exclude incoming SMTP for ipv4 for ipv4
#in             tcp     any4    25      1023
# Exclude incoming SMTP for ipv4 from 10.0.0.0/8 only
#in             tcp     10.0.0.0/8      25      1023
#
# All udp port 666 should go in the clear within 10/8
#both   udp     10.0.0.0/8      10.0.0.0/8@666  1023
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/private
+ base=private
+ _________________________ ipsec/policies/private
+ cat /etc/ipsec.d/policies/private
# This file defines the set of CIDRs (network/mask-length) to which
# we MUST communicate in the clear. Otherwise traffic is blocked. This
# is enforced (and can be tweaked) by setting the negotiationshunt= and
# failureshunt= to drop.
#
# One IPv4 or IPv6 CIDR per line, optionally specifying a further
# narrowing of protocol, source port and destination port
#
# examples:
# encrypt all traffic to an IPv4 or IPv6 host or subnet
# 10.0.1.0/24
# 10.1.1.1/32
# 2a03:6000:1004:1::/64
#
# encrypt all smtp traffic to some host
#  10.0.1.0/24  tcp  0  25
# encrypt all incoming smtp traffic
#  0.0.0.0/0  tcp  25  0
+ for policy in '${POLICIES}/*'
++ basename /etc/ipsec.d/policies/private-or-clear
+ base=private-or-clear
+ _________________________ ipsec/policies/private-or-clear
+ cat /etc/ipsec.d/policies/private-or-clear
# This file defines the set of CIDRs (network/mask-length) to which
# communication should be encrypted when possible, but will fallback
# to in the clear otherwise.
#
# This is enforced (and can be tweaked) by setting the failureshunt=
# to passthrough.
#
# One IPv4 or IPv6 CIDR per line, optionally specifying a further
# narrowing of protocol, source port and destination port
#
# examples:
# prefer to encrypt all traffic to an IPv4 or IPv6 host or subnet
# 10.0.1.0/24
# 10.1.1.1/32
# 2a03:6000:1004:1::/64
#
# prefer to encrypt all smtp traffic to some host
#  10.0.1.0/24  tcp  0  25
# prefer encrypt all incoming smtp traffic
#  0.0.0.0/0  tcp  25  0
#
# Ideally, enable this for every host on the internet
# 0.0.0.0/0
+ _________________________ ipsec/ls-execdir
+ ls -l /usr/libexec/ipsec
-rwxr-xr-x    1 root     root        148568 Sep  6 09:12 _import_crl
-rwxr-xr-x    1 root     root          3055 Sep  6 09:12 _plutorun
-rwxr-xr-x    1 root     root          1918 Sep  6 09:12 _secretcensor
-rwxr-xr-x    1 root     root         12467 Sep  6 09:12 _stackmanager
-rwxr-xr-x    1 root     root          2126 Sep  6 09:12 _unbound-hook
-rwxr-xr-x    1 root     root          4335 Sep  6 09:12 _updown
-rwxr-xr-x    1 root     root         18680 Sep  6 09:12 _updown.klips
-rwxr-xr-x    1 root     root         23873 Sep  6 09:12 _updown.netkey
-rwxr-xr-x    1 root     root        188640 Sep  6 09:12 addconn
-rwxr-xr-x    1 root     root        358552 Sep  6 09:12 algparse
-rwxr-xr-x    1 root     root          6079 Sep  6 09:12 auto
-rwxr-xr-x    1 root     root         12380 Sep  6 09:12 barf
-rwxr-xr-x    1 root     root        334688 Sep  6 09:12 cavp
-rwxr-xr-x    1 root     root         88412 Sep  6 09:12 enumcheck
-rwxr-xr-x    1 root     root         99428 Sep  6 09:12 eroute
-rwxr-xr-x    1 root     root        145908 Sep  6 09:12 ipcheck
-rwxr-xr-x    1 root     root         26984 Sep  6 09:12 jambufcheck
-rwxr-xr-x    1 root     root         81136 Sep  6 09:12 klipsdebug
-rwxr-xr-x    1 root     root         10411 Sep  6 09:12 letsencrypt
-rwxr-xr-x    1 root     root          4467 Sep  6 09:12 look
-rwxr-xr-x    1 root     root          3321 Sep  6 09:12 newhostkey
-rwxr-xr-x    1 root     root         76080 Sep  6 09:12 pf_key
-rwxr-xr-x    1 root     root       1480628 Sep  6 09:12 pluto
-rwxr-xr-x    1 root     root        163884 Sep  6 09:12 readwriteconf
-rwxr-xr-x    1 root     root        158560 Sep  6 09:12 rsasigkey
-rwxr-xr-x    1 root     root          6232 Sep  6 09:12 setup
-rwxr-xr-x    1 root     root          3597 Sep  6 09:12 show
-rwxr-xr-x    1 root     root        158592 Sep  6 09:12 showhostkey
-rwxr-xr-x    1 root     root         83304 Sep  6 09:12 shunkcheck
-rwxr-xr-x    1 root     root        335652 Sep  6 09:12 spi
-rwxr-xr-x    1 root     root         90328 Sep  6 09:12 spigrp
-rwxr-xr-x    1 root     root         34300 Sep  6 09:12 timecheck
-rwxr-xr-x    1 root     root        118668 Sep  6 09:12 tncfg
-rwxr-xr-x    1 root     root         11222 Sep  6 09:12 verify
-rwxr-xr-x    1 root     root        151492 Sep  6 09:12 whack
+ _________________________ /proc/net/dev
+ cat /proc/net/dev
Inter-|   Receive                                                | Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
  eth0:   26373     335    0    0    0     0          0         0   117085     560    0    0    0     0       0          0
  eth1:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
eth1s3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  usb0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
eth0s3:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
  sit0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
wlan0s2:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
 wwan0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
ip6tnl0:       0       0    0    0    0     0          0         0        0       0    0    0    0     0       0          0
    lo:    1791      24    0    0    0     0          0         0     1791      24    0    0    0     0       0          0
+ _________________________ /proc/net/route
+ cat /proc/net/route
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
eth1    00000A0A        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth0    000010AC        00000000        0001    0       0       0       0000FFFF        0       0       0
eth1    000012AC        00000000        0001    0       0       0       00FFFFFF        0       0       0
eth1    0001A8C0        00000000        0001    0       0       0       00FFFFFF        0       0       0
usb0    006FA8C0        00000000        0001    0       0       0       00FFFFFF        0       0       0
+ _________________________ /proc/sys/net/ipv4/ip_no_pmtu_disc
+ cat /proc/sys/net/ipv4/ip_no_pmtu_disc
0
+ _________________________ /proc/sys/net/ipv4/ip_forward
+ cat /proc/sys/net/ipv4/ip_forward
1
+ _________________________ /proc/sys/net/ipv4/tcp_ecn
+ cat /proc/sys/net/ipv4/tcp_ecn
2
+ _________________________ /proc/sys/net/ipv4/conf/star-rp_filter
+ cd /proc/sys/net/ipv4/conf
+ grep -E '^' all/rp_filter default/rp_filter eth0/rp_filter eth0s3/rp_filter eth1/rp_filter eth1s3/rp_filter ip6tnl0/rp_filter lo/rp_filter sit0/rp_filter usb0/rp_filter wlan0s2/rp_filter wwan0/rp_filter
all/rp_filter:1
default/rp_filter:1
eth0/rp_filter:0
eth0s3/rp_filter:1
eth1/rp_filter:0
eth1s3/rp_filter:0
ip6tnl0/rp_filter:0
lo/rp_filter:0
sit0/rp_filter:0
usb0/rp_filter:0
wlan0s2/rp_filter:0
wwan0/rp_filter:1
+ _________________________ /proc/sys/net/ipv4/conf/star-star-redirects
+ cd /proc/sys/net/ipv4/conf
