Hello misc@, hello Reyk,

first of all, a big thank you to all the developers for your great work on OpenBSD! I'm using it for my router, my workstation, webserver, everything!

While configuring a new router for my home network I think I found a problem in iked which might be related to rekeying. I set up IPsec between the router (5.6-stable) and my laptop (current) with iked. For performance testing, I created a 1 GB file and tried to transfer it via HTTP (ftp http://ip/test). After transferring about 430 MB, the connection stalls. After I cancel it I can start the transfer again, until I hit around 430 MB again.

If I add lifetime 1h bytes 2G to iked.conf, I can transfer the file successfully; if I then try again, it stalls. With "lifetime 0 bytes 0" it works and I can transfer the file many times. scp has the same problem; it stalls at around 430 MB.

While I found the problem between my new router (5.6-stable) and my laptop (current), both amd64, I decided to make a test configuration as simple as possible and found the same problems as above. I set up 2 V240 with the latest snapshot; pf is disabled on both systems. System 1 is running httpd, System 2 is downloading the 1 GB file. The following tests were done without any special lifetime configuration. The logs below contain one rekeying which causes the connection to stall.

My uneducated guess is SAs not getting deleted after rekeying, as the SAs on the "passive" side aren't getting deleted while the "active" side SAs are deleted. If I try to transfer the file once, the passive side has 4 SAs (see below), if I try to transfer it twice, the passive side has 6 SAs, etc.

I also tried isakmpd/ipsec.conf and rekeying works without a problem there.

Configuration and logs follow below. If it is indeed a bug instead of user error and there are any more tests/logs needed, I'll be happy to test more. Sorry if I forgot any important information! Thanks for any answers in advance!

Regards,
Sigi Rudzio

Configuration:

System 1: 192.168.0.3
iked.conf
ikev2 esp from 192.168.0.3 to 192.168.0.4 psk a

System 2: 192.168.0.4
iked.conf
ikev2 active esp from 192.168.0.4 to 192.168.0.3 psk a

iked -dvv outputs:

System 1 (started first):

# iked -dvv
ca_privkey_serialize: type RSA_KEY length 1190
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy
ikev2 "policy1" passive esp inet from 192.168.0.3 to 192.168.0.4 local 192.168.0.3 peer 192.168.0.4 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x61
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_recv: IKE_SA_INIT request from initiator 192.168.0.4:500 to 192.168.0.3:500 policy 'policy1' id 0, 520 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0x0000000000000000
ikev2_policy2id: srcid FQDN/ags.local length 13
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x3a8f96d8307a0131 0x0000000000000000 192.168.0.4:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x3a8f96d8307a0131 0x0000000000000000 192.168.0.3:500
sa_state: INIT -> SA_INIT
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x00
sa_stateflags: 0x00 -> 0x10 sa (required 0x00 )
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_add_proposals: length 44
ikev2_next_payload: length 48 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x3a8f96d8307a0131 0xc6b8da536dd498c7 192.168.0.3:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x3a8f96d8307a0131 0xc6b8da536dd498c7 192.168.0.4:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT response from 192.168.0.3:500 to 192.168.0.4:500 msgid 0, 432 bytes
config_free_proposals: free 0xc0c7b83e80
ikev2_recv: IKE_AUTH request from initiator 192.168.0.4:500 to 192.168.0.3:500 policy 'policy1' id 1, 256 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.4:500 local 192.168.0.3:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 2
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 17
ikev2_pld_id: id FQDN/agp.local length 13
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xb6dfa36a
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
sa_stateok: SA_INIT flags 0x00, require 0x00
policy_lookup: peerid 'agp.local'
ikev2_msg_auth: responder auth data length 496
ikev2_msg_auth: initiator auth data length 584
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x14 -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
ikev2_sa_negotiate: score 3
sa_stateflags: 0x1c -> 0x1c auth,authvalid,sa (required 0x1c auth,authvalid,sa)
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0x9095cd4d
pfkey_sa_init: new spi 0x9095cd4d
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_next_payload: length 17 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 149
ikev2_msg_encrypt: padded length 160
ikev2_msg_encrypt: length 150, padding 10, output length 192
ikev2_next_payload: length 196 nextpayload IDr
ikev2_msg_integr: message length 224
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 10
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 17
ikev2_pld_id: id FQDN/ags.local length 13
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x9095cd4d
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_msg_send: IKE_AUTH response from 192.168.0.3:500 to 192.168.0.4:500 msgid 1, 224 bytes
pfkey_sa_add: update spi 0x9095cd4d
ikev2_childsa_enable: loaded CHILD SA spi 0x9095cd4d
pfkey_sa_add: add spi 0xb6dfa36a
ikev2_childsa_enable: loaded CHILD SA spi 0xb6dfa36a
ikev2_childsa_enable: loaded flow 0xc0b55ba400
ikev2_childsa_enable: loaded flow 0xc105070000
sa_state: VALID -> ESTABLISHED from 192.168.0.4:500 to 192.168.0.3:500 policy 'policy1'
config_free_proposals: free 0xc0d856fe00
pfkey_sa_last_used: last_used 1423004921
ikev2_ike_sa_alive: incoming CHILD SA spi 0x9095cd4d last used 0 second(s) ago
pfkey_sa_last_used: last_used 1423004981
ikev2_ike_sa_alive: incoming CHILD SA spi 0x9095cd4d last used 0 second(s) ago
ikev2_recv: CREATE_CHILD_SA request from initiator 192.168.0.4:500 to 192.168.0.3:500 policy 'policy1' id 2, 256 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.4:500 local 192.168.0.3:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x08 msgid 2 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x4ecc3218
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 12
ikev2_pld_notify: protoid ESP spisize 4 type REKEY_SA
ikev2_pld_notify: rekey ESP spi 0xb6dfa36a
ikev2_resp_create_child_sa: rekey ESP spi 0xb6dfa36a
ikev2_sa_negotiate: score 3
sa_stateok: VALID flags 0x1c, require 0x1c auth,authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_getspi: spi 0xfa78579f
pfkey_sa_init: new spi 0xfa78579f
ikev2_add_proposals: length 40
ikev2_next_payload: length 44 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 128
ikev2_msg_encrypt: padded length 144
ikev2_msg_encrypt: length 129, padding 15, output length 176
ikev2_next_payload: length 180 nextpayload SA
ikev2_msg_integr: message length 208
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x20 msgid 2 length 208 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 180
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 144
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 144/144 padding 15
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0xfa78579f
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_msg_send: CREATE_CHILD_SA response from 192.168.0.3:500 to 192.168.0.4:500 msgid 2, 208 bytes
pfkey_sa_add: update spi 0xfa78579f
ikev2_childsa_enable: loaded CHILD SA spi 0xfa78579f
pfkey_sa_add: add spi 0x4ecc3218
ikev2_childsa_enable: loaded CHILD SA spi 0x4ecc3218
config_free_proposals: free 0xc0d856e300
config_free_proposals: free 0xc14911cf80
ikev2_recv: INFORMATIONAL request from initiator 192.168.0.4:500 to 192.168.0.3:500 policy 'policy1' id 3, 80 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.4:500 local 192.168.0.3:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 3 length 80 response 0
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_pld_delete: spi 0xb6dfa36a
ikev2_childsa_delete: deleted CHILD SA spi 0x9095cd4d
ikev2_childsa_delete: deleted CHILD SA spi 0xb6dfa36a
ikev2_pld_delete: deleted 1 spis
ikev2_next_payload: length 12 nextpayload NONE
ikev2_msg_encrypt: decrypted length 12
ikev2_msg_encrypt: padded length 16
ikev2_msg_encrypt: length 13, padding 3, output length 48
ikev2_next_payload: length 52 nextpayload DELETE
ikev2_msg_integr: message length 80
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 3 length 80 response 1
ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 16
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 16/16 padding 3
ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_pld_delete: spi 0x9095cd4d
ikev2_msg_send: INFORMATIONAL response from 192.168.0.3:500 to 192.168.0.4:500 msgid 3, 80 bytes
pfkey_sa_last_used: last_used 1423005041
ikev2_ike_sa_alive: incoming CHILD SA spi 0xfa78579f last used 0 second(s) ago
pfkey_sa_last_used: last_used 1423005090
ikev2_ike_sa_alive: incoming CHILD SA spi 0xfa78579f last used 11 second(s) ago

System 2 (started second):

# iked -dvv
ca_privkey_serialize: type RSA_KEY length 1191
ca_pubkey_serialize: type RSA_KEY length 270
/etc/iked.conf: loaded 1 configuration rules
config_getpolicy: received policy
ikev2 "policy1" active esp inet from 192.168.0.4 to 192.168.0.3 local 192.168.0.4 peer 192.168.0.3 ikesa enc aes-256,aes-192,aes-128,3des prf hmac-sha2-256,hmac-sha1,hmac-md5 auth hmac-sha2-256,hmac-sha1,hmac-md5 group modp2048-256,modp2048,modp1536,modp1024 childsa enc aes-256,aes-192,aes-128 auth hmac-sha2-256,hmac-sha1 lifetime 10800 bytes 536870912 psk 0x61
config_getpfkey: received pfkey fd 3
config_getcompile: compilation done
config_getsocket: received socket fd 4
config_getsocket: received socket fd 5
config_getsocket: received socket fd 7
config_getsocket: received socket fd 8
ca_reload: local cert type RSA_KEY
config_getocsp: ocsp_url none
ikev2_dispatch_cert: updated local CERTREQ type RSA_KEY length 0
ikev2_init_ike_sa: initiating "policy1"
ikev2_policy2id: srcid FQDN/agp.local length 13
ikev2_add_proposals: length 132
ikev2_next_payload: length 136 nextpayload KE
ikev2_next_payload: length 264 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload NOTIFY
ikev2_nat_detection: local source 0x3a8f96d8307a0131 0x0000000000000000 192.168.0.4:500
ikev2_next_payload: length 28 nextpayload NOTIFY
ikev2_nat_detection: local destination 0x3a8f96d8307a0131 0x0000000000000000 192.168.0.3:500
ikev2_next_payload: length 28 nextpayload NONE
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0x0000000000000000 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x08 msgid 0 length 520 response 0
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 136
ikev2_pld_sa: more 0 reserved 0 length 132 proposal #1 protoid IKE spisize 0 xforms 14 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type ENCR id 3DES
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA1
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_MD5
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_MD5_96
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_2048
ikev2_pld_xform: more 3 reserved 0 length 8 type DH id MODP_1536
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_1024
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_msg_send: IKE_SA_INIT request from 192.168.0.4:500 to 192.168.0.3:500 msgid 0, 520 bytes
sa_state: INIT -> SA_INIT
ikev2_recv: IKE_SA_INIT response from responder 192.168.0.3:500 to 192.168.0.4:500 policy 'policy1' id 0, 432 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.3:500 local 192.168.0.4:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SA version 0x20 exchange IKE_SA_INIT flags 0x20 msgid 0 length 432 response 1
ikev2_pld_payloads: payload SA nextpayload KE critical 0x00 length 48
ikev2_pld_sa: more 0 reserved 0 length 44 proposal #1 protoid IKE spisize 0 xforms 4 spi 0
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type PRF id HMAC_SHA2_256
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type DH id MODP_2048_256
ikev2_pld_payloads: payload KE nextpayload NONCE critical 0x00 length 264
ikev2_pld_ke: dh group MODP_2048_256 reserved 0
ikev2_pld_payloads: payload NONCE nextpayload NOTIFY critical 0x00 length 36
ikev2_pld_payloads: payload NOTIFY nextpayload NOTIFY critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_SOURCE_IP
ikev2_nat_detection: peer source 0x3a8f96d8307a0131 0xc6b8da536dd498c7 192.168.0.3:500
ikev2_pld_payloads: payload NOTIFY nextpayload NONE critical 0x00 length 28
ikev2_pld_notify: protoid NONE spisize 0 type NAT_DETECTION_DESTINATION_IP
ikev2_nat_detection: peer destination 0x3a8f96d8307a0131 0xc6b8da536dd498c7 192.168.0.4:500
ikev2_sa_negotiate: score 4
sa_stateok: SA_INIT flags 0x00, require 0x04 auth
ikev2_sa_keys: SKEYSEED with 32 bytes
ikev2_sa_keys: S with 80 bytes
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: T5 with 32 bytes
ikev2_prfplus: T6 with 32 bytes
ikev2_prfplus: T7 with 32 bytes
ikev2_prfplus: Tn with 224 bytes
ikev2_sa_keys: SK_d with 32 bytes
ikev2_sa_keys: SK_ai with 32 bytes
ikev2_sa_keys: SK_ar with 32 bytes
ikev2_sa_keys: SK_ei with 32 bytes
ikev2_sa_keys: SK_er with 32 bytes
ikev2_sa_keys: SK_pi with 32 bytes
ikev2_sa_keys: SK_pr with 32 bytes
ikev2_msg_auth: initiator auth data length 584
sa_stateok: SA_INIT flags 0x04, require 0x04 auth
ikev2_next_payload: length 17 nextpayload AUTH
ikev2_next_payload: length 40 nextpayload SA
pfkey_sa_getspi: spi 0xb6dfa36a
pfkey_sa_init: new spi 0xb6dfa36a
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NONE
ikev2_msg_encrypt: decrypted length 189
ikev2_msg_encrypt: padded length 192
ikev2_msg_encrypt: length 190, padding 2, output length 224
ikev2_next_payload: length 228 nextpayload IDi
ikev2_msg_integr: message length 256
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x08 msgid 1 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload IDi critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 2
ikev2_pld_payloads: decrypted payload IDi nextpayload AUTH critical 0x00 length 17
ikev2_pld_id: id FQDN/agp.local length 13
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0xb6dfa36a
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_msg_send: IKE_AUTH request from 192.168.0.4:500 to 192.168.0.3:500 msgid 1, 256 bytes
config_free_proposals: free 0xb90ee2680
ikev2_recv: IKE_AUTH response from responder 192.168.0.3:500 to 192.168.0.4:500 policy 'policy1' id 1, 224 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.3:500 local 192.168.0.4:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange IKE_AUTH flags 0x20 msgid 1 length 224 response 1
ikev2_pld_payloads: payload SK nextpayload IDr critical 0x00 length 196
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 160
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 160/160 padding 10
ikev2_pld_payloads: decrypted payload IDr nextpayload AUTH critical 0x00 length 17
ikev2_pld_id: id FQDN/ags.local length 13
ikev2_pld_payloads: decrypted payload AUTH nextpayload SA critical 0x00 length 40
ikev2_pld_auth: method SHARED_KEY_MIC length 32
sa_state: SA_INIT -> AUTH_REQUEST
ikev2_pld_payloads: decrypted payload SA nextpayload TSi critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0x9095cd4d
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_msg_auth: responder auth data length 496
ikev2_msg_authverify: method SHARED_KEY_MIC keylen 32 type NONE
ikev2_msg_authverify: authentication successful
sa_state: AUTH_REQUEST -> AUTH_SUCCESS
sa_stateflags: 0x04 -> 0x0c auth,authvalid (required 0x18 authvalid,sa)
ikev2_sa_negotiate: score 3
sa_stateflags: 0x0c -> 0x1c auth,authvalid,sa (required 0x18 authvalid,sa)
sa_stateok: VALID flags 0x18, require 0x18 authvalid,sa
sa_state: AUTH_SUCCESS -> VALID
sa_stateok: VALID flags 0x18, require 0x18 authvalid,sa
sa_stateok: VALID flags 0x18, require 0x18 authvalid,sa
ikev2_sa_tag: (0)
ikev2_childsa_negotiate: proposal 2
ikev2_childsa_negotiate: key material length 128
ikev2_prfplus: T1 with 32 bytes
ikev2_prfplus: T2 with 32 bytes
ikev2_prfplus: T3 with 32 bytes
ikev2_prfplus: T4 with 32 bytes
ikev2_prfplus: Tn with 128 bytes
pfkey_sa_add: add spi 0x9095cd4d
ikev2_childsa_enable: loaded CHILD SA spi 0x9095cd4d
pfkey_sa_add: update spi 0xb6dfa36a
ikev2_childsa_enable: loaded CHILD SA spi 0xb6dfa36a
ikev2_childsa_enable: loaded flow 0xb536d5000
ikev2_childsa_enable: loaded flow 0xb0b39f400
sa_state: VALID -> ESTABLISHED from 192.168.0.3:500 to 192.168.0.4:500 policy 'policy1'
config_free_proposals: free 0xb68fdf400
ikev2_init_ike_sa: "policy1" is already active
pfkey_sa_last_used: last_used 1423008468
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x9095cd4d last used 0 second(s) ago
pfkey_sa_last_used: last_used 1423008468
ikev2_ike_sa_alive: incoming CHILD SA spi 0xb6dfa36a last used 0 second(s) ago
ikev2_init_ike_sa: "policy1" is already active
pfkey_sa_last_used: last_used 1423008528
ikev2_ike_sa_alive: outgoing CHILD SA spi 0x9095cd4d last used 0 second(s) ago
pfkey_sa_last_used: last_used 1423008528
ikev2_ike_sa_alive: incoming CHILD SA spi 0xb6dfa36a last used 0 second(s) ago
pfkey_process: SA 0xb6dfa36a is expired, pending rekeying
ikev2_send_create_child_sa: rekeying ESP spi 0x9095cd4d
config_free_proposals: free 0xb6b74e680
pfkey_sa_getspi: spi 0x4ecc3218
pfkey_sa_init: new spi 0x4ecc3218
ikev2_add_proposals: length 80
ikev2_next_payload: length 84 nextpayload NONCE
ikev2_next_payload: length 36 nextpayload TSi
ikev2_next_payload: length 24 nextpayload TSr
ikev2_next_payload: length 24 nextpayload NOTIFY
ikev2_next_payload: length 12 nextpayload NONE
ikev2_msg_encrypt: decrypted length 180
ikev2_msg_encrypt: padded length 192
ikev2_msg_encrypt: length 181, padding 11, output length 224
ikev2_next_payload: length 228 nextpayload SA
ikev2_msg_integr: message length 256
ikev2_msg_integr: integrity checksum length 16
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x08 msgid 2 length 256 response 0
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 228
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 192
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 192/192 padding 11
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 84
ikev2_pld_sa: more 0 reserved 0 length 80 proposal #2 protoid ESP spisize 4 xforms 7 spi 0x4ecc3218
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 192 total 4
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC
ikev2_pld_attr: attribute type KEY_LENGTH length 128 total 4
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128
ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA1_96
ikev2_pld_xform: more 3 reserved 0 length 8 type ESN id ESN
ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id NONE
ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36
ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4
ikev2_pld_payloads: decrypted payload TSr nextpayload NOTIFY critical 0x00 length 24
ikev2_pld_ts: count 1 length 16
ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535
ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3
ikev2_pld_payloads: decrypted payload NOTIFY nextpayload NONE critical 0x00 length 12
ikev2_pld_notify: protoid ESP spisize 4 type REKEY_SA
ikev2_msg_send: CREATE_CHILD_SA request from 192.168.0.4:500 to 192.168.0.3:500 msgid 2, 256 bytes
ikev2_recv: CREATE_CHILD_SA response from responder 192.168.0.3:500 to 192.168.0.4:500 policy 'policy1' id 2, 208 bytes
ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7
ikev2_recv: updated SA to peer 192.168.0.3:500 local 192.168.0.4:500
ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange CREATE_CHILD_SA flags 0x20 msgid 2 length 208 response 1
ikev2_pld_payloads: payload SK nextpayload SA critical 0x00 length 180
ikev2_msg_decrypt: IV length 16
ikev2_msg_decrypt: encrypted payload length 144
ikev2_msg_decrypt: integrity checksum length 16
ikev2_msg_decrypt: integrity check succeeded
ikev2_msg_decrypt: decrypted payload length 144/144 padding 15
ikev2_pld_payloads: decrypted payload SA nextpayload NONCE critical 0x00 length 44
ikev2_pld_sa: more 0 reserved 0 length 40 proposal #2 protoid ESP spisize 4 xforms 3 spi 0xfa78579f
ikev2_pld_xform: more 3 reserved 0 length 12 type ENCR id AES_CBC ikev2_pld_attr: attribute type KEY_LENGTH length 256 total 4 ikev2_pld_xform: more 3 reserved 0 length 8 type INTEGR id HMAC_SHA2_256_128 ikev2_pld_xform: more 0 reserved 0 length 8 type ESN id ESN ikev2_pld_payloads: decrypted payload NONCE nextpayload TSi critical 0x00 length 36 ikev2_pld_payloads: decrypted payload TSi nextpayload TSr critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 192.168.0.4 end 192.168.0.4 ikev2_pld_payloads: decrypted payload TSr nextpayload NONE critical 0x00 length 24 ikev2_pld_ts: count 1 length 16 ikev2_pld_ts: type IPV4_ADDR_RANGE protoid 0 length 16 startport 0 endport 65535 ikev2_pld_ts: start 192.168.0.3 end 192.168.0.3 ikev2_sa_negotiate: score 3 config_free_proposals: free 0xb6b74f300 ikev2_init_create_child_sa: rekeying CHILD SA old 0xb6dfa36a spi 0xfa78579f sa_stateok: VALID flags 0x18, require 0x18 authvalid,sa ikev2_sa_tag: (0) ikev2_childsa_negotiate: proposal 2 ikev2_childsa_negotiate: key material length 128 ikev2_prfplus: T1 with 32 bytes ikev2_prfplus: T2 with 32 bytes ikev2_prfplus: T3 with 32 bytes ikev2_prfplus: T4 with 32 bytes ikev2_prfplus: Tn with 128 bytes ikev2_next_payload: length 12 nextpayload NONE ikev2_msg_encrypt: decrypted length 12 ikev2_msg_encrypt: padded length 16 ikev2_msg_encrypt: length 13, padding 3, output length 48 ikev2_next_payload: length 52 nextpayload DELETE ikev2_msg_integr: message length 80 ikev2_msg_integr: integrity checksum length 16 ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x08 msgid 3 length 80 response 0 ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: 
integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 3 ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12 ikev2_pld_delete: proto ESP spisize 4 nspi 1 ikev2_pld_delete: spi 0xb6dfa36a ikev2_msg_send: INFORMATIONAL request from 192.168.0.4:500 to 192.168.0.3:500 msgid 3, 80 bytes pfkey_sa_add: add spi 0xfa78579f ikev2_childsa_enable: loaded CHILD SA spi 0xfa78579f pfkey_sa_add: update spi 0x4ecc3218 ikev2_childsa_enable: loaded CHILD SA spi 0x4ecc3218 config_free_proposals: free 0xb6b74fc00 ikev2_recv: INFORMATIONAL response from responder 192.168.0.3:500 to 192.168.0.4:500 policy 'policy1' id 3, 80 bytes ikev2_recv: ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 ikev2_recv: updated SA to peer 192.168.0.3:500 local 192.168.0.4:500 ikev2_pld_parse: header ispi 0x3a8f96d8307a0131 rspi 0xc6b8da536dd498c7 nextpayload SK version 0x20 exchange INFORMATIONAL flags 0x20 msgid 3 length 80 response 1 ikev2_pld_payloads: payload SK nextpayload DELETE critical 0x00 length 52 ikev2_msg_decrypt: IV length 16 ikev2_msg_decrypt: encrypted payload length 16 ikev2_msg_decrypt: integrity checksum length 16 ikev2_msg_decrypt: integrity check succeeded ikev2_msg_decrypt: decrypted payload length 16/16 padding 3 ikev2_pld_payloads: decrypted payload DELETE nextpayload NONE critical 0x00 length 12 ikev2_init_ike_sa: "policy1" is already active pfkey_sa_last_used: last_used 1423008588 ikev2_ike_sa_alive: outgoing CHILD SA spi 0x9095cd4d last used 0 second(s) ago pfkey_sa_last_used: last_used 1423008574 ikev2_ike_sa_alive: incoming CHILD SA spi 0xb6dfa36a last used 14 second(s) ago ikev2_init_ike_sa: "policy1" is already active pfkey_sa_last_used: last_used 1423008637 ikev2_ike_sa_alive: outgoing CHILD SA spi 0x9095cd4d last used 11 second(s) ago pfkey_sa_last_used: last_used 1423008574 ikev2_ike_sa_alive: incoming CHILD SA spi 0xb6dfa36a last used 74 second(s) ago pfkey_sa_last_used: last_used 1423008637 ikev2_ike_sa_alive: 
outgoing CHILD SA spi 0xfa78579f last used 11 second(s) ago
pfkey_sa_last_used: last_used 1423008637
ikev2_ike_sa_alive: incoming CHILD SA spi 0x4ecc3218 last used 11 second(s) ago

ipsecctl -sa outputs after first rekeying:

System 1:
# ipsecctl -sa
FLOWS:
flow esp in from 192.168.0.4 to 192.168.0.3 peer 192.168.0.4 srcid FQDN/ags.local dstid FQDN/agp.local type use
flow esp out from 192.168.0.3 to 192.168.0.4 peer 192.168.0.4 srcid FQDN/ags.local dstid FQDN/agp.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0x4ecc3218 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0xfa78579f auth hmac-sha2-256 enc aes-256

System 2:
# ipsecctl -sa
FLOWS:
flow esp in from 192.168.0.3 to 192.168.0.4 peer 192.168.0.3 srcid FQDN/agp.local dstid FQDN/ags.local type use
flow esp out from 192.168.0.4 to 192.168.0.3 peer 192.168.0.3 srcid FQDN/agp.local dstid FQDN/ags.local type require
flow esp out from ::/0 to ::/0 type deny

SAD:
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0x4ecc3218 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0x9095cd4d auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0xb6dfa36a auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0xfa78579f auth hmac-sha2-256 enc aes-256

tcpdump on system 1 of another rekeying, command:
tcpdump -n -e -i vlan100 not esp and not port ssh

01:32:41.761572 00:03:ba:90:4e:cd 00:03:ba:ea:21:7d 0800 298: 192.168.0.4.500 > 192.168.0.3.500: isakmp v2.0 exchange CREATE_CHILD_SA cookie: 9a55407f1e60895e->bc46c63a0069d925 msgid: 00000004 len: 256
01:32:41.764220 00:03:ba:ea:21:7d 00:03:ba:90:4e:cd 0800 250: 192.168.0.3.500 > 192.168.0.4.500: isakmp v2.0 exchange CREATE_CHILD_SA cookie: 9a55407f1e60895e->bc46c63a0069d925 msgid: 00000004 len: 208
01:32:41.765939 00:03:ba:90:4e:cd 00:03:ba:ea:21:7d 0800 122: 192.168.0.4.500 > 192.168.0.3.500: isakmp v2.0 exchange INFORMATIONAL cookie: 9a55407f1e60895e->bc46c63a0069d925 msgid: 00000005 len: 80
01:32:41.766586 00:03:ba:ea:21:7d 00:03:ba:90:4e:cd 0800 122: 192.168.0.3.500 > 192.168.0.4.500: isakmp v2.0 exchange INFORMATIONAL cookie: 9a55407f1e60895e->bc46c63a0069d925 msgid: 00000005 len: 80

dmesg:

System 1:
console is /pci@1e,600000/isa@7/serial@0,3f8 Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. Copyright (c) 1995-2015 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 5.7-beta (GENERIC.MP) #459: Tue Feb 3 03:31:57 MST 2015 [email protected]:/usr/src/sys/arch/sparc64/compile/GENERIC.MP real mem = 4294967296 (4096MB) avail mem = 4213178368 (4018MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root: Sun Fire V240 cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1503 MHz cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l) cpu1 at mainbus0: SUNW,UltraSPARC-IIIi (rev 3.4) @ 1503 MHz cpu1: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l) "memory-controller" at mainbus0 not configured "memory-controller" at mainbus0 not configured schizo0 at mainbus0: "Tomatillo", version 4, ign 7c0, bus B 0 to 0 schizo0: dvma map c0000000-dfffffff pci0 at schizo0 bge0 at pci0 dev 2 function 0 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x7c8, address 00:03:ba:ea:21:7d brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge1 at pci0 dev 2 function 1 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x7c9, address 00:03:ba:ea:21:7e brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev.
0 schizo1 at mainbus0: "Tomatillo", version 4, ign 780, bus A 0 to 0 schizo1: dvma map c0000000-dfffffff pci1 at schizo1 ebus0 at pci1 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00 "flashprom" at ebus0 addr 0-fffff, 290-290 not configured rtc0 at ebus0 addr 70-71: m5819p pcfiic0 at ebus0 addr 320-321 ivec 0x2e iic0 at pcfiic0 "SUNW,i2c-imax" at iic0 addr 0xb not configured "SUNW,i2c-imax" at iic0 addr 0xc not configured spdmem0 at iic0 addr 0x5b: 512MB DDR SDRAM registered ECC PC2300CL2.5 spdmem1 at iic0 addr 0x5c: 512MB DDR SDRAM registered ECC PC2300CL2.5 spdmem2 at iic0 addr 0x5d: 512MB DDR SDRAM registered ECC PC2300CL2.5 spdmem3 at iic0 addr 0x5e: 512MB DDR SDRAM registered ECC PC2300CL2.5 spdmem4 at iic0 addr 0x63: 1GB DDR SDRAM registered ECC PC2300CL2.5 spdmem5 at iic0 addr 0x64: 1GB DDR SDRAM registered ECC PC2300CL2.5 "ds1307" at iic0 addr 0x68 not configured "pca9555" at iic0 addr 0x22 not configured "pca9555" at iic0 addr 0x23 not configured "pca9555" at iic0 addr 0x25 not configured "pca9555" at iic0 addr 0x34 not configured "pca9555" at iic0 addr 0x44 not configured "pca9556" at iic0 addr 0x38 not configured power0 at ebus0 addr 800-82f ivec 0x20 com0 at ebus0 addr 3f8-3ff ivec 0x2c: ns16550a, 16 byte fifo com0: console com1 at ebus0 addr 2e8-2ef ivec 0x2c: ns16550a, 16 byte fifo "rmc-comm" at ebus0 addr 3e8-3ef ivec 0x2c not configured alipm0 at pci1 dev 6 function 0 "Acer Labs M7101 Power" rev 0x00: 223KHz clock iic1 at alipm0 ohci0 at pci1 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 0x7a7, version 1.0, legacy support pciide0 at pci1 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc4: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide0: using ivec 0x798 for native-PCI interrupt atapiscsi0 at pciide0 channel 0 drive 0 scsibus1 at atapiscsi0: 2 targets cd0 at scsibus1 targ 0 lun 0: <TEAC, DV-28E-C, 1.4B> ATAPI 5/cdrom removable cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2 pciide0: channel 1 
disabled (no drives) siop0 at pci1 dev 3 function 0 "Symbios Logic 53c875" rev 0x14: ivec 0x78c, using 4K of on-board RAM scsibus2 at siop0: 16 targets, initiator 7 siop1 at pci1 dev 3 function 1 "Symbios Logic 53c875" rev 0x14: ivec 0x78d, using 4K of on-board RAM scsibus3 at siop1: 16 targets, initiator 7 usb0 at ohci0: USB revision 1.0 uhub0 at usb0 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1 schizo2 at mainbus0: "Tomatillo", version 4, ign 700, bus A 0 to 0 schizo2: dvma map c0000000-dfffffff pci2 at schizo2 siop2 at pci2 dev 2 function 0 "Symbios Logic 53c1010-66" rev 0x01: ivec 0x729, using 8K of on-board RAM scsibus4 at siop2: 16 targets, initiator 7 sym0 at scsibus4 targ 0 lun 0: <FUJITSU, MAT3073N SUN72G, 0602> SCSI2 0/direct fixed serial.FUJITSU_MAT3073N_SUN72G_000528B08UT9_AAN0P5708UT9 sd0 at scsibus0 targ 0 lun 0: <FUJITSU, MAT3073N SUN72G, 0602> SCSI2 0/direct fixed serial.FUJITSU_MAT3073N_SUN72G_000528B08UT9_AAN0P5708UT9 sd0: 70007MB, 512 bytes/sector, 143374738 sectors siop3 at pci2 dev 2 function 1 "Symbios Logic 53c1010-66" rev 0x01: ivec 0x728, using 8K of on-board RAM scsibus5 at siop3: 16 targets, initiator 7 schizo3 at mainbus0: "Tomatillo", version 4, ign 740, bus B 0 to 0 schizo3: dvma map c0000000-dfffffff pci3 at schizo3 bge2 at pci3 dev 2 function 0 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x75c, address 00:03:ba:ea:21:7f brgphy2 at bge2 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge3 at pci3 dev 2 function 1 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x75d, address 00:03:ba:ea:21:80 brgphy3 at bge3 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 mpi0 at pci3 dev 1 function 0 "Symbios Logic FC919X" rev 0x00: ivec 0x744 mpi0: LSI7102XP-LC, firmware 1.2.0.0 scsibus6 at mpi0: 128 targets, initiator 15, WWPN 100000062b0a9b98, WWNN 200000062b0a9b98 siop2: target 0 now using tagged DT 16 bit 80.0 MHz 62 REQ/ACK offset xfers vscsi0 at root scsibus7 at vscsi0: 256 targets softraid0 at root scsibus8 at softraid0: 256 targets bootpath: /pci@1c,600000/scsi@2,0/disk@0,0 root on sd0a (e7e26cd2175487cc.a) swap on sd0b dump on sd0b System 2: console is /pci@1e,600000/isa@7/serial@0,3f8 Copyright (c) 1982, 1986, 1989, 1991, 1993 The Regents of the University of California. All rights reserved. Copyright (c) 1995-2015 OpenBSD. All rights reserved. http://www.OpenBSD.org OpenBSD 5.7-beta (GENERIC.MP) #459: Tue Feb 3 03:31:57 MST 2015 [email protected]:/usr/src/sys/arch/sparc64/compile/GENERIC.MP real mem = 2684354560 (2560MB) avail mem = 2627264512 (2505MB) mpath0 at root scsibus0 at mpath0: 256 targets mainbus0 at root: Sun Fire V240 cpu0 at mainbus0: SUNW,UltraSPARC-IIIi (rev 2.4) @ 1280 MHz cpu0: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l) cpu1 at mainbus0: SUNW,UltraSPARC-IIIi (rev 2.4) @ 1280 MHz cpu1: physical 32K instruction (32 b/l), 64K data (32 b/l), 1024K external (64 b/l) "memory-controller" at mainbus0 not configured "memory-controller" at mainbus0 not configured schizo0 at mainbus0: "Tomatillo", version 4, ign 7c0, bus B 0 to 0 schizo0: dvma map c0000000-dfffffff pci0 at schizo0 bge0 at pci0 dev 2 function 0 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x7c8, address 00:03:ba:90:4e:cd brgphy0 at bge0 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge1 at pci0 dev 2 function 1 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x7c9, address 00:03:ba:90:4e:ce brgphy1 at bge1 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 schizo1 at mainbus0: "Tomatillo", version 4, ign 780, bus A 0 to 0 schizo1: dvma map c0000000-dfffffff pci1 at schizo1 ebus0 at pci1 dev 7 function 0 "Acer Labs M1533 ISA" rev 0x00 "flashprom" at ebus0 addr 0-fffff, 290-290 not configured rtc0 at ebus0 addr 70-71: m5819p pcfiic0 at ebus0 addr 320-321 ivec 0x2e iic0 at pcfiic0 "SUNW,i2c-imax" at iic0 addr 0xb not configured "SUNW,i2c-imax" at iic0 addr 0xc not configured spdmem0 at iic0 addr 0x5b: 256MB DDR SDRAM registered ECC PC2300CL2.5 spdmem1 at iic0 addr 0x5c: 256MB DDR SDRAM registered ECC PC2300CL2.5 spdmem2 at iic0 addr 0x63: 1GB DDR SDRAM registered ECC PC2300CL2.5 spdmem3 at iic0 addr 0x64: 1GB DDR SDRAM registered ECC PC2300CL2.5 "ds1307" at iic0 addr 0x68 not configured "pca9555" at iic0 addr 0x22 not configured "pca9555" at iic0 addr 0x23 not configured "pca9555" at iic0 addr 0x25 not configured "pca9555" at iic0 addr 0x34 not configured "pca9555" at iic0 addr 0x44 not configured "pca9556" at iic0 addr 0x38 not configured power0 at ebus0 addr 800-82f ivec 0x20 com0 at ebus0 addr 3f8-3ff ivec 0x2c: ns16550a, 16 byte fifo com0: console com1 at ebus0 addr 2e8-2ef ivec 0x2c: ns16550a, 16 byte fifo "rmc-comm" at ebus0 addr 3e8-3ef ivec 0x2c not configured alipm0 at pci1 dev 6 function 0 "Acer Labs M7101 Power" rev 0x00: 223KHz clock iic1 at alipm0 ohci0 at pci1 dev 10 function 0 "Acer Labs M5237 USB" rev 0x03: ivec 0x7a7, version 1.0, legacy support pciide0 at pci1 dev 13 function 0 "Acer Labs M5229 UDMA IDE" rev 0xc4: DMA, channel 0 configured to native-PCI, channel 1 configured to native-PCI pciide0: using ivec 0x798 for native-PCI interrupt pciide0: channel 0 disabled (no drives) pciide0: channel 1 disabled (no drives) usb0 at ohci0: USB revision 1.0 uhub0 at usb0 "Acer Labs OHCI root hub" rev 1.00/1.00 addr 1 schizo2 at mainbus0: "Tomatillo", version 4, ign 700, bus A 0 to 0 schizo2: dvma map c0000000-dfffffff pci2 at schizo2 siop0 at pci2 dev 2 function 0 "Symbios Logic 53c1010-66" rev 0x01: ivec 
0x729, using 8K of on-board RAM scsibus1 at siop0: 16 targets, initiator 7 sym0 at scsibus1 targ 0 lun 0: <SEAGATE, ST336607LSUN36G, 0207> SCSI3 0/direct fixed serial.SEAGATE_ST336607LSUN36G_3JA1WR1H00007347US0S sd0 at scsibus0 targ 0 lun 0: <SEAGATE, ST336607LSUN36G, 0207> SCSI3 0/direct fixed serial.SEAGATE_ST336607LSUN36G_3JA1WR1H00007347US0S sd0: 34732MB, 512 bytes/sector, 71132959 sectors sym1 at scsibus1 targ 1 lun 0: <SEAGATE, ST336607LSUN36G, 0507> SCSI3 0/direct fixed serial.SEAGATE_ST336607LSUN36G_3JA7JQYE00007440P23A sd1 at scsibus0 targ 1 lun 0: <SEAGATE, ST336607LSUN36G, 0507> SCSI3 0/direct fixed serial.SEAGATE_ST336607LSUN36G_3JA7JQYE00007440P23A sd1: 34732MB, 512 bytes/sector, 71132959 sectors sym2 at scsibus1 targ 2 lun 0: <FUJITSU, MAP3367N SUN36G, 0401> SCSI2 0/direct fixed serial.FUJITSU_MAP3367N_SUN36G_00N035W6_ sd2 at scsibus0 targ 2 lun 0: <FUJITSU, MAP3367N SUN36G, 0401> SCSI2 0/direct fixed serial.FUJITSU_MAP3367N_SUN36G_00N035W6_ sd2: 34732MB, 512 bytes/sector, 71132959 sectors siop1 at pci2 dev 2 function 1 "Symbios Logic 53c1010-66" rev 0x01: ivec 0x728, using 8K of on-board RAM scsibus2 at siop1: 16 targets, initiator 7 schizo3 at mainbus0: "Tomatillo", version 4, ign 740, bus B 0 to 0 schizo3: dvma map c0000000-dfffffff pci3 at schizo3 bge2 at pci3 dev 2 function 0 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x75c, address 00:03:ba:90:4e:cf brgphy2 at bge2 phy 1: BCM5704 10/100/1000baseT PHY, rev. 0 bge3 at pci3 dev 2 function 1 "Broadcom BCM5704C" rev 0x00, BCM5704 A3 (0x2003): ivec 0x75d, address 00:03:ba:90:4e:d0 brgphy3 at bge3 phy 1: BCM5704 10/100/1000baseT PHY, rev. 
0 qla0 at pci3 dev 1 function 0 "QLogic ISP2312" rev 0x02: ivec 0x744 qla0: firmware rev 3.3.19, attrs 0x107 qla0: loop still down, giving up scsibus3 at qla0: 2048 targets, WWPN 210000e08b10a5ea, WWNN 200000e08b10a5ea qla1 at pci3 dev 1 function 1 "QLogic ISP2312" rev 0x02: ivec 0x745 qla1: firmware rev 3.3.19, attrs 0x107 qla1: loop still down, giving up scsibus4 at qla1: 2048 targets, WWPN 210100e08b30a5ea, WWNN 200000e08b30a5ea siop0: target 0 now using tagged DT 16 bit 80.0 MHz 62 REQ/ACK offset xfers vscsi0 at root scsibus5 at vscsi0: 256 targets softraid0 at root scsibus6 at softraid0: 256 targets siop0: target 1 now using tagged DT 16 bit 80.0 MHz 62 REQ/ACK offset xfers siop0: target 2 now using tagged DT 16 bit 80.0 MHz 62 REQ/ACK offset xfers sd3 at scsibus6 targ 1 lun 0: <OPENBSD, SR RAID 0, 005> SCSI2 0/direct fixed sd3: 69465MB, 512 bytes/sector, 142264832 sectors bootpath: /pci@1c,600000/scsi@2,0/disk@0,0 root on sd0a (0cb351aef3e2eee8.a) swap on sd0b dump on sd0b
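
A check for the symptom described in this post, as an added example that is not part of the original message or of iked: it reads iked -dvv output and the SAD part of "ipsecctl -sa" and reports SAs that the log names as rekeyed but that are still installed. The sample strings are constructed from lines in the logs above; the function names, and the reading of the two "rekeying" log lines as naming the superseded SPIs, are assumptions.

```python
import re
from collections import Counter

# Constructed sample: log lines and SAD entries copied from the post
# (iked -dvv on System 2, "ipsecctl -sa" on both systems after one rekey).
IKED_LOG = """\
ikev2_childsa_enable: loaded CHILD SA spi 0x9095cd4d
ikev2_childsa_enable: loaded CHILD SA spi 0xb6dfa36a
pfkey_process: SA 0xb6dfa36a is expired, pending rekeying
ikev2_send_create_child_sa: rekeying ESP spi 0x9095cd4d
pfkey_sa_init: new spi 0x4ecc3218
ikev2_init_create_child_sa: rekeying CHILD SA old 0xb6dfa36a spi 0xfa78579f
ikev2_pld_delete: proto ESP spisize 4 nspi 1
ikev2_pld_delete: spi 0xb6dfa36a
ikev2_childsa_enable: loaded CHILD SA spi 0xfa78579f
ikev2_childsa_enable: loaded CHILD SA spi 0x4ecc3218
"""

SAD_SYSTEM1 = """\
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0x4ecc3218 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0xfa78579f auth hmac-sha2-256 enc aes-256
"""

SAD_SYSTEM2 = """\
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0x4ecc3218 auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0x9095cd4d auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.3 to 192.168.0.4 spi 0xb6dfa36a auth hmac-sha2-256 enc aes-256
esp tunnel from 192.168.0.4 to 192.168.0.3 spi 0xfa78579f auth hmac-sha2-256 enc aes-256
"""

# The patterns search the whole text instead of splitting on newlines, so
# they also work on output that has been pasted onto a single line.
SPI = r"(0x[0-9a-f]+)"
REKEY_REQ = re.compile(r"ikev2_send_create_child_sa: rekeying ESP spi " + SPI)
REKEY_OLD = re.compile(r"ikev2_init_create_child_sa: rekeying CHILD SA old " + SPI)
DELETE = re.compile(r"ikev2_pld_delete: spi " + SPI)
SAD_ENTRY = re.compile(r"esp tunnel from (\S+) to (\S+) spi " + SPI)


def superseded_spis(log):
    """SPIs the log names as the old side of a rekey (assumed reading)."""
    return set(REKEY_REQ.findall(log)) | set(REKEY_OLD.findall(log))


def deleted_spis(log):
    """SPIs that appear in a DELETE payload in the log."""
    return set(DELETE.findall(log))


def stale_sas(log, sad_listing):
    """(src, dst, spi) SAD entries whose SPI was rekeyed but is still loaded."""
    old = superseded_spis(log)
    return [entry for entry in SAD_ENTRY.findall(sad_listing) if entry[2] in old]


def sas_per_direction(sad_listing):
    """Installed SA count per (src, dst); above 1 means SAs are piling up."""
    return Counter((src, dst) for src, dst, _ in SAD_ENTRY.findall(sad_listing))


if __name__ == "__main__":
    for name, sad in (("System 1", SAD_SYSTEM1), ("System 2", SAD_SYSTEM2)):
        print(name, "SAs per direction:", dict(sas_per_direction(sad)))
        for src, dst, spi in stale_sas(IKED_LOG, sad):
            print(f"  stale: {src} -> {dst} spi {spi}")
    no_delete = superseded_spis(IKED_LOG) - deleted_spis(IKED_LOG)
    print("rekeyed, no DELETE payload in this excerpt:", sorted(no_delete))
```

Running it against a fresh capture after each transfer shows whether the per-direction count keeps growing with every rekey.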