+ grep -E '^' all/accept_redirects all/secure_redirects all/send_redirects default/accept_redirects default/secure_redirects default/send_redirects eth0/accept_redirects eth0/secure_redirects eth0/send_redirects eth0s3/accept_redirects eth0s3/secure_redirects eth0s3/send_redirects eth1/accept_redirects eth1/secure_redirects eth1/send_redirects eth1s3/accept_redirects eth1s3/secure_redirects eth1s3/send_redirects ip6tnl0/accept_redirects ip6tnl0/secure_redirects ip6tnl0/send_redirects lo/accept_redirects lo/secure_redirects lo/send_redirects sit0/accept_redirects sit0/secure_redirects sit0/send_redirects usb0/accept_redirects usb0/secure_redirects usb0/send_redirects wlan0s2/accept_redirects wlan0s2/secure_redirects wlan0s2/send_redirects wwan0/accept_redirects wwan0/secure_redirects wwan0/send_redirects
all/accept_redirects:0
all/secure_redirects:1
all/send_redirects:1
default/accept_redirects:1
default/secure_redirects:1
default/send_redirects:1
eth0/accept_redirects:1
eth0/secure_redirects:1
eth0/send_redirects:1
eth0s3/accept_redirects:1
eth0s3/secure_redirects:1
eth0s3/send_redirects:1
eth1/accept_redirects:1
eth1/secure_redirects:1
eth1/send_redirects:1
eth1s3/accept_redirects:1
eth1s3/secure_redirects:1
eth1s3/send_redirects:1
ip6tnl0/accept_redirects:1
ip6tnl0/secure_redirects:1
ip6tnl0/send_redirects:1
lo/accept_redirects:1
lo/secure_redirects:1
lo/send_redirects:1
sit0/accept_redirects:1
sit0/secure_redirects:1
sit0/send_redirects:1
usb0/accept_redirects:1
usb0/secure_redirects:1
usb0/send_redirects:1
wlan0s2/accept_redirects:1
wlan0s2/secure_redirects:1
wlan0s2/send_redirects:1
wwan0/accept_redirects:1
wwan0/secure_redirects:1
wwan0/send_redirects:1
+ _________________________ /proc/sys/net/ipv4/tcp_window_scaling
+ cat /proc/sys/net/ipv4/tcp_window_scaling
1
+ _________________________ /proc/sys/net/ipv4/tcp_adv_win_scale
+ cat /proc/sys/net/ipv4/tcp_adv_win_scale
1
+ _________________________ uname-a
+ uname -a
Linux DA70N-051656 4.9.119 #1 PREEMPT Fri Sep 6 14:00:18 UTC 2019 armv7l GNU/Linux
+ _________________________ config-built-with
+ '[' -r /proc/config_built_with ']'
+ _________________________ distro-release
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/redhat-release ']'
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/debian-release ']'
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/SuSE-release ']'
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/mandrake-release ']'
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/mandriva-release ']'
+ for distro in /etc/redhat-release /etc/debian-release /etc/SuSE-release /etc/mandrake-release /etc/mandriva-release /etc/gentoo-release
+ '[' -f /etc/gentoo-release ']'
+ _________________________ /proc/net/ipsec_version
+ '[' -r /proc/net/ipsec_version ']'
+ '[' -r /proc/sys/net/core/xfrm_acq_expires ']'
++ uname -r
+ echo 'XFRM (4.9.119) support detected '
XFRM (4.9.119) support detected
+ _________________________ iptables
+ '[' -e /proc/net/ip_tables_names ']'
+ '[' -r /sbin/iptables-save -o -r /usr/sbin/iptables-save ']'
+ iptables-save --modprobe=/dev/null
# Generated by iptables-save v1.8.2 on Fri Sep  6 09:20:20 2019
*mangle
:PREROUTING ACCEPT [411:26452]
:INPUT ACCEPT [407:25669]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [674:129118]
:POSTROUTING ACCEPT [709:134436]
-A PREROUTING -i wwan+ -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x400/0xffffffff
-A PREROUTING -i wwan+ -p tcp -m tcp --dport 2022 -j MARK --set-xmark 0x400/0xffffffff
COMMIT
# Completed on Fri Sep  6 09:20:20 2019
# Generated by iptables-save v1.8.2 on Fri Sep  6 09:20:20 2019
*nat
:PREROUTING ACCEPT [16:953]
:INPUT ACCEPT [16:953]
:OUTPUT ACCEPT [2:92]
:POSTROUTING ACCEPT [7:670]
-A PREROUTING -i wwan+ -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10000
-A PREROUTING -i wwan+ -p tcp -m tcp --dport 2022 -j REDIRECT --to-ports 22
-A PREROUTING -d 172.16.0.225/32 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A PREROUTING -d 172.16.0.225/32 -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10001
-A PREROUTING -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 10000
-A PREROUTING -d 192.168.1.1/32 -i eth1 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 10001
-A OUTPUT -o usb0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0s1 -j ACCEPT
-A OUTPUT -o eth1s1 -j ACCEPT
-A OUTPUT -o eth0s2 -j ACCEPT
-A OUTPUT -o eth1s2 -j ACCEPT
-A OUTPUT -o eth0s3 -j ACCEPT
-A OUTPUT -o eth1s3 -j ACCEPT
-A OUTPUT -o wlan+ -j ACCEPT
-A OUTPUT -o wlan0s1 -j ACCEPT
-A OUTPUT -o wlan0s2 -j ACCEPT
-A OUTPUT -o wlan0s3 -j ACCEPT
-A OUTPUT -o vti+ -j ACCEPT
-A OUTPUT -o gre+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A POSTROUTING -o wwan+ -j MASQUERADE
COMMIT
# Completed on Fri Sep  6 09:20:20 2019
# Generated by iptables-save v1.8.2 on Fri Sep  6 09:20:20 2019
*raw
:PREROUTING ACCEPT [427:27092]
:OUTPUT ACCEPT [705:134886]
COMMIT
# Completed on Fri Sep  6 09:20:20 2019
# Generated by iptables-save v1.8.2 on Fri Sep  6 09:20:20 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:FLAGS - [0:0]
:SCAN - [0:0]
:TRAFFIC - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 0:19 -j DROP
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j SCAN
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j SCAN
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j FLAGS
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j FLAGS
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j FLAGS
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j FLAGS
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j FLAGS
-A INPUT -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j FLAGS
-A INPUT -i wwan+ -f -m limit --limit 2/sec -j LOG --log-prefix "**FRAGMENT** " --log-level 7
-A INPUT -i wwan+ -f -j DROP
-A INPUT -i wwan+ -p tcp -m tcp --dport 7785 -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 22 -m limit --limit 3/min --limit-burst 3 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j DROP
-A INPUT -i wwan+ -p tcp -m tcp --dport 502 -j ACCEPT
-A INPUT -i wwan+ -p udp -m udp --dport 502 -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 20000 -j ACCEPT
-A INPUT -i wwan+ -p udp -m udp --dport 20000 -j ACCEPT
-A INPUT -i wwan+ -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -i wwan+ -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -i wwan+ -p tcp -m tcp --dport 10001 -j ACCEPT
-A INPUT -i wwan+ -p udp -m udp --dport 161 -j ACCEPT
-A INPUT -i wwan+ -p icmp -f -m limit --limit 2/sec -j LOG --log-prefix "**ICMP FRAG** " --log-level 7
-A INPUT -i wwan+ -p icmp -f -j DROP
-A INPUT -i wwan+ -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -i wwan+ -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -i wwan+ -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -i wwan+ -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -i wwan+ -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -i usb0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT
-A INPUT -i eth0s1 -p icmp -j ACCEPT
-A INPUT -i eth1s1 -p icmp -j ACCEPT
-A INPUT -i eth0s2 -p icmp -j ACCEPT
-A INPUT -i eth1s2 -p icmp -j ACCEPT
-A INPUT -i eth0s3 -p icmp -j ACCEPT
-A INPUT -i eth1s3 -p icmp -j ACCEPT
-A INPUT -i wlan+ -p icmp -j ACCEPT
-A INPUT -i wlan0s1 -p icmp -j ACCEPT
-A INPUT -i wlan0s2 -p icmp -j ACCEPT
-A INPUT -i wlan0s3 -p icmp -j ACCEPT
-A INPUT -i vti+ -p icmp -j ACCEPT
-A INPUT -i gre+ -p icmp -j ACCEPT
-A INPUT -i tun+ -p icmp -j ACCEPT
-A INPUT -i ipsec+ -p icmp -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 2/sec -j LOG --log-prefix "**ICMP DROP**" --log-level 7
-A INPUT -p icmp -j DROP
-A INPUT -m mark --mark 0x400/0x400 -j ACCEPT
-A INPUT -i wwan+ -p esp -j ACCEPT
-A INPUT -i wwan+ -p vrrp -j ACCEPT
-A INPUT -j TRAFFIC
-A FORWARD -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A FORWARD -o ipsec+ -j ACCEPT
-A FORWARD -i ipsec+ -j ACCEPT
-A FORWARD -i br+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j ACCEPT
-A FORWARD -o br+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -p tcp -m multiport --ports 137,138,139 -j DROP
-A FORWARD -p udp -m multiport --ports 137,138,139 -j DROP
-A FORWARD -o wwan+ -m conntrack --ctstate INVALID -j DROP
-A FORWARD -o wwan+ -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -m limit --limit 2/sec -j LOG --log-prefix "**TCP FORWARD NON-SYN NEW**" --log-level 7
-A FORWARD -o wwan+ -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A FORWARD -i wwan+ -o usb0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i usb0 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i usb0 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth0s1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s1 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s1 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth1s1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s1 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s1 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth0s2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s2 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s2 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth1s2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s2 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s2 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth0s3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s3 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0s3 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o eth1s3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s3 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1s3 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o wlan+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan+ -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan+ -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o wlan0s1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s1 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s1 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o wlan0s2 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s2 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s2 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o wlan0s3 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s3 -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0s3 -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o vti+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vti+ -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i vti+ -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o gre+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i gre+ -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i gre+ -o wwan+ -p tcp -j DROP
-A FORWARD -i wwan+ -o tun+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o wwan+ -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -o wwan+ -p tcp -j DROP
-A FORWARD -i usb0 -o usb0 -j ACCEPT
-A FORWARD -i usb0 -o eth0 -j ACCEPT
-A FORWARD -i usb0 -o eth1 -j ACCEPT
-A FORWARD -i usb0 -o eth0s1 -j ACCEPT
-A FORWARD -i usb0 -o eth1s1 -j ACCEPT
-A FORWARD -i usb0 -o eth0s2 -j ACCEPT
-A FORWARD -i usb0 -o eth1s2 -j ACCEPT
-A FORWARD -i usb0 -o eth0s3 -j ACCEPT
-A FORWARD -i usb0 -o eth1s3 -j ACCEPT
-A FORWARD -i usb0 -o wlan+ -j ACCEPT
-A FORWARD -i usb0 -o wlan0s1 -j ACCEPT
-A FORWARD -i usb0 -o wlan0s2 -j ACCEPT
-A FORWARD -i usb0 -o wlan0s3 -j ACCEPT
-A FORWARD -i usb0 -o vti+ -j ACCEPT
-A FORWARD -i usb0 -o gre+ -j ACCEPT
-A FORWARD -i usb0 -o tun+ -j ACCEPT
-A FORWARD -i eth0 -o usb0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth0s1 -j ACCEPT
-A FORWARD -i eth0 -o eth1s1 -j ACCEPT
-A FORWARD -i eth0 -o eth0s2 -j ACCEPT
-A FORWARD -i eth0 -o eth1s2 -j ACCEPT
-A FORWARD -i eth0 -o eth0s3 -j ACCEPT
-A FORWARD -i eth0 -o eth1s3 -j ACCEPT
-A FORWARD -i eth0 -o wlan+ -j ACCEPT
-A FORWARD -i eth0 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth0 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth0 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth0 -o vti+ -j ACCEPT
-A FORWARD -i eth0 -o gre+ -j ACCEPT
-A FORWARD -i eth0 -o tun+ -j ACCEPT
-A FORWARD -i eth1 -o usb0 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0s1 -j ACCEPT
-A FORWARD -i eth1 -o eth1s1 -j ACCEPT
-A FORWARD -i eth1 -o eth0s2 -j ACCEPT
-A FORWARD -i eth1 -o eth1s2 -j ACCEPT
-A FORWARD -i eth1 -o eth0s3 -j ACCEPT
-A FORWARD -i eth1 -o eth1s3 -j ACCEPT
-A FORWARD -i eth1 -o wlan+ -j ACCEPT
-A FORWARD -i eth1 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth1 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth1 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth1 -o vti+ -j ACCEPT
-A FORWARD -i eth1 -o gre+ -j ACCEPT
-A FORWARD -i eth1 -o tun+ -j ACCEPT
-A FORWARD -i eth0s1 -o usb0 -j ACCEPT
-A FORWARD -i eth0s1 -o eth0 -j ACCEPT
-A FORWARD -i eth0s1 -o eth1 -j ACCEPT
-A FORWARD -i eth0s1 -o eth0s1 -j ACCEPT
-A FORWARD -i eth0s1 -o eth1s1 -j ACCEPT
-A FORWARD -i eth0s1 -o eth0s2 -j ACCEPT
-A FORWARD -i eth0s1 -o eth1s2 -j ACCEPT
-A FORWARD -i eth0s1 -o eth0s3 -j ACCEPT
-A FORWARD -i eth0s1 -o eth1s3 -j ACCEPT
-A FORWARD -i eth0s1 -o wlan+ -j ACCEPT
-A FORWARD -i eth0s1 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth0s1 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth0s1 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth0s1 -o vti+ -j ACCEPT
-A FORWARD -i eth0s1 -o gre+ -j ACCEPT
-A FORWARD -i eth0s1 -o tun+ -j ACCEPT
-A FORWARD -i eth1s1 -o usb0 -j ACCEPT
-A FORWARD -i eth1s1 -o eth0 -j ACCEPT
-A FORWARD -i eth1s1 -o eth1 -j ACCEPT
-A FORWARD -i eth1s1 -o eth0s1 -j ACCEPT
-A FORWARD -i eth1s1 -o eth1s1 -j ACCEPT
-A FORWARD -i eth1s1 -o eth0s2 -j ACCEPT
-A FORWARD -i eth1s1 -o eth1s2 -j ACCEPT
-A FORWARD -i eth1s1 -o eth0s3 -j ACCEPT
-A FORWARD -i eth1s1 -o eth1s3 -j ACCEPT
-A FORWARD -i eth1s1 -o wlan+ -j ACCEPT
-A FORWARD -i eth1s1 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth1s1 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth1s1 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth1s1 -o vti+ -j ACCEPT
-A FORWARD -i eth1s1 -o gre+ -j ACCEPT
-A FORWARD -i eth1s1 -o tun+ -j ACCEPT
-A FORWARD -i eth0s2 -o usb0 -j ACCEPT
-A FORWARD -i eth0s2 -o eth0 -j ACCEPT
-A FORWARD -i eth0s2 -o eth1 -j ACCEPT
-A FORWARD -i eth0s2 -o eth0s1 -j ACCEPT
-A FORWARD -i eth0s2 -o eth1s1 -j ACCEPT
-A FORWARD -i eth0s2 -o eth0s2 -j ACCEPT
-A FORWARD -i eth0s2 -o eth1s2 -j ACCEPT
-A FORWARD -i eth0s2 -o eth0s3 -j ACCEPT
-A FORWARD -i eth0s2 -o eth1s3 -j ACCEPT
-A FORWARD -i eth0s2 -o wlan+ -j ACCEPT
-A FORWARD -i eth0s2 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth0s2 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth0s2 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth0s2 -o vti+ -j ACCEPT
-A FORWARD -i eth0s2 -o gre+ -j ACCEPT
-A FORWARD -i eth0s2 -o tun+ -j ACCEPT
-A FORWARD -i eth1s2 -o usb0 -j ACCEPT
-A FORWARD -i eth1s2 -o eth0 -j ACCEPT
-A FORWARD -i eth1s2 -o eth1 -j ACCEPT
-A FORWARD -i eth1s2 -o eth0s1 -j ACCEPT
-A FORWARD -i eth1s2 -o eth1s1 -j ACCEPT
-A FORWARD -i eth1s2 -o eth0s2 -j ACCEPT
-A FORWARD -i eth1s2 -o eth1s2 -j ACCEPT
-A FORWARD -i eth1s2 -o eth0s3 -j ACCEPT
-A FORWARD -i eth1s2 -o eth1s3 -j ACCEPT
-A FORWARD -i eth1s2 -o wlan+ -j ACCEPT
-A FORWARD -i eth1s2 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth1s2 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth1s2 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth1s2 -o vti+ -j ACCEPT
-A FORWARD -i eth1s2 -o gre+ -j ACCEPT
-A FORWARD -i eth1s2 -o tun+ -j ACCEPT
-A FORWARD -i eth0s3 -o usb0 -j ACCEPT
-A FORWARD -i eth0s3 -o eth0 -j ACCEPT
-A FORWARD -i eth0s3 -o eth1 -j ACCEPT
-A FORWARD -i eth0s3 -o eth0s1 -j ACCEPT
-A FORWARD -i eth0s3 -o eth1s1 -j ACCEPT
-A FORWARD -i eth0s3 -o eth0s2 -j ACCEPT
-A FORWARD -i eth0s3 -o eth1s2 -j ACCEPT
-A FORWARD -i eth0s3 -o eth0s3 -j ACCEPT
-A FORWARD -i eth0s3 -o eth1s3 -j ACCEPT
-A FORWARD -i eth0s3 -o wlan+ -j ACCEPT
-A FORWARD -i eth0s3 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth0s3 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth0s3 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth0s3 -o vti+ -j ACCEPT
-A FORWARD -i eth0s3 -o gre+ -j ACCEPT
-A FORWARD -i eth0s3 -o tun+ -j ACCEPT
-A FORWARD -i eth1s3 -o usb0 -j ACCEPT
-A FORWARD -i eth1s3 -o eth0 -j ACCEPT
-A FORWARD -i eth1s3 -o eth1 -j ACCEPT
-A FORWARD -i eth1s3 -o eth0s1 -j ACCEPT
-A FORWARD -i eth1s3 -o eth1s1 -j ACCEPT
-A FORWARD -i eth1s3 -o eth0s2 -j ACCEPT
-A FORWARD -i eth1s3 -o eth1s2 -j ACCEPT
-A FORWARD -i eth1s3 -o eth0s3 -j ACCEPT
-A FORWARD -i eth1s3 -o eth1s3 -j ACCEPT
-A FORWARD -i eth1s3 -o wlan+ -j ACCEPT
-A FORWARD -i eth1s3 -o wlan0s1 -j ACCEPT
-A FORWARD -i eth1s3 -o wlan0s2 -j ACCEPT
-A FORWARD -i eth1s3 -o wlan0s3 -j ACCEPT
-A FORWARD -i eth1s3 -o vti+ -j ACCEPT
-A FORWARD -i eth1s3 -o gre+ -j ACCEPT
-A FORWARD -i eth1s3 -o tun+ -j ACCEPT
-A FORWARD -i wlan+ -o usb0 -j ACCEPT
-A FORWARD -i wlan+ -o eth0 -j ACCEPT
-A FORWARD -i wlan+ -o eth1 -j ACCEPT
-A FORWARD -i wlan+ -o eth0s1 -j ACCEPT
-A FORWARD -i wlan+ -o eth1s1 -j ACCEPT
-A FORWARD -i wlan+ -o eth0s2 -j ACCEPT
-A FORWARD -i wlan+ -o eth1s2 -j ACCEPT
-A FORWARD -i wlan+ -o eth0s3 -j ACCEPT
-A FORWARD -i wlan+ -o eth1s3 -j ACCEPT
-A FORWARD -i wlan+ -o wlan+ -j ACCEPT
-A FORWARD -i wlan+ -o wlan0s1 -j ACCEPT
-A FORWARD -i wlan+ -o wlan0s2 -j ACCEPT
-A FORWARD -i wlan+ -o wlan0s3 -j ACCEPT
-A FORWARD -i wlan+ -o vti+ -j ACCEPT
-A FORWARD -i wlan+ -o gre+ -j ACCEPT
-A FORWARD -i wlan+ -o tun+ -j ACCEPT
-A FORWARD -i wlan0s1 -o usb0 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth0 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth1 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth0s1 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth1s1 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth0s2 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth1s2 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth0s3 -j ACCEPT
-A FORWARD -i wlan0s1 -o eth1s3 -j ACCEPT
-A FORWARD -i wlan0s1 -o wlan+ -j ACCEPT
-A FORWARD -i wlan0s1 -o wlan0s1 -j ACCEPT
-A FORWARD -i wlan0s1 -o wlan0s2 -j ACCEPT
-A FORWARD -i wlan0s1 -o wlan0s3 -j ACCEPT
-A FORWARD -i wlan0s1 -o vti+ -j ACCEPT
-A FORWARD -i wlan0s1 -o gre+ -j ACCEPT
-A FORWARD -i wlan0s1 -o tun+ -j ACCEPT
-A FORWARD -i wlan0s2 -o usb0 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth0 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth1 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth0s1 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth1s1 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth0s2 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth1s2 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth0s3 -j ACCEPT
-A FORWARD -i wlan0s2 -o eth1s3 -j ACCEPT
-A FORWARD -i wlan0s2 -o wlan+ -j ACCEPT
-A FORWARD -i wlan0s2 -o wlan0s1 -j ACCEPT
-A FORWARD -i wlan0s2 -o wlan0s2 -j ACCEPT
-A FORWARD -i wlan0s2 -o wlan0s3 -j ACCEPT
-A FORWARD -i wlan0s2 -o vti+ -j ACCEPT
-A FORWARD -i wlan0s2 -o gre+ -j ACCEPT
-A FORWARD -i wlan0s2 -o tun+ -j ACCEPT
-A FORWARD -i wlan0s3 -o usb0 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth0 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth1 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth0s1 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth1s1 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth0s2 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth1s2 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth0s3 -j ACCEPT
-A FORWARD -i wlan0s3 -o eth1s3 -j ACCEPT
-A FORWARD -i wlan0s3 -o wlan+ -j ACCEPT
-A FORWARD -i wlan0s3 -o wlan0s1 -j ACCEPT
-A FORWARD -i wlan0s3 -o wlan0s2 -j ACCEPT
-A FORWARD -i wlan0s3 -o wlan0s3 -j ACCEPT
-A FORWARD -i wlan0s3 -o vti+ -j ACCEPT
-A FORWARD -i wlan0s3 -o gre+ -j ACCEPT
-A FORWARD -i wlan0s3 -o tun+ -j ACCEPT
-A FORWARD -i vti+ -o usb0 -j ACCEPT
-A FORWARD -i vti+ -o eth0 -j ACCEPT
-A FORWARD -i vti+ -o eth1 -j ACCEPT
-A FORWARD -i vti+ -o eth0s1 -j ACCEPT
-A FORWARD -i vti+ -o eth1s1 -j ACCEPT
-A FORWARD -i vti+ -o eth0s2 -j ACCEPT
-A FORWARD -i vti+ -o eth1s2 -j ACCEPT
-A FORWARD -i vti+ -o eth0s3 -j ACCEPT
-A FORWARD -i vti+ -o eth1s3 -j ACCEPT
-A FORWARD -i vti+ -o wlan+ -j ACCEPT
-A FORWARD -i vti+ -o wlan0s1 -j ACCEPT
-A FORWARD -i vti+ -o wlan0s2 -j ACCEPT
-A FORWARD -i vti+ -o wlan0s3 -j ACCEPT
-A FORWARD -i vti+ -o vti+ -j ACCEPT
-A FORWARD -i vti+ -o gre+ -j ACCEPT
-A FORWARD -i vti+ -o tun+ -j ACCEPT
-A FORWARD -i gre+ -o usb0 -j ACCEPT
-A FORWARD -i gre+ -o eth0 -j ACCEPT
-A FORWARD -i gre+ -o eth1 -j ACCEPT
-A FORWARD -i gre+ -o eth0s1 -j ACCEPT
-A FORWARD -i gre+ -o eth1s1 -j ACCEPT
-A FORWARD -i gre+ -o eth0s2 -j ACCEPT
-A FORWARD -i gre+ -o eth1s2 -j ACCEPT
-A FORWARD -i gre+ -o eth0s3 -j ACCEPT
-A FORWARD -i gre+ -o eth1s3 -j ACCEPT
-A FORWARD -i gre+ -o wlan+ -j ACCEPT
-A FORWARD -i gre+ -o wlan0s1 -j ACCEPT
-A FORWARD -i gre+ -o wlan0s2 -j ACCEPT
-A FORWARD -i gre+ -o wlan0s3 -j ACCEPT
-A FORWARD -i gre+ -o vti+ -j ACCEPT
-A FORWARD -i gre+ -o gre+ -j ACCEPT
-A FORWARD -i gre+ -o tun+ -j ACCEPT
-A FORWARD -i tun+ -o usb0 -j ACCEPT
-A FORWARD -i tun+ -o eth0 -j ACCEPT
-A FORWARD -i tun+ -o eth1 -j ACCEPT
-A FORWARD -i tun+ -o eth0s1 -j ACCEPT
-A FORWARD -i tun+ -o eth1s1 -j ACCEPT
-A FORWARD -i tun+ -o eth0s2 -j ACCEPT
-A FORWARD -i tun+ -o eth1s2 -j ACCEPT
-A FORWARD -i tun+ -o eth0s3 -j ACCEPT
-A FORWARD -i tun+ -o eth1s3 -j ACCEPT
-A FORWARD -i tun+ -o wlan+ -j ACCEPT
-A FORWARD -i tun+ -o wlan0s1 -j ACCEPT
-A FORWARD -i tun+ -o wlan0s2 -j ACCEPT
-A FORWARD -i tun+ -o wlan0s3 -j ACCEPT
-A FORWARD -i tun+ -o vti+ -j ACCEPT
-A FORWARD -i tun+ -o gre+ -j ACCEPT
-A FORWARD -i tun+ -o tun+ -j ACCEPT
-A FORWARD -m limit --limit 2/sec -j LOG --log-prefix "**FORWARD DROP** " --log-level 7
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o br+ -p tcp -m tcp --tcp-flags SYN,RST SYN -j ACCEPT
-A OUTPUT -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -p tcp -m tcp --sport 10000 -m conntrack --ctstate INVALID -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 10001 -m conntrack --ctstate INVALID -j ACCEPT
-A OUTPUT -o wwan+ -p icmp -m icmp --icmp-type 3 -j DROP
-A OUTPUT -p icmp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o wwan+ -p udp -m udp --dport 500 -j ACCEPT
-A OUTPUT -o wwan+ -p esp -j ACCEPT
-A OUTPUT -o wwan+ -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o usb0 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0s1 -j ACCEPT
-A OUTPUT -o eth1s1 -j ACCEPT
-A OUTPUT -o eth0s2 -j ACCEPT
-A OUTPUT -o eth1s2 -j ACCEPT
-A OUTPUT -o eth0s3 -j ACCEPT
-A OUTPUT -o eth1s3 -j ACCEPT
-A OUTPUT -o wlan+ -j ACCEPT
-A OUTPUT -o wlan0s1 -j ACCEPT
-A OUTPUT -o wlan0s2 -j ACCEPT
-A OUTPUT -o wlan0s3 -j ACCEPT
-A OUTPUT -o vti+ -j ACCEPT
-A OUTPUT -o gre+ -j ACCEPT
-A OUTPUT -o tun+ -j ACCEPT
-A OUTPUT -j TRAFFIC
-A FLAGS -m limit --limit 2/sec -j LOG --log-prefix "**BADFLAGS** " --log-level 7
-A FLAGS -j DROP
-A SCAN -m limit --limit 2/sec -j LOG --log-prefix "**PORTSCAN** " --log-level 7
-A SCAN -j DROP
-A TRAFFIC -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A TRAFFIC -i wwan+ -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j SCAN
-A TRAFFIC -p tcp -m multiport --ports 137,138,139 -j ACCEPT
-A TRAFFIC -p udp -m multiport --ports 137,138,139 -j ACCEPT
-A TRAFFIC -i ipsec+ -j ACCEPT
-A TRAFFIC -o ipsec+ -j ACCEPT
-A TRAFFIC -i usb0 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth0 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth1 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth0s1 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth1s1 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth0s2 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth1s2 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth0s3 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i eth1s3 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i wlan+ -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i wlan0s1 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i wlan0s2 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i wlan0s3 -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i vti+ -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i gre+ -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -i tun+ -m conntrack --ctstate NEW -j ACCEPT
-A TRAFFIC -p gre -j ACCEPT
-A TRAFFIC -d 255.255.255.255/32 -j DROP
-A TRAFFIC -p udp -m udp --dport 53 -j DROP
-A TRAFFIC -m limit --limit 2/sec -j LOG --log-prefix "**PACKET DROP** " --log-level 7
-A TRAFFIC -j DROP
COMMIT
# Completed on Fri Sep  6 09:20:21 2019
+ _________________________ ip6tables
+ '[' -e ip6_tables_names ']'
+ _________________________ /proc/modules
+ '[' -f /proc/modules ']'
+ cat /proc/modules
inet_diag 9171 0 - Live 0xbf30d000
nf_log_ipv6 4241 1 - Live 0xbf308000
nf_conntrack_ipv6 7052 53 - Live 0xbf302000
nf_defrag_ipv6 9577 1 nf_conntrack_ipv6, Live 0xbf2fc000
nf_log_ipv4 3562 8 - Live 0xbf2f8000
nf_log_common 2731 2 nf_log_ipv6,nf_log_ipv4, Live 0xbf2f4000
xt_multiport 1564 4 - Live 0xbf2f0000
xt_TCPMSS 2962 2 - Live 0xbf2ec000
xt_conntrack 2719 112 - Live 0xbf2e8000
xt_LOG 1093 9 - Live 0xbf2e4000
xt_limit 1568 11 - Live 0xbf2e0000
iptable_mangle 1177 1 - Live 0xbf2dc000
ipt_MASQUERADE 955 1 - Live 0xbf2d8000
nf_nat_masquerade_ipv4 1753 1 ipt_MASQUERADE, Live 0xbf2d4000
xt_REDIRECT 1084 6 - Live 0xbf2d0000
nf_nat_redirect 1134 1 xt_REDIRECT, Live 0xbf2cc000
iptable_nat 1323 1 - Live 0xbf2c8000
nf_conntrack_ipv4 6665 60 - Live 0xbf2c2000
nf_defrag_ipv4 1108 1 nf_conntrack_ipv4, Live 0xbf2be000
nf_nat_ipv4 4224 1 iptable_nat, Live 0xbf2b9000
nf_nat 10791 3 nf_nat_masquerade_ipv4,nf_nat_redirect,nf_nat_ipv4, Live 0xbf2b1000
iptable_raw 1040 0 - Live 0xbf2ad000
iptable_filter 1049 1 - Live 0xbf2a9000
ip_tables 10169 4 iptable_mangle,iptable_nat,iptable_raw,iptable_filter, Live 0xbf2a2000
ath9k_htc 53102 0 - Live 0xbf28e000
mac80211 339734 1 ath9k_htc, Live 0xbf224000
ath9k_common 19991 1 ath9k_htc, Live 0xbf21a000
ath9k_hw 345143 2 ath9k_htc,ath9k_common, Live 0xbf1b6000
ath 17993 3 ath9k_htc,ath9k_common,ath9k_hw, Live 0xbf1ad000
cfg80211 200678 4 ath9k_htc,mac80211,ath9k_common,ath, Live 0xbf16b000
GobiNet 51563 0 - Live 0xbf157000 (O)
smsc95xx 16603 0 - Live 0xbf14e000
cdc_ncm 15155 0 - Live 0xbf145000
cdc_ether 4291 0 - Live 0xbf13f000
usbnet 18425 4 GobiNet,smsc95xx,cdc_ncm,cdc_ether, Live 0xbf134000
mii 3782 2 smsc95xx,usbnet, Live 0xbf130000
GobiSerial 6680 0 - Live 0xbf12a000 (O)
ti_am335x_adc 5861 0 - Live 0xbf125000
kfifo_buf 2202 1 ti_am335x_adc, Live 0xbf121000
industrialio 34673 2 ti_am335x_adc,kfifo_buf, Live 0xbf110000
i2c_hid 10037 0 - Live 0xbf109000
usbhid 37931 0 - Live 0xbf0fa000
hid_generic 868 0 - Live 0xbf0f6000
hid 88944 3 i2c_hid,usbhid,hid_generic, Live 0xbf0d9000
xr_usb_serial_common 22029 0 - Live 0xbf0ce000 (O)
option 30974 0 - Live 0xbf0b8000
usb_wwan 6308 1 option, Live 0xbf0b2000
usbserial 20382 3 GobiSerial,option,usb_wwan, Live 0xbf0a7000
ppp_async 7501 0 - Live 0xbf0a2000
ppp_generic 24743 1 ppp_async, Live 0xbf096000
slhc 4596 1 ppp_generic, Live 0xbf091000
gpio_keys 7279 0 - Live 0xbf08b000
evdev 11626 1 - Live 0xbf084000
sd_mod 26469 0 - Live 0xbf078000
sg 20007 0 - Live 0xbf06f000
mtd_spi_sram 3573 0 - Live 0xbf06b000
spi_omap2_mcspi 10318 0 - Live 0xbf065000
lm75 4060 0 - Live 0xbf061000
ads1015 2760 0 - Live 0xbf05d000
hwmon 7269 2 lm75,ads1015, Live 0xbf057000
at25 3836 0 - Live 0xbf053000
at24 6217 0 - Live 0xbf04e000
nvmem_core 8114 2 at25,at24, Live 0xbf048000
usb_f_ecm 5134 1 - Live 0xbf042000
dwc3_omap 3917 0 - Live 0xbf03e000
sxni_iodb 27307 14 - Live 0xbf033000 (O)
g_ether 3177 0 - Live 0xbf02e000
usb_f_rndis 11162 2 g_ether, Live 0xbf026000
libcomposite 34265 3 usb_f_ecm,g_ether,usb_f_rndis, Live 0xbf016000
u_ether 9557 3 usb_f_ecm,g_ether,usb_f_rndis, Live 0xbf00f000
configfs 24170 4 usb_f_ecm,usb_f_rndis,libcomposite, Live 0xbf004000
jbm_feature 2299 0 - Live 0xbf000000
+ _________________________ /proc/meminfo
+ cat /proc/meminfo
MemTotal:         510780 kB
MemFree:          446472 kB
MemAvailable:     465400 kB
Buffers:              40 kB
Cached:            27280 kB
SwapCached:            0 kB
Active:            26972 kB
Inactive:          12340 kB
Active(anon):      13392 kB
Inactive(anon):      424 kB
Active(file):      13580 kB
Inactive(file):    11916 kB
Unevictable:        1396 kB
Mlocked:            1396 kB
HighTotal:             0 kB
HighFree:              0 kB
LowTotal:         510780 kB
LowFree:          446472 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:         13408 kB
Mapped:             8844 kB
Shmem:               740 kB
Slab:              11108 kB
SReclaimable:       3056 kB
SUnreclaim:         8052 kB
KernelStack:        1160 kB
PageTables:         1276 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:      255388 kB
Committed_AS:      70988 kB
VmallocTotal:     507904 kB
VmallocUsed:           0 kB
VmallocChunk:          0 kB
+ _________________________ /proc/net/ipsec-ls
+ '[' -f /proc/net/ipsec_version ']'
+ _________________________ usr/src/linux/.config
+ '[' -f /proc/config.gz ']'
++ uname -r
+ '[' -f /lib/modules/4.9.119/build/.config ']'
+ echo 'no .config file found, cannot list kernel properties'
no .config file found, cannot list kernel properties
+ '[' -f /etc/syslog.conf ']'
+ '[' -f /etc/syslog-ng/syslog-ng.conf ']'
+ '[' -f /etc/rsyslog.conf ']'
+ _________________________ etc/resolv.conf
+ cat /etc/resolv.conf
# DO NOT EDIT THIS FILE.
#
# IT MUST CONTAIN THE SINGLE ENTRY: nameserver 127.0.0.1
#
# USE /etc/dnsmasq/dnsmasq.servers.conf TO EFFECT DNS CHANGES.
#
# DO NOT EDIT THIS FILE.

nameserver 127.0.0.1

+ _________________________ lib/modules-ls
+ ls -ltr /lib/modules
drwxr-xr-x    4 root     root          1712 Sep  6 09:18 4.9.119
+ _________________________ fipscheck
+ cat /proc/sys/crypto/fips_enabled
cat: can't open '/proc/sys/crypto/fips_enabled': No such file or directory
+ _________________________ /proc/ksyms-netif_rx
+ '[' -r /proc/ksyms ']'
+ '[' -r /proc/kallsyms ']'
+ grep -E netif_rx /proc/kallsyms
c05a8d70 t netif_rx_internal
c05a8f20 T netif_rx
c05a8f34 T netif_rx_ni
+ _________________________ lib/modules-netif_rx
+ modulegoo kernel/net/ipv4/ipip.o netif_rx
+ set +x
4.9.119:
+ _________________________ kern.debug
+ '[' -f /var/log/kern.debug ']'
+ _________________________ klog
+ dmesg
+ grep -E -i 'klips|ipsec'
+ _________________________ plog
+ '[' -x /usr/bin/journalctl -o -x /bin/journalctl ']'
+ sed -n '1,$p' /dev/null
+ grep -E -i pluto
+ case "${1}" in
+ cat
+ _________________________ date
+ date
Fri Sep  6 09:20:22 CDT 2019
[root@DA70N-051656 tmp]#
[root@DA70N-051656 tmp]#
[root@DA70N-051656 tmp]#
[root@DA70N-051656 tmp]# slog 5 &
[1] 6981
[root@DA70N-051656 tmp]#
slog v1.04

Tailing the logfile /var/log/messages ( 5 lines )
**** Press CTRL-C to exit ****

Sep  6 09:21:20 pluto[6628]: "Tunnel1/3x3" #1: packet rejected: should 
have been encrypted
Sep  6 09:21:20 pluto[6628]: "Tunnel1/3x3" #1: sending notification 
INVALID_FLAGS to 166.130.x.x:4500
Sep  6 09:21:20 pluto[6628]: "Tunnel1/3x3" #1: packet rejected: should 
have been encrypted
Sep  6 09:21:20 pluto[6628]: "Tunnel1/3x3" #1: sending notification 
INVALID_FLAGS to 166.130.x.x:4500


[root@DA70N-051656 tmp]#
[root@DA70N-051656 tmp]# ipsec whack --debug all; ipsec whack --shutdown
002 shutting down
Sep  6 09:21:26 pluto[6628]: | old debugging none + base+cpu-usage
Sep  6 09:21:26 pluto[6628]: | base debugging = base+cpu-usage
Sep  6 09:21:26 pluto[6628]: | old impairing none + none
Sep  6 09:21:26 pluto[6628]: | base impairing = none
Sep  6 09:21:26 pluto[6628]: | close_any(fd@12) (in whack_process() at 
rcv_whack.c:700)
Sep  6 09:21:26 pluto[6628]: | spent 0.623 milliseconds in whack
Sep  6 09:21:26 pluto[6628]: | accept(whackctlfd, (struct sockaddr 
*)&whackaddr, &whackaddrlen) -> fd@12 (in whack_handle() at rcv_whack.c:722)
Sep  6 09:21:26 pluto[6628]: shutting down
Sep  6 09:21:26 pluto[6628]: | processing: RESET whack log_fd (was 
fd@12) (in exit_pluto() at plutomain.c:1825)
Sep  6 09:21:26 pluto[6628]: | certs and keys locked by 
'free_preshared_secrets'
Sep  6 09:21:26 pluto[6628]: forgetting secrets
Sep  6 09:21:26 pluto[6628]: | certs and keys unlocked by 
'free_preshared_secrets'
Sep  6 09:21:26 pluto[6628]: | start processing: connection 
"Tunnel1/3x3" (in delete_connection() at connections.c:189)
Sep  6 09:21:26 pluto[6628]: | Deleting states for connection - 
including all other IPsec SA's of this IKE SA
Sep  6 09:21:26 pluto[6628]: | pass 0
Sep  6 09:21:26 pluto[6628]: | FOR_EACH_STATE_... in 
foreach_state_by_connection_func_delete
Sep  6 09:21:26 pluto[6628]: | state #10
Sep  6 09:21:26 pluto[6628]: | suspend processing: connection 
"Tunnel1/3x3" (in foreach_state_by_connection_func_delete() at state.c:1310)
Sep  6 09:21:26 pluto[6628]: | start processing: state #10 connection 
"Tunnel1/3x3" from 166.130.x.x:4500 (in 
foreach_state_by_connection_func_delete() at state.c:1310)
Sep  6 09:21:26 pluto[6628]: | pstats #10 ikev1.ipsec deleted completed
Sep  6 09:21:26 pluto[6628]: | [RE]START processing: state #10 
connection "Tunnel1/3x3" from 166.130.x.x:4500 (in delete_state() at 
state.c:879)
Sep  6 09:21:26 pluto[6628]: "Tunnel1/3x3" #10: deleting state 
(STATE_QUICK_I2) aged 36.137s and sending notification
Sep  6 09:21:26 pluto[6628]: | child state #10: QUICK_I2(established 
CHILD SA) => delete
Sep  6 09:21:26 pluto[6628]: | get_sa_info esp.78b9242@166.130.x.x
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p(nil).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p0xb5f10a30.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_build: spi=078b9242 replay=0 
sa_state=1 auth=0 encrypt=0 flags=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found 
address=166.130.x.x:0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x24da8e8 
allocated 88 bytes, &(extensions[0])=0p0xbecfafac
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=5(get), errno=0, satype=3(ESP), len=11, res=0, seq=77, pid=6628.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 5(get).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=9
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=9.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x24da8f8 with 
parser pfkey_sa_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=078b9242 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x24da910 with parser 
pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0x24da928 with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=166.130.x.x 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:26 pluto[6628]: | finish_pfkey_msg: K_SADB_GET message 77 
for Get SA esp.78b9242@166.130.x.x
Sep  6 09:21:26 pluto[6628]: |   02 05 00 03  0b 00 00 00  4d 00 00 00  
e4 19 00 00
Sep  6 09:21:26 pluto[6628]: |   03 00 01 00  07 8b 92 42  00 01 00 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   00 00 00 00  00 00 00 00  03 00 05 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   02 00 00 00  64 46 d1 22  00 00 00 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   03 00 06 00  00 00 00 00  02 00 00 00  
a6 82 3e 34
Sep  6 09:21:26 pluto[6628]: |   00 00 00 00  00 00 00 00
Sep  6 09:21:26 pluto[6628]: | pfkey_get: K_SADB_GET message 77
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 0 (16)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 1 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 5 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 6 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=5(get), errno=0, satype=3(ESP), len=15, res=0, seq=77, pid=6628.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 5(get).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=13
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=13.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=13 
ext_type=1(security-association) ext_len=3 parsing ext 0p0xbecfb0c4 with 
parser pfkey_sa_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=078b9242 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=2(lifetime-current) remain=10.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=10 
ext_type=2(lifetime-current) ext_len=4 parsing ext 0p0xbecfb0dc with 
parser pfkey_lifetime_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_lifetime_parse:enter
Sep  6 09:21:26 pluto[6628]: | pfkey_lifetime_parse: 
life_type=2(lifetime-current) alloc=1 bytes=0 add=42949500 use=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
2(lifetime-current) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0xbecfb0fc with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0xbecfb114 with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=166.130.x.x 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:26 pluto[6628]: | get_sa_info esp.1c62f788@100.70.209.34
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p(nil).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p0xb5f10a30.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_build: spi=1c62f788 replay=0 
sa_state=1 auth=0 encrypt=0 flags=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found 
address=166.130.x.x:0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x24fe670 
allocated 88 bytes, &(extensions[0])=0p0xbecfafac
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=5(get), errno=0, satype=3(ESP), len=11, res=0, seq=78, pid=6628.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 5(get).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=9
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=9.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x24fe680 with 
parser pfkey_sa_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=1c62f788 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x24fe698 with parser 
pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=166.130.x.x proto=0 
port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0x24fe6b0 with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:26 pluto[6628]: | finish_pfkey_msg: K_SADB_GET message 78 
for Get SA esp.1c62f788@100.70.209.34
Sep  6 09:21:26 pluto[6628]: |   02 05 00 03  0b 00 00 00  4e 00 00 00  
e4 19 00 00
Sep  6 09:21:26 pluto[6628]: |   03 00 01 00  1c 62 f7 88  00 01 00 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   00 00 00 00  00 00 00 00  03 00 05 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   02 00 00 00  a6 82 3e 34  00 00 00 00  
00 00 00 00
Sep  6 09:21:26 pluto[6628]: |   03 00 06 00  00 00 00 00  02 00 00 00  
64 46 d1 22
Sep  6 09:21:26 pluto[6628]: |   00 00 00 00  00 00 00 00
Sep  6 09:21:26 pluto[6628]: | pfkey_get: K_SADB_GET message 78
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 0 (16)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 1 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 5 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_extensions_free:Free extension 6 (24)
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=5(get), errno=0, satype=3(ESP), len=15, res=0, seq=78, pid=6628.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 5(get).
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=13
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=13.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=13 
ext_type=1(security-association) ext_len=3 parsing ext 0p0xbecfb0c4 with 
parser pfkey_sa_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=1c62f788 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=2(lifetime-current) remain=10.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=10 
ext_type=2(lifetime-current) ext_len=4 parsing ext 0p0xbecfb0dc with 
parser pfkey_lifetime_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_lifetime_parse:enter
Sep  6 09:21:26 pluto[6628]: | pfkey_lifetime_parse: 
life_type=2(lifetime-current) alloc=1 bytes=0 add=42949500 use=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
2(lifetime-current) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0xbecfb0fc with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=166.130.x.x proto=0 
port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0xbecfb114 with 
parser pfkey_address_parse.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:26 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:26 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:26 pluto[6628]: "Tunnel1/3x3" #10: ESP traffic information: 
in=0B out=0B
Sep  6 09:21:26 pluto[6628]: | state #10 requesting 
EVENT_DPD-pe@0x24d9390 be deleted
Sep  6 09:21:26 pluto[6628]: | libevent_free: release ptr-libevent@0x24dfe90
Sep  6 09:21:26 pluto[6628]: | free_event_entry: release 
EVENT_DPD-pe@0x24d9390
Sep  6 09:21:26 pluto[6628]: | #10 send IKEv1 delete notification for 
STATE_QUICK_I2
Sep  6 09:21:26 pluto[6628]: | FOR_EACH_STATE_... in find_phase1_state
Sep  6 09:21:26 pluto[6628]: | **emit ISAKMP Message:
Sep  6 09:21:26 pluto[6628]: |    initiator cookie:
Sep  6 09:21:26 pluto[6628]: |   28 7e 32 1e  3b 43 24 e1
Sep  6 09:21:26 pluto[6628]: |    responder cookie:
Sep  6 09:21:26 pluto[6628]: |   4f 75 a6 5e  27 6d e6 fc
Sep  6 09:21:26 pluto[6628]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Sep  6 09:21:26 pluto[6628]: |    ISAKMP version: ISAKMP Version 1.0 
(rfc2407) (0x10)
Sep  6 09:21:26 pluto[6628]: |    exchange type: ISAKMP_XCHG_INFO (0x5)
Sep  6 09:21:26 pluto[6628]: |    flags: ISAKMP_FLAG_v1_ENCRYPTION (0x1)
Sep  6 09:21:26 pluto[6628]: |    Message ID: 3410725066 (0xcb4b88ca)
Sep  6 09:21:26 pluto[6628]: | next payload chain: saving message 
location 'ISAKMP Message'.'next payload type'
Sep  6 09:21:26 pluto[6628]: | ***emit ISAKMP Hash Payload:
Sep  6 09:21:26 pluto[6628]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Sep  6 09:21:26 pluto[6628]: | next payload chain: setting previous 
'ISAKMP Message'.'next payload type' to current ISAKMP Hash Payload 
(8:ISAKMP_NEXT_HASH)
Sep  6 09:21:26 pluto[6628]: | next payload chain: saving location 
'ISAKMP Hash Payload'.'next payload type' in 'delete msg'
Sep  6 09:21:26 pluto[6628]: | emitting 32 zero bytes of HASH DATA into 
ISAKMP Hash Payload
Sep  6 09:21:26 pluto[6628]: | emitting length of ISAKMP Hash Payload: 36
Sep  6 09:21:26 pluto[6628]: | ***emit ISAKMP Delete Payload:
Sep  6 09:21:26 pluto[6628]: |    next payload type: ISAKMP_NEXT_NONE (0x0)
Sep  6 09:21:26 pluto[6628]: |    DOI: ISAKMP_DOI_IPSEC (0x1)
Sep  6 09:21:26 pluto[6628]: |    protocol ID: 3 (0x3)
Sep  6 09:21:26 pluto[6628]: |    SPI size: 4 (0x4)
Sep  6 09:21:26 pluto[6628]: |    number of SPIs: 1 (0x1)
Sep  6 09:21:26 pluto[6628]: | next payload chain: setting previous 
'ISAKMP Hash Payload'.'next payload type' to current ISAKMP Delete 
Payload (12:ISAKMP_NEXT_D)
Sep  6 09:21:26 pluto[6628]: | next payload chain: saving location 
'ISAKMP Delete Payload'.'next payload type' in 'delete msg'
Sep  6 09:21:26 pluto[6628]: | emitting 4 raw bytes of delete payload 
into ISAKMP Delete Payload
Sep  6 09:21:26 pluto[6628]: | delete payload  1c 62 f7 88
Sep  6 09:21:26 pluto[6628]: | emitting length of ISAKMP Delete Payload: 16
Sep  6 09:21:26 pluto[6628]: | send delete HASH(1):
Sep  6 09:21:26 pluto[6628]: |   08 81 4d d5  a5 0c 07 1d  a8 3f 13 33  
13 6c 8a c6
Sep  6 09:21:26 pluto[6628]: |   14 fb 7e c8  8c b7 6e a3  f8 4a aa d7  
79 7a 78 5e
Sep  6 09:21:26 pluto[6628]: | emitting 12 zero bytes of encryption 
padding into ISAKMP Message
Sep  6 09:21:26 pluto[6628]: | no IKEv1 message padding required
Sep  6 09:21:26 pluto[6628]: | emitting length of ISAKMP Message: 92
Sep  6 09:21:26 pluto[6628]: | sending 96 bytes for delete notify 
through wwan0 from 100.70.209.34:4500 to 166.130.x.x:4500 (using #1)
Sep  6 09:21:26 pluto[6628]: |   00 00 00 00  28 7e 32 1e  3b 43 24 e1  
4f 75 a6 5e
Sep  6 09:21:26 pluto[6628]: |   27 6d e6 fc  08 10 05 01  cb 4b 88 ca  
00 00 00 5c
Sep  6 09:21:26 pluto[6628]: |   42 e9 28 ff  6b f6 5e b9  1a eb 2f 07  
1b e1 f4 68
Sep  6 09:21:26 pluto[6628]: |   62 d2 0c 69  7d f7 af 5d  21 ac 5c 43  
71 ac e4 11
Sep  6 09:21:26 pluto[6628]: |   36 b9 1a 7e  e4 41 76 e4  4d e7 2f ca  
9e 40 93 cc
Sep  6 09:21:26 pluto[6628]: |   df 3e 76 38  5c f0 a2 a4  2a 10 40 ed  
2c 80 bb ba
Sep  6 09:21:26 pluto[6628]: | state #10 requesting EVENT_SA_REPLACE to 
be deleted
Sep  6 09:21:26 pluto[6628]: | libevent_free: release ptr-libevent@0x24d98c0
Sep  6 09:21:26 pluto[6628]: | free_event_entry: release 
EVENT_SA_REPLACE-pe@0x24d9138
Sep  6 09:21:26 pluto[6628]: | running updown command "ipsec _updown" 
for verb down
Sep  6 09:21:26 pluto[6628]: | command executing down-client
Sep  6 09:21:26 pluto[6628]: | executing down-client: 2>&1 
PLUTO_VERB='down-client' PLUTO_VERSION='2.0' 
PLUTO_CONNECTION='Tunnel1/3x3' PLUTO_INTERFACE='ipsec0' 
PLUTO_NEXT_HOP='100.70.209.35' PLUTO_ME='100.70.209.34' 
PLUTO_MY_ID='@HALOHALO' PLUTO_MY_CLIENT='10.10.0.0/24' 
PLUTO_MY_CLIENT_NET='10.10.0.0' PLUTO_MY_CLIENT_MASK='255.255.255.0' 
PLUTO_MY_PORT='0' PLUTO_MY_PROTOCOL='0' PLUTO_SA_REQID='16420' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='166.130.x.x' PLUTO_PEER_ID='@RAMRAM' 
PLUTO_PEER_CLIENT='172.20.0.0/24' PLUTO_PEER_CLIENT_NET='172.20.0.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' 
PLUTO_PEER_PROTOCOL='0' PLUTO_PEER_CA='' PLUTO_STACK='klips' 
PLUTO_ADDTIME='42949500' 
PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO' 
PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' 
XAUTH_FAILED=0 PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' 
PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_CFG_SERVER='0' 
PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0' VTI_IFACE='' 
VTI_ROUTING='no' VTI
Sep  6 09:21:26 pluto[6628]: | popen cmd is 1056 chars long
Sep  6 09:21:26 pluto[6628]: | cmd(   0):2>&1 PLUTO_VERB='down-client' 
PLUTO_VERSION='2.0' PLUTO_CONNECTION='Tunnel1/3x3':
Sep  6 09:21:26 pluto[6628]: | cmd(  80): PLUTO_INTERFACE='ipsec0' 
PLUTO_NEXT_HOP='100.70.209.35' PLUTO_ME='100.70.209.34:
Sep  6 09:21:26 pluto[6628]: | cmd( 160):' PLUTO_MY_ID='@HALOHALO' 
PLUTO_MY_CLIENT='10.10.0.0/24' PLUTO_MY_CLIENT_NET='10:
Sep  6 09:21:26 pluto[6628]: | cmd( 240):.10.0.0' 
PLUTO_MY_CLIENT_MASK='255.255.255.0' PLUTO_MY_PORT='0' PLUTO_MY_PROTOCO:
Sep  6 09:21:26 pluto[6628]: | cmd( 320):L='0' PLUTO_SA_REQID='16420' 
PLUTO_SA_TYPE='ESP' PLUTO_PEER='166.130.x.x' PLUT:
Sep  6 09:21:26 pluto[6628]: | cmd( 400):O_PEER_ID='@RAMRAM' 
PLUTO_PEER_CLIENT='172.20.0.0/24' PLUTO_PEER_CLIENT_NET='172:
Sep  6 09:21:26 pluto[6628]: | cmd( 480):.20.0.0' 
PLUTO_PEER_CLIENT_MASK='255.255.255.0' PLUTO_PEER_PORT='0' PLUTO_PEER_P:
Sep  6 09:21:26 pluto[6628]: | cmd( 560):ROTOCOL='0' PLUTO_PEER_CA='' 
PLUTO_STACK='klips' PLUTO_ADDTIME='42949500' PLUTO_:
Sep  6 09:21:26 pluto[6628]: | cmd( 
640):CONN_POLICY='PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ES:
Sep  6 09:21:26 pluto[6628]: | cmd( 720):N_NO' 
PLUTO_CONN_KIND='CK_PERMANENT' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0:
Sep  6 09:21:26 pluto[6628]: | cmd( 800): PLUTO_IS_PEER_CISCO='0' 
PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_:
Sep  6 09:21:26 pluto[6628]: | cmd( 880):PEER_BANNER='' 
PLUTO_CFG_SERVER='0' PLUTO_CFG_CLIENT='0' PLUTO_NM_CONFIGURED='0':
Sep  6 09:21:26 pluto[6628]: | cmd( 960): VTI_IFACE='' VTI_ROUTING='no' 
VTI_SHARED='no' SPI_IN=0x78b9242 SPI_OUT=0x1c62f7:
Sep  6 09:21:26 pluto[6628]: | cmd(1040):88 ipsec _updown:
Sep  6 09:21:27 pluto[6628]: | shunt_eroute() called for connection 
'Tunnel1/3x3' to 'replace with shunt' for rt_kind 'prospective erouted' 
using protoports 10.10.0.0/24:0 --0->- 172.20.0.0/24:0
Sep  6 09:21:27 pluto[6628]: | priority calculation of connection 
"Tunnel1/3x3" is 0xfe7e7
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfbdbc pfkey_ext=0p0xbecfbf00 *pfkey_ext=0p(nil).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfbdbc pfkey_ext=0p0xbecfbf00 *pfkey_ext=0p0xb5f10a30.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_build: spi=00000104 replay=0 
sa_state=0 auth=0 encrypt=0 flags=2
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=0.0.0.0:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=21 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=10.10.0.0:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=22 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=172.20.0.0:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=23 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=255.255.255.0:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=24 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=255.255.255.0:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[21] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[22] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[23] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[24] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x2447628 
allocated 184 bytes, &(extensions[0])=0p0xbecfbf00
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[21] (type=21)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[22] (type=22)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[23] (type=23)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[24] (type=24)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=14(x-addflow(eroute)), errno=0, satype=11(INT), len=23, res=0, 
seq=79, pid=6628.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: satype 11(INT) 
conversion to proto gives 61 for msg_type 14(x-addflow(eroute)).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=21
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=21.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=21 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x2447638 with 
parser pfkey_sa_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=00000104 replay=0 state=0 auth=0 
encrypt=0 flags=2 ref=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=18.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=18 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x2447650 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=15.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=15 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0x2447668 with 
parser pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=0.0.0.0 proto=0 
port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=21(X-source-flow-address) remain=12.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=12 
ext_type=21(X-source-flow-address) ext_len=3 parsing ext 0p0x2447680 
with parser pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=21(X-source-flow-address) family=2(AF_INET) address=10.10.0.0 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
21(X-source-flow-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=22(X-dest-flow-address) remain=9.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=22(X-dest-flow-address) ext_len=3 parsing ext 0p0x2447698 with 
parser pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=22(X-dest-flow-address) family=2(AF_INET) address=172.20.0.0 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
22(X-dest-flow-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=23(X-source-mask) remain=6.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=23(X-source-mask) ext_len=3 parsing ext 0p0x24476b0 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=23(X-source-mask) family=2(AF_INET) address=255.255.255.0 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
23(X-source-mask) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=24(X-dest-mask) remain=3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=24(X-dest-mask) ext_len=3 parsing ext 0p0x24476c8 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=24(X-dest-mask) family=2(AF_INET) address=255.255.255.0 proto=0 
port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
24(X-dest-mask) parsed.
Sep  6 09:21:27 pluto[6628]: | finish_pfkey_msg: K_SADB_X_ADDFLOW 
message 79 for flow eroute_connection replace with shunt
Sep  6 09:21:27 pluto[6628]: | pfkey_get: K_SADB_X_ADDFLOW message 79
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 0 (16)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 1 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 5 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 6 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 21 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 22 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 23 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 24 (24)
Sep  6 09:21:27 pluto[6628]: | delete esp.78b9242 at 166.130.x.x
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfbf2c pfkey_ext=0p0xbecfbfa0 *pfkey_ext=0p(nil).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfbf2c pfkey_ext=0p0xbecfbfa0 *pfkey_ext=0p0xb5f10a30.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_build: spi=078b9242 replay=0 
sa_state=1 auth=0 encrypt=0 flags=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=166.130.x.x:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x24fed28 
allocated 88 bytes, &(extensions[0])=0p0xbecfbfa0
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=4(delete), errno=0, satype=3(ESP), len=11, res=0, seq=80, pid=6628.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 4(delete).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=9.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x24fed38 with 
parser pfkey_sa_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=078b9242 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x24fed50 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0x24fed68 with 
parser pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=166.130.x.x 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:27 pluto[6628]: | finish_pfkey_msg: K_SADB_DELETE message 
80 for Delete SA esp.78b9242 at 166.130.x.x
Sep  6 09:21:27 pluto[6628]: | pfkey_get: K_SADB_DELETE message 80
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 0 (16)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 1 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 5 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 6 (24)
Sep  6 09:21:27 pluto[6628]: | delete esp.1c62f788 at 100.70.209.34
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfbf7c pfkey_ext=0p0xbecfbff0 *pfkey_ext=0p(nil).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfbf7c pfkey_ext=0p0xbecfbff0 *pfkey_ext=0p0xb5f10a30.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_build: spi=1c62f788 replay=0 
sa_state=1 auth=0 encrypt=0 flags=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=166.130.x.x:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x24fefb8 
allocated 88 bytes, &(extensions[0])=0p0xbecfbff0
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=4(delete), errno=0, satype=3(ESP), len=11, res=0, seq=81, pid=6628.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 4(delete).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=9.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x24fefc8 with 
parser pfkey_sa_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=1c62f788 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x24fefe0 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=166.130.x.x proto=0 
port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) ext_len=3 parsing ext 0p0x24feff8 with 
parser pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=6(destination-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
6(destination-address) parsed.
Sep  6 09:21:27 pluto[6628]: | finish_pfkey_msg: K_SADB_DELETE message 
81 for Delete SA esp.1c62f788 at 100.70.209.34
Sep  6 09:21:27 pluto[6628]: | pfkey_get: K_SADB_DELETE message 81
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 0 (16)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 1 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 5 (24)
Sep  6 09:21:27 pluto[6628]: | pfkey_extensions_free:Free extension 6 (24)
Sep  6 09:21:27 pluto[6628]: | stop processing: connection "Tunnel1/3x3" 
(BACKGROUND) (in update_state_connection() at connections.c:4038)
Sep  6 09:21:27 pluto[6628]: | start processing: connection NULL (in 
update_state_connection() at connections.c:4039)
Sep  6 09:21:27 pluto[6628]: | in connection_discard for connection 
Tunnel1/3x3
Sep  6 09:21:27 pluto[6628]: | State DB: deleting IKEv1 state #10 in 
QUICK_I2
Sep  6 09:21:27 pluto[6628]: | child state #10: QUICK_I2(established 
CHILD SA) => UNDEFINED(ignore)
Sep  6 09:21:27 pluto[6628]: | stop processing: state #10 from 
166.130.x.x:4500 (in delete_state() at state.c:1143)
Sep  6 09:21:27 pluto[6628]: | processing: STOP state #0 (in 
foreach_state_by_connection_func_delete() at state.c:1312)
Sep  6 09:21:27 pluto[6628]: | state #9
Sep  6 09:21:27 pluto[6628]: | start processing: state #9 connection 
"Tunnel1/3x2" from 166.130.x.x:4500 (in 
foreach_state_by_connection_func_delete() at state.c:1310)
Sep  6 09:21:27 pluto[6628]: | pstats #9 ikev1.ipsec deleted completed
Sep  6 09:21:27 pluto[6628]: | [RE]START processing: state #9 connection 
"Tunnel1/3x2" from 166.130.x.x:4500 (in delete_state() at state.c:879)
Sep  6 09:21:27 pluto[6628]: "Tunnel1/3x2" #9: deleting state 
(STATE_QUICK_I2) aged 36.419s and sending notification
Sep  6 09:21:27 pluto[6628]: | child state #9: QUICK_I2(established 
CHILD SA) => delete
Sep  6 09:21:27 pluto[6628]: | get_sa_info esp.78b9241 at 166.130.x.x
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build:
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_entry 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p(nil).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_hdr_build: on_exit 
&pfkey_ext=0p0xbecfaf34 pfkey_ext=0p0xbecfafac *pfkey_ext=0p0x24d9270.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_build: spi=078b9241 replay=0 
sa_state=1 auth=0 encrypt=0 flags=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=5 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=100.70.209.34:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: exttype=6 proto=0 
prefixlen=0
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found address family 
AF_INET.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: found 
address=166.130.x.x:0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_build: successful created 
len: 3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[0] needs 16 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[1] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[5] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: extensions[6] needs 24 
bytes
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: pfkey_msg=0p0x24ff018 
allocated 88 bytes, &(extensions[0])=0p0xbecfafac
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[1] (type=1)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[5] (type=5)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_build: copying 24 bytes from 
extensions[6] (type=6)
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing message ver=2, 
type=5(get), errno=0, satype=3(ESP), len=11, res=0, seq=82, pid=6628.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: satype 3(ESP) conversion 
to proto gives 50 for msg_type 5(get).
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=1(security-association) remain=9.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=9 
ext_type=1(security-association) ext_len=3 parsing ext 0p0x24ff028 with 
parser pfkey_sa_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_sa_parse: successfully found len=3 
exttype=1(security-association) spi=078b9241 replay=0 state=1 auth=0 
encrypt=0 flags=0 ref=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
1(security-association) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=5(source-address) remain=6.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=6 
ext_type=5(source-address) ext_len=3 parsing ext 0p0x24ff040 with parser 
pfkey_address_parse.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: found 
exttype=5(source-address) family=2(AF_INET) address=100.70.209.34 
proto=0 port=0.
Sep  6 09:21:27 pluto[6628]: | pfkey_address_parse: successful.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: Extension 
5(source-address) parsed.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: parsing ext 
type=6(destination-address) remain=3.
Sep  6 09:21:27 pluto[6628]: | pfkey_msg_parse: remain=3 
ext_type=6(destination-address) e


