
Strongswan: security association reauthentication failure
Closed, Resolved (Public)

Description

During the normal course of operation, keys for each Security Association are renegotiated periodically.

In this case I have observed a failure to re-key, leaving berkelium and curium in a state where their IPv6 tunnel was established but their IPv4 tunnel was not.

The purpose of this task is to document and investigate this failure.

ipsec.conf:

config setup
	plutostart=no	# IKEv1 daemon
	charonstart=yes	# IKEv2 daemon
	charondebug="cfg 2, dmn 2"

conn %default
	type=transport
	auto=start
	ike=aes128gcm16-prfsha384-ecp384bp!
	esp=aes128gcm16-null-ecp384bp-noesn!

conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
	left=10.64.0.169
	leftcert=berkelium.eqiad.wmnet.pem
	right=10.64.0.170
	rightid="CN=curium.eqiad.wmnet"

conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6
	left=2620::861:101:10:64:0:169
	leftcert=berkelium.eqiad.wmnet.pem
	right=2620::861:101:10:64:0:170
	rightid="CN=curium.eqiad.wmnet"

At first, the connections are stable for 40 hours since the service was started:

gage@curium:~$ sudo grep curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4 /var/log/syslog | grep established | grep charon | tail
Apr 13 22:06:13 curium charon: 07[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{565124} established with SPIs c9e5dc9c_i c6877e2a_o and TS 10.64.0.170/32 === 10.64.0.169/32
Apr 13 22:06:13 curium charon: 13[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[569456] established between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 13 22:06:13 curium charon: 13[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{565126} established with SPIs cca00f80_i ce610bd5_o and TS 10.64.0.170/32 === 10.64.0.169/32
Apr 13 22:06:13 curium charon: 09[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[569458] established between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 13 22:06:13 curium charon: 09[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{565128} established with SPIs c22c0729_i cdd18a8c_o and TS 10.64.0.170/32 === 10.64.0.169/32
Apr 13 22:06:13 curium charon: 07[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[569460] established between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 13 22:06:13 curium charon: 07[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{565130} established with SPIs c8915ef5_i cfa99ba8_o and TS 10.64.0.170/32 === 10.64.0.169/32
Apr 13 22:06:14 curium charon: 14[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[1] established between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 13 22:06:14 curium charon: 14[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{2} established with SPIs c7a23aef_i c9480225_o and TS 10.64.0.170/32 === 10.64.0.169/32
Apr 13 22:08:58 curium charon: 04[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[8] established between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]

Then something bad happens, "reauthenticating IKE_SA failed":

Berkelium:

Apr 14 00:47:26 berkelium charon: 15[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861]
Apr 14 00:47:26 berkelium charon: 15[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
Apr 14 00:47:26 berkelium charon: 15[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861]
Apr 14 00:47:26 berkelium charon: 15[ENC] generating INFORMATIONAL request 2 [ D ]
Apr 14 00:47:26 berkelium charon: 15[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
Apr 14 00:47:26 berkelium charon: 02[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
Apr 14 00:47:26 berkelium charon: 02[ENC] parsed INFORMATIONAL response 2 [ ]
Apr 14 00:47:26 berkelium charon: 02[IKE] IKE_SA deleted
Apr 14 00:47:26 berkelium charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Apr 14 00:47:26 berkelium charon: 02[IKE] reauthenticating IKE_SA failed

Curium:

Apr 14 00:47:26 curium charon: 05[NET] received packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
Apr 14 00:47:26 curium charon: 05[ENC] parsed INFORMATIONAL request 2 [ D ]
Apr 14 00:47:26 curium charon: 05[IKE] received DELETE for IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[8]
Apr 14 00:47:26 curium charon: 05[IKE] deleting IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[8] between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 14 00:47:26 curium charon: 05[IKE] IKE_SA deleted
Apr 14 00:47:26 curium charon: 05[ENC] generating INFORMATIONAL response 2 [ ]
Apr 14 00:47:26 curium charon: 05[NET] sending packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)

43 minutes later, another attempt to reauthenticate both connections was made in the same second. It's not clear whether "detected CHILD_REKEY collision with CHILD_REKEY" is the root problem:

Berkelium:

Apr 14 01:30:21 berkelium charon: 09[KNL] creating rekey job for ESP CHILD_SA with SPI cb232dc6 and reqid {6}
Apr 14 01:30:21 berkelium charon: 09[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6}
Apr 14 01:30:21 berkelium charon: 09[CFG] proposing traffic selectors for us:
Apr 14 01:30:21 berkelium charon: 09[CFG]  2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 berkelium charon: 09[CFG] proposing traffic selectors for other:
Apr 14 01:30:21 berkelium charon: 09[CFG]  2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium charon: 09[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium charon: 09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 berkelium charon: 09[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (365 bytes)
Apr 14 01:30:21 berkelium charon: 02[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (345 bytes)
Apr 14 01:30:21 berkelium charon: 02[ENC] parsed CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 berkelium charon: 02[CFG] selecting proposal:
Apr 14 01:30:21 berkelium charon: 02[CFG]   proposal matches
Apr 14 01:30:21 berkelium charon: 02[CFG] received proposals: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium charon: 02[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium charon: 02[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium charon: 02[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 berkelium charon: 02[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 berkelium charon: 02[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 berkelium charon: 02[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium charon: 02[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6} established with SPIs ca1b3e92_i c6f2a77f_o and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium charon: 02[IKE] closing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6} with SPIs cb232dc6_i (0 bytes) ccfce600_o (0 bytes) and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium charon: 02[IKE] sending DELETE for ESP CHILD_SA with SPI cb232dc6
Apr 14 01:30:21 berkelium charon: 02[ENC] generating INFORMATIONAL request 1 [ D ]
Apr 14 01:30:21 berkelium charon: 02[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (69 bytes)
Apr 14 01:30:21 berkelium charon: 12[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (365 bytes)
Apr 14 01:30:21 berkelium charon: 12[ENC] parsed CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 5+5
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] found matching child config "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 10
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] selecting proposal:
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]   proposal matches
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] received proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 09[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6} established with SPIs cb232dc6_i ccfce600_o and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Apr 14 01:30:21 berkelium ipsec[3528]: 09[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1806 bytes)

Apr 14 01:30:21 berkelium ipsec[3528]: 15[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861]
Apr 14 01:30:21 berkelium ipsec[3528]: 15[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
Apr 14 01:30:21 berkelium ipsec[3528]: 15[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[861]
Apr 14 01:30:21 berkelium ipsec[3528]: 15[ENC] generating INFORMATIONAL request 2 [ D ]
Apr 14 01:30:21 berkelium ipsec[3528]: 15[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
Apr 14 01:30:21 berkelium ipsec[3528]: 02[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
Apr 14 01:30:21 berkelium ipsec[3528]: 02[ENC] parsed INFORMATIONAL response 2 [ ]
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] IKE_SA deleted
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] reauthenticating IKE_SA failed
Apr 14 01:30:21 berkelium ipsec[3528]: 09[KNL] creating rekey job for ESP CHILD_SA with SPI cb232dc6 and reqid {6}
Apr 14 01:30:21 berkelium charon: 12[IKE] unable to rekey, CHILD_SA not found
Apr 14 01:30:21 berkelium charon: 12[IKE] detected CHILD_REKEY collision with CHILD_REKEY
Apr 14 01:30:21 berkelium charon: 12[ENC] generating CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Apr 14 01:30:21 berkelium charon: 12[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (65 bytes)
Apr 14 01:30:21 berkelium charon: 06[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (69 bytes)
Apr 14 01:30:21 berkelium charon: 06[ENC] parsed INFORMATIONAL response 1 [ D ]
Apr 14 01:30:21 berkelium charon: 06[IKE] received DELETE for ESP CHILD_SA with SPI ccfce600
Apr 14 01:30:21 berkelium charon: 06[IKE] CHILD_SA closed
Apr 14 01:30:21 berkelium ipsec[3528]: 09[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6}
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] proposing traffic selectors for us:
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]  2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] proposing traffic selectors for other:
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG]  2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 09[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 09[ENC] generating CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 berkelium ipsec[3528]: 09[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (365 bytes)
Apr 14 01:30:21 berkelium ipsec[3528]: 02[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (345 bytes)
Apr 14 01:30:21 berkelium ipsec[3528]: 02[ENC] parsed CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] selecting proposal:
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG]   proposal matches
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] received proposals: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 berkelium ipsec[3528]: 02[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6} established with SPIs ca1b3e92_i c6f2a77f_o and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] closing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{6} with SPIs cb232dc6_i (0 bytes) ccfce600_o (0 bytes) and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 berkelium ipsec[3528]: 02[IKE] sending DELETE for ESP CHILD_SA with SPI cb232dc6
Apr 14 01:30:21 berkelium ipsec[3528]: 02[ENC] generating INFORMATIONAL request 1 [ D ]
Apr 14 01:30:21 berkelium ipsec[3528]: 02[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (69 bytes)
Apr 14 01:30:21 berkelium ipsec[3528]: 12[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (365 bytes)

Curium:

Apr 14 01:30:21 curium charon: 07[NET] received packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (365 bytes)
Apr 14 01:30:21 curium charon: 07[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 curium charon: 11[KNL] creating rekey job for ESP CHILD_SA with SPI cb232dc6 and reqid {1}
Apr 14 01:30:21 curium charon: 07[CFG] selecting proposal:
Apr 14 01:30:21 curium charon: 07[CFG]   proposal matches
Apr 14 01:30:21 curium charon: 07[CFG] received proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium charon: 07[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium charon: 07[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium charon: 07[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 curium charon: 07[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 curium charon: 07[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 curium charon: 07[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium charon: 07[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6{1} established with SPIs c6f2a77f_i ca1b3e92_o and TS 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium charon: 07[ENC] generating CREATE_CHILD_SA response 0 [ N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 curium charon: 07[NET] sending packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (345 bytes)
Apr 14 01:30:21 curium charon: 11[IKE] establishing CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6{1}
Apr 14 01:30:21 curium charon: 11[CFG] proposing traffic selectors for us:
Apr 14 01:30:21 curium charon: 11[CFG]  2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 curium charon: 11[CFG] proposing traffic selectors for other:
Apr 14 01:30:21 curium charon: 11[CFG]  2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium charon: 11[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium charon: 11[ENC] generating CREATE_CHILD_SA request 2 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 curium charon: 11[NET] sending packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (365 bytes)
Apr 14 01:30:21 curium charon: 12[NET] received packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (69 bytes)
Apr 14 01:30:21 curium charon: 12[ENC] parsed INFORMATIONAL request 1 [ D ]
Apr 14 01:30:21 curium charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI cb232dc6
Apr 14 01:30:21 curium charon: 12[IKE] closing CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6{1} with SPIs ccfce600_i (0 bytes) cb232dc6_o (0 bytes) and TS 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI ccfce600
Apr 14 01:30:21 curium charon: 12[IKE] CHILD_SA closed
Apr 14 01:30:21 curium charon: 12[IKE] detected CHILD_REKEY collision with CHILD_DELETE
Apr 14 01:30:21 curium charon: 12[ENC] generating INFORMATIONAL response 1 [ D ]
Apr 14 01:30:21 curium charon: 12[NET] sending packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (69 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 08[CFG] proposing traffic selectors for us:
Apr 14 01:30:21 curium ipsec[8211]: 08[CFG]  2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 curium ipsec[8211]: 08[CFG] proposing traffic selectors for other:
Apr 14 01:30:21 curium ipsec[8211]: 08[CFG]  2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium ipsec[8211]: 08[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 08[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
Apr 14 01:30:21 curium ipsec[8211]: 08[NET] sending packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1887 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 10[NET] received packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1806 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 10[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] received end entity cert "CN=berkelium.eqiad.wmnet"
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   using certificate "CN=berkelium.eqiad.wmnet"
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   certificate "CN=berkelium.eqiad.wmnet" key: 4096 bit RSA
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] checking certificate status of "CN=berkelium.eqiad.wmnet"
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] ocsp check skipped, no ocsp found
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] certificate status is not available
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   reached self-signed root ca with a path length of 0
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] authentication of 'CN=berkelium.eqiad.wmnet' with RSA signature successful
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6[9] established between 2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]...2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] scheduling reauthentication in 10028s
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] maximum IKE_SA lifetime 10568s
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] selecting proposal:
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]   proposal matches
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 curium charon: 15[NET] received packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (65 bytes)
Apr 14 01:30:21 curium charon: 15[ENC] parsed CREATE_CHILD_SA response 2 [ N(NO_PROP) ]
Apr 14 01:30:21 curium charon: 15[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
Apr 14 01:30:21 curium charon: 15[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium charon: 15[IKE] failed to establish CHILD_SA, keeping IKE_SA
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 curium ipsec[8211]: 10[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] CHILD_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6{1} established with SPIs ccfce600_i cb232dc6_o and TS 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] received AUTH_LIFETIME of 9889s, scheduling reauthentication in 9349s
Apr 14 01:30:21 curium ipsec[8211]: 10[IKE] peer supports MOBIKE
Apr 14 01:30:21 curium ipsec[8211]: 05[NET] received packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 05[ENC] parsed INFORMATIONAL request 2 [ D ]
Apr 14 01:30:21 curium ipsec[8211]: 05[IKE] received DELETE for IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[8]
Apr 14 01:30:21 curium ipsec[8211]: 05[IKE] deleting IKE_SA curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[8] between 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
Apr 14 01:30:21 curium ipsec[8211]: 05[IKE] IKE_SA deleted
Apr 14 01:30:21 curium ipsec[8211]: 05[ENC] generating INFORMATIONAL response 2 [ ]
Apr 14 01:30:21 curium ipsec[8211]: 05[NET] sending packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 07[NET] received packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (365 bytes)
Apr 14 01:30:21 curium ipsec[8211]: 07[ENC] parsed CREATE_CHILD_SA request 0 [ N(REKEY_SA) N(USE_TRANSP) SA No KE TSi TSr ]
Apr 14 01:30:21 curium ipsec[8211]: 11[KNL] creating rekey job for ESP CHILD_SA with SPI cb232dc6 and reqid {1}
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] selecting proposal:
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG]   proposal matches
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] received proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] selected proposal: ESP:AES_GCM_16_128/ECP_384_BP/NO_EXT_SEQ
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] selecting traffic selectors for us:
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG] selecting traffic selectors for other:
Apr 14 01:30:21 curium ipsec[8211]: 07[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128

No further attempts to reestablish the IPv4 SA are logged over the next 25 hours.

Resulting state:

gage@berkelium:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.19.0-trunk-amd64, x86_64):
  uptime: 27 hours, since Apr 13 22:05:39 2015
  malloc: sbrk 2580480, mmap 0, used 429296, free 2151184
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  10.64.0.169
  2620:0:861:101:862b:2bff:fefd:be64
  2620:0:861:101:10:64:0:169
Connections:
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4:  10.64.0.169...10.64.0.170  IKEv1/2
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4:   local:  [CN=berkelium.eqiad.wmnet] uses public key authentication
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4:    cert:  "CN=berkelium.eqiad.wmnet"
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4:   remote: [CN=curium.eqiad.wmnet] uses public key authentication
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4:   child:  dynamic === dynamic TRANSPORT
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6:  2620::861:101:10:64:0:169...2620::861:101:10:64:0:170  IKEv1/2
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6:   local:  [CN=berkelium.eqiad.wmnet] uses public key authentication
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6:    cert:  "CN=berkelium.eqiad.wmnet"
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6:   remote: [CN=curium.eqiad.wmnet] uses public key authentication
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[873]: ESTABLISHED 87 minutes ago, 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[873]: IKEv2 SPIs: 17e2969c5a1e329e_i e7b5ad1d84e3bd5f_r*, public key reauthentication in 78 minutes
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[873]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{15}:  INSTALLED, TRANSPORT, ESP SPIs: c5e592be_i cff7c454_o
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{15}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 3 minutes
berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{15}:   2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128

There are no events in dmesg from these times. Connection is across a LAN and there is no indication of network interruption.

To assist with further investigation, I have modified rsyslog.conf on both hosts to use high-resolution timestamps.
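
An added example, not part of the original task or of strongSwan: a small log check that reports every IKE_SA that was deleted and never re-established, which is the state described above. The sample lines, host names and connection names are constructed. It reads only lines tagged "charon:" on the assumption that "ipsec[pid]:" lines are copies of the same messages, and it attributes a "reauthenticating IKE_SA failed" line to the most recent reauthentication logged on that host, which is a heuristic because that line carries no connection name.

```python
import re

# Constructed sample in the same syslog format as the excerpts above
# (hypothetical hosts, connection names and documentation addresses).
SAMPLE_LOG = """\
Apr 13 22:06:14 hosta charon: 14[IKE] IKE_SA a-b_by_ipv4[1] established between 192.0.2.1[CN=hosta]...192.0.2.2[CN=hostb]
Apr 13 22:06:14 hosta charon: 09[IKE] IKE_SA a-b_by_ipv6[2] established between 2001:db8::1[CN=hosta]...2001:db8::2[CN=hostb]
Apr 14 00:47:26 hosta charon: 15[IKE] reauthenticating IKE_SA a-b_by_ipv4[1]
Apr 14 00:47:26 hosta charon: 15[IKE] deleting IKE_SA a-b_by_ipv4[1] between 192.0.2.1[CN=hosta]...192.0.2.2[CN=hostb]
Apr 14 00:47:26 hosta charon: 02[IKE] IKE_SA deleted
Apr 14 00:47:26 hosta charon: 02[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Apr 14 00:47:26 hosta charon: 02[IKE] reauthenticating IKE_SA failed
Apr 14 00:47:26 hosta ipsec[3528]: 02[IKE] reauthenticating IKE_SA failed
Apr 14 01:30:21 hosta charon: 11[IKE] reauthenticating IKE_SA a-b_by_ipv6[2]
Apr 14 01:30:21 hosta charon: 11[IKE] deleting IKE_SA a-b_by_ipv6[2] between 2001:db8::1[CN=hosta]...2001:db8::2[CN=hostb]
Apr 14 01:30:21 hosta charon: 10[IKE] IKE_SA a-b_by_ipv6[3] established between 2001:db8::1[CN=hosta]...2001:db8::2[CN=hostb]
"""

# Accepts both the classic syslog timestamp ("Apr 14 00:47:26") and the
# high-resolution ISO form ("2015-04-15T13:13:50.769157+00:00").
LINE_RE = re.compile(
    r"^(?P<ts>\S+(?: +\d+ \d\d:\d\d:\d\d)?) (?P<host>\S+) charon: "
    r"\d+\[IKE\] (?P<msg>.*)$"
)
ESTABLISHED_RE = re.compile(r"^IKE_SA (?P<conn>\S+)\[\d+\] established between")
DELETED_RE = re.compile(r"^(?:deleting|received DELETE for) IKE_SA (?P<conn>\S+)\[\d+\]")
REAUTH_RE = re.compile(r"^reauthenticating IKE_SA (?P<conn>\S+)\[\d+\]$")
REAUTH_FAILED = "reauthenticating IKE_SA failed"


def find_stuck_connections(log_text):
    """Return sorted (host, conn, down_since, reauth_failed) tuples for every
    IKE_SA that was deleted with no later 'established' line on that host."""
    state = {}           # (host, conn) -> {"up", "since", "failed"}
    pending_reauth = {}  # host -> conn named in the latest reauthentication

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # other daemons, other subsystems, ipsec[pid] copies
        host, ts, msg = m["host"], m["ts"], m["msg"]

        if msg == REAUTH_FAILED:
            conn = pending_reauth.get(host)
            if conn is not None:
                entry = state.setdefault(
                    (host, conn), {"up": False, "since": ts, "failed": False})
                entry["failed"] = True
            continue

        est = ESTABLISHED_RE.match(msg)
        if est:
            # A fresh IKE_SA clears any earlier failure for this connection.
            state[(host, est["conn"])] = {"up": True, "since": ts, "failed": False}
            continue

        reauth = REAUTH_RE.match(msg)
        if reauth:
            pending_reauth[host] = reauth["conn"]
            continue

        deleted = DELETED_RE.match(msg)
        if deleted:
            entry = state.setdefault(
                (host, deleted["conn"]), {"up": False, "since": ts, "failed": False})
            if entry["up"]:
                # Keep the time of the first delete, not of repeated lines.
                entry.update(up=False, since=ts)

    return sorted(
        (host, conn, e["since"], e["failed"])
        for (host, conn), e in state.items()
        if not e["up"]
    )


if __name__ == "__main__":
    for host, conn, since, failed in find_stuck_connections(SAMPLE_LOG):
        reason = "reauthentication failed" if failed else "deleted"
        print(f"{host}: {conn} down since {since} ({reason}, not re-established)")
```

Run against the combined syslog of both peers, a connection that appears in the output long after its "down since" time matches the "1 up, 0 connecting" state shown by ipsec statusall.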

Event Timeline

Gage claimed this task.
Gage raised the priority of this task from to Medium.
Gage updated the task description.
Gage subscribed.
Gage set Security to None.

I spoke with Tobias from Strongswan on IRC about this:

<+ecdsa> jgage: The log you posted shows a rekey collision for the IPv6 SA, but that seems to be handled correctly. The reauthentication for the IPv4 SA fails because it apparently has no CHILD_SA anymore. Unfortunately, we don't see why in the log.
< jgage> ecdsa: would increasing the log level for some subsystems help to identify the problem? or is this something you've seen before? perhaps making v4 + v6 connections between a pair of hosts breaks some assumptions?
<+ecdsa> jgage: No log levels look OK. I don't think it's a problem with the config as such. But auto=start on both ends is not optimal (should be better with 5.3.0 now though), auto=route might be a better choice. Also if you don't really need reauthentication (e.g. to regularly verify the certificates are still valid) disabling it (reauth=no) might also be an option (although in this case the CHILD_SA was apparently gone before, so it would not have helped, unless there were some problem during an earlier reauth). With 5.3.0 there is also a new make-before-break reauthentication for IKEv2 that avoids the gap during reauth, when there are no SAs installed because they are first deleted and then recreated.
<+ecdsa> jgage: No it's not the default as it is incompatible with older strongSwan releases. You'd have to enable it with charon.make_before_break in strongswan.conf.

I reduced some timeouts in order to recreate the problem; config changes suggested by ecdsa have not yet been made:

conn %default
        ikelifetime=6m
        lifetime=6m
        rekeyfuzz=0%
        margintime=1m
        keyingtries=%forever

This quickly triggered the behavior. This time it's the IPv6 connection that is not established:

gage@curium:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.19.0-trunk-amd64, x86_64):
  uptime: 22 minutes, since Apr 15 13:13:53 2015
  malloc: sbrk 2580480, mmap 0, used 381120, free 2199360
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  10.64.0.170
  2620:0:861:101:862b:2bff:fefd:be6d
  2620:0:861:101:10:64:0:170
Connections:
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4:  10.64.0.170...10.64.0.169  IKEv1/2
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4:   local:  [CN=curium.eqiad.wmnet] uses public key authentication
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4:    cert:  "CN=curium.eqiad.wmnet"
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4:   remote: [CN=berkelium.eqiad.wmnet] uses public key authentication
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4:   child:  dynamic === dynamic TRANSPORT
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6:  2620::861:101:10:64:0:170...2620::861:101:10:64:0:169  IKEv1/2
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6:   local:  [CN=curium.eqiad.wmnet] uses public key authentication
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6:    cert:  "CN=curium.eqiad.wmnet"
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6:   remote: [CN=berkelium.eqiad.wmnet] uses public key authentication
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv6:   child:  dynamic === dynamic TRANSPORT
Security Associations (1 up, 0 connecting):
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[9]: ESTABLISHED 2 minutes ago, 10.64.0.170[CN=curium.eqiad.wmnet]...10.64.0.169[CN=berkelium.eqiad.wmnet]
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[9]: IKEv2 SPIs: 46a8b8b8776b91a6_i 18deeb67a2053fe6_r*, public key reauthentication in 2 minutes
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4[9]: IKE proposal: AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{9}:  INSTALLED, TRANSPORT, ESP SPIs: c24cb949_i c533bc7c_o
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{9}:  AES_GCM_16_128, 0 bytes_i, 0 bytes_o, rekeying in 2 minutes
curium.eqiad.wmnet-berkelium.eqiad.wmnet_by_ipv4{9}:   10.64.0.170/32 === 10.64.0.169/32

Logs preceding the failure:

2015-04-15T13:13:50.769157+00:00 berkelium systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
2015-04-15T13:13:50.769739+00:00 berkelium systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
2015-04-15T13:13:50.776728+00:00 berkelium ipsec[10698]: Starting strongSwan 5.2.1 IPsec [starter]...
2015-04-15T13:13:50.776943+00:00 berkelium ipsec[10698]: # deprecated keyword 'charonstart' in config setup
2015-04-15T13:13:50.777153+00:00 berkelium ipsec[10698]: # deprecated keyword 'plutostart' in config setup
2015-04-15T13:13:50.777360+00:00 berkelium ipsec[10698]: ### 2 parsing errors (0 fatal) ###
2015-04-15T13:13:50.787759+00:00 berkelium charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.19.0-trunk-amd64, x86_64)
2015-04-15T13:13:50.793887+00:00 berkelium charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2015-04-15T13:13:50.794150+00:00 berkelium charon: 00[CFG]   loaded ca certificate "CN=sockpuppet.pmtpa.wmnet" from '/etc/ipsec.d/cacerts/ca.pem'
2015-04-15T13:13:50.794377+00:00 berkelium charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2015-04-15T13:13:50.794599+00:00 berkelium charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2015-04-15T13:13:50.794818+00:00 berkelium charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2015-04-15T13:13:50.795043+00:00 berkelium charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
2015-04-15T13:13:50.795265+00:00 berkelium charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
2015-04-15T13:13:50.848647+00:00 berkelium charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:50.848926+00:00 berkelium charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
2015-04-15T13:13:50.849230+00:00 berkelium charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
2015-04-15T13:13:50.849465+00:00 berkelium charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
2015-04-15T13:13:50.849689+00:00 berkelium charon: 00[JOB] spawning 16 worker threads
2015-04-15T13:13:50.865953+00:00 berkelium charon: 05[CFG] received stroke: add connection 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:50.866177+00:00 berkelium charon: 05[CFG] conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:13:50.866404+00:00 berkelium charon: 05[CFG]   left=10.64.0.169
2015-04-15T13:13:50.866643+00:00 berkelium charon: 05[CFG]   leftcert=berkelium.eqiad.wmnet.pem
2015-04-15T13:13:50.866966+00:00 berkelium charon: 05[CFG]   right=10.64.0.170
2015-04-15T13:13:50.867218+00:00 berkelium charon: 05[CFG]   rightid=CN=curium.eqiad.wmnet
2015-04-15T13:13:50.867563+00:00 berkelium charon: 05[CFG]   ike=aes128gcm16-prfsha384-ecp384bp!
2015-04-15T13:13:50.867908+00:00 berkelium charon: 05[CFG]   esp=aes128gcm16-null-ecp384bp-noesn!
2015-04-15T13:13:50.868230+00:00 berkelium charon: 05[CFG]   dpddelay=30
2015-04-15T13:13:50.868550+00:00 berkelium charon: 05[CFG]   dpdtimeout=150
2015-04-15T13:13:50.868869+00:00 berkelium charon: 05[CFG]   mediation=no
2015-04-15T13:13:50.869189+00:00 berkelium charon: 05[CFG]   loaded certificate "CN=berkelium.eqiad.wmnet" from 'berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:50.869509+00:00 berkelium charon: 05[CFG]   id '10.64.0.169' not confirmed by certificate, defaulting to 'CN=berkelium.eqiad.wmnet'
2015-04-15T13:13:50.869834+00:00 berkelium charon: 05[CFG] added configuration 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:50.870157+00:00 berkelium charon: 03[CFG] received stroke: initiate 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:50.870476+00:00 berkelium charon: 03[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] to 10.64.0.170
2015-04-15T13:13:50.871133+00:00 berkelium ipsec[10698]: charon (10712) started after 80 ms
2015-04-15T13:13:50.871470+00:00 berkelium charon: 03[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:50.871808+00:00 berkelium charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:50.872099+00:00 berkelium charon: 03[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:13:50.872315+00:00 berkelium charon: 07[CFG] received stroke: add connection 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:50.872539+00:00 berkelium charon: 07[CFG] conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6
2015-04-15T13:13:50.872762+00:00 berkelium charon: 07[CFG]   left=2620::861:101:10:64:0:169
2015-04-15T13:13:50.872984+00:00 berkelium charon: 07[CFG]   leftcert=berkelium.eqiad.wmnet.pem
2015-04-15T13:13:50.873317+00:00 berkelium charon: 07[CFG]   right=2620::861:101:10:64:0:170
2015-04-15T13:13:50.873566+00:00 berkelium charon: 07[CFG]   rightid=CN=curium.eqiad.wmnet
2015-04-15T13:13:50.873905+00:00 berkelium charon: 07[CFG]   ike=aes128gcm16-prfsha384-ecp384bp!
2015-04-15T13:13:50.874232+00:00 berkelium charon: 07[CFG]   esp=aes128gcm16-null-ecp384bp-noesn!
2015-04-15T13:13:50.874560+00:00 berkelium charon: 07[CFG]   dpddelay=30
2015-04-15T13:13:50.874881+00:00 berkelium charon: 07[CFG]   dpdtimeout=150
2015-04-15T13:13:50.875202+00:00 berkelium charon: 07[CFG]   mediation=no
2015-04-15T13:13:50.875522+00:00 berkelium charon: 07[CFG]   loaded certificate "CN=berkelium.eqiad.wmnet" from 'berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:50.875858+00:00 berkelium charon: 07[CFG]   id '2620:0:861:101:10:64:0:169' not confirmed by certificate, defaulting to 'CN=berkelium.eqiad.wmnet'
2015-04-15T13:13:50.876182+00:00 berkelium charon: 07[CFG] added configuration 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:50.876502+00:00 berkelium charon: 10[CFG] received stroke: initiate 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:50.876826+00:00 berkelium charon: 10[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] to 2620:0:861:101:10:64:0:170
2015-04-15T13:13:50.877594+00:00 berkelium charon: 10[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:50.877940+00:00 berkelium charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:50.878206+00:00 berkelium charon: 10[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (264 bytes)
2015-04-15T13:13:53.387550+00:00 berkelium charon: 13[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (264 bytes)
2015-04-15T13:13:53.387843+00:00 berkelium charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.388067+00:00 berkelium charon: 13[CFG] looking for an ike config for 10.64.0.169...10.64.0.170
2015-04-15T13:13:53.388292+00:00 berkelium charon: 13[CFG]   candidate: 10.64.0.169...10.64.0.170, prio 3096
2015-04-15T13:13:53.388515+00:00 berkelium charon: 13[CFG] found matching ike config: 10.64.0.169...10.64.0.170 with prio 3096
2015-04-15T13:13:53.388737+00:00 berkelium charon: 13[IKE] 10.64.0.170 is initiating an IKE_SA
2015-04-15T13:13:53.389183+00:00 berkelium charon: 13[CFG] selecting proposal:
2015-04-15T13:13:53.389406+00:00 berkelium charon: 13[CFG]   proposal matches
2015-04-15T13:13:53.389629+00:00 berkelium charon: 13[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.389852+00:00 berkelium charon: 13[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.390074+00:00 berkelium charon: 13[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.393196+00:00 berkelium charon: 13[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.393497+00:00 berkelium charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:53.393726+00:00 berkelium charon: 13[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (297 bytes)
2015-04-15T13:13:53.393951+00:00 berkelium charon: 14[NET] received packet: from 2620:0:861:101:10:64:0:170[500] to 2620:0:861:101:10:64:0:169[500] (264 bytes)
2015-04-15T13:13:53.394171+00:00 berkelium charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.394393+00:00 berkelium charon: 14[CFG] looking for an ike config for 2620:0:861:101:10:64:0:169...2620:0:861:101:10:64:0:170
2015-04-15T13:13:53.394618+00:00 berkelium charon: 14[CFG]   candidate: 2620::861:101:10:64:0:169...2620::861:101:10:64:0:170, prio 3096
2015-04-15T13:13:53.394841+00:00 berkelium charon: 14[CFG] found matching ike config: 2620::861:101:10:64:0:169...2620::861:101:10:64:0:170 with prio 3096
2015-04-15T13:13:53.395064+00:00 berkelium charon: 14[IKE] 2620:0:861:101:10:64:0:170 is initiating an IKE_SA
2015-04-15T13:13:53.395503+00:00 berkelium charon: 14[CFG] selecting proposal:
2015-04-15T13:13:53.395736+00:00 berkelium charon: 14[CFG]   proposal matches
2015-04-15T13:13:53.395959+00:00 berkelium charon: 14[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.396183+00:00 berkelium charon: 14[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.396405+00:00 berkelium charon: 14[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.396640+00:00 berkelium ipsec[10698]: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.19.0-trunk-amd64, x86_64)
2015-04-15T13:13:53.396865+00:00 berkelium ipsec[10698]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
2015-04-15T13:13:53.397084+00:00 berkelium ipsec[10698]: 00[CFG]   loaded ca certificate "CN=sockpuppet.pmtpa.wmnet" from '/etc/ipsec.d/cacerts/ca.pem'
2015-04-15T13:13:53.397301+00:00 berkelium ipsec[10698]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
2015-04-15T13:13:53.397520+00:00 berkelium ipsec[10698]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
2015-04-15T13:13:53.397739+00:00 berkelium ipsec[10698]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
2015-04-15T13:13:53.397960+00:00 berkelium ipsec[10698]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
2015-04-15T13:13:53.398178+00:00 berkelium ipsec[10698]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
2015-04-15T13:13:53.398395+00:00 berkelium ipsec[10698]: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:53.398612+00:00 berkelium ipsec[10698]: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
2015-04-15T13:13:53.398830+00:00 berkelium ipsec[10698]: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
2015-04-15T13:13:53.399048+00:00 berkelium ipsec[10698]: 00[LIB] dropped capabilities, running as uid 0, gid 0
2015-04-15T13:13:53.399266+00:00 berkelium ipsec[10698]: 00[JOB] spawning 16 worker threads
2015-04-15T13:13:53.399483+00:00 berkelium ipsec[10698]: 05[CFG] received stroke: add connection 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:53.399715+00:00 berkelium ipsec[10698]: 05[CFG] conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:13:53.399935+00:00 berkelium ipsec[10698]: 05[CFG]   left=10.64.0.169
2015-04-15T13:13:53.400154+00:00 berkelium ipsec[10698]: 05[CFG]   leftcert=berkelium.eqiad.wmnet.pem
2015-04-15T13:13:53.400372+00:00 berkelium ipsec[10698]: 05[CFG]   right=10.64.0.170
2015-04-15T13:13:53.400589+00:00 berkelium ipsec[10698]: 05[CFG]   rightid=CN=curium.eqiad.wmnet
2015-04-15T13:13:53.400805+00:00 berkelium ipsec[10698]: 05[CFG]   ike=aes128gcm16-prfsha384-ecp384bp!
2015-04-15T13:13:53.401022+00:00 berkelium ipsec[10698]: 05[CFG]   esp=aes128gcm16-null-ecp384bp-noesn!
2015-04-15T13:13:53.401239+00:00 berkelium ipsec[10698]: 05[CFG]   dpddelay=30
2015-04-15T13:13:53.401456+00:00 berkelium ipsec[10698]: 05[CFG]   dpdtimeout=150
2015-04-15T13:13:53.401673+00:00 berkelium ipsec[10698]: 05[CFG]   mediation=no
2015-04-15T13:13:53.401890+00:00 berkelium ipsec[10698]: 05[CFG]   loaded certificate "CN=berkelium.eqiad.wmnet" from 'berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:53.402108+00:00 berkelium ipsec[10698]: 05[CFG]   id '10.64.0.169' not confirmed by certificate, defaulting to 'CN=berkelium.eqiad.wmnet'
2015-04-15T13:13:53.402329+00:00 berkelium ipsec[10698]: 05[CFG] added configuration 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:53.402548+00:00 berkelium ipsec[10698]: 03[CFG] received stroke: initiate 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:53.402766+00:00 berkelium ipsec[10698]: 03[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] to 10.64.0.170
2015-04-15T13:13:53.402984+00:00 berkelium ipsec[10698]: 03[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.403205+00:00 berkelium charon: 14[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.403430+00:00 berkelium charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:53.403659+00:00 berkelium charon: 14[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (297 bytes)
2015-04-15T13:13:53.403898+00:00 berkelium ipsec[10698]: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.404121+00:00 berkelium ipsec[10698]: 03[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:13:53.404340+00:00 berkelium ipsec[10698]: 07[CFG] received stroke: add connection 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:53.404559+00:00 berkelium ipsec[10698]: 07[CFG] conn berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6
2015-04-15T13:13:53.404776+00:00 berkelium ipsec[10698]: 07[CFG]   left=2620::861:101:10:64:0:169
2015-04-15T13:13:53.404994+00:00 berkelium ipsec[10698]: 07[CFG]   leftcert=berkelium.eqiad.wmnet.pem
2015-04-15T13:13:53.405215+00:00 berkelium ipsec[10698]: 07[CFG]   right=2620::861:101:10:64:0:170
2015-04-15T13:13:53.405433+00:00 berkelium ipsec[10698]: 07[CFG]   rightid=CN=curium.eqiad.wmnet
2015-04-15T13:13:53.405651+00:00 berkelium ipsec[10698]: 07[CFG]   ike=aes128gcm16-prfsha384-ecp384bp!
2015-04-15T13:13:53.405869+00:00 berkelium ipsec[10698]: 07[CFG]   esp=aes128gcm16-null-ecp384bp-noesn!
2015-04-15T13:13:53.406088+00:00 berkelium ipsec[10698]: 07[CFG]   dpddelay=30
2015-04-15T13:13:53.406311+00:00 berkelium ipsec[10698]: 07[CFG]   dpdtimeout=150
2015-04-15T13:13:53.406529+00:00 berkelium ipsec[10698]: 07[CFG]   mediation=no
2015-04-15T13:13:53.406747+00:00 berkelium ipsec[10698]: 07[CFG]   loaded certificate "CN=berkelium.eqiad.wmnet" from 'berkelium.eqiad.wmnet.pem'
2015-04-15T13:13:53.406966+00:00 berkelium ipsec[10698]: 07[CFG]   id '2620:0:861:101:10:64:0:169' not confirmed by certificate, defaulting to 'CN=berkelium.eqiad.wmnet'
2015-04-15T13:13:53.407185+00:00 berkelium ipsec[10698]: 07[CFG] added configuration 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:53.407406+00:00 berkelium ipsec[10698]: 10[CFG] received stroke: initiate 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:53.407624+00:00 berkelium ipsec[10698]: 10[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] to 2620:0:861:101:10:64:0:170
2015-04-15T13:13:53.407852+00:00 berkelium ipsec[10698]: 10[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.408070+00:00 berkelium ipsec[10698]: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.408291+00:00 berkelium ipsec[10698]: 10[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (264 bytes)
2015-04-15T13:13:53.408508+00:00 berkelium ipsec[10698]: 13[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (264 bytes)
2015-04-15T13:13:53.408727+00:00 berkelium ipsec[10698]: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.408945+00:00 berkelium ipsec[10698]: 13[CFG] looking for an ike config for 10.64.0.169...10.64.0.170
2015-04-15T13:13:53.409163+00:00 berkelium ipsec[10698]: 13[CFG]   candidate: 10.64.0.169...10.64.0.170, prio 3096
2015-04-15T13:13:53.409381+00:00 berkelium ipsec[10698]: 13[CFG] found matching ike config: 10.64.0.169...10.64.0.170 with prio 3096
2015-04-15T13:13:53.409601+00:00 berkelium ipsec[10698]: 13[IKE] 10.64.0.170 is initiating an IKE_SA
2015-04-15T13:13:53.409820+00:00 berkelium ipsec[10698]: 13[CFG] selecting proposal:
2015-04-15T13:13:53.410037+00:00 berkelium ipsec[10698]: 13[CFG]   proposal matches
2015-04-15T13:13:53.410254+00:00 berkelium ipsec[10698]: 13[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.410474+00:00 berkelium ipsec[10698]: 13[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.410700+00:00 berkelium ipsec[10698]: 13[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.430657+00:00 berkelium charon: 04[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1851 bytes)
2015-04-15T13:13:53.430929+00:00 berkelium charon: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:53.431159+00:00 berkelium charon: 04[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.431388+00:00 berkelium charon: 04[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.431614+00:00 berkelium charon: 04[CFG] looking for peer configs matching 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.431855+00:00 berkelium charon: 04[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4", match: 20/20/3096 (me/other/ike)
2015-04-15T13:13:53.432078+00:00 berkelium charon: 04[CFG] selected peer config 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:53.432301+00:00 berkelium charon: 04[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.432523+00:00 berkelium charon: 04[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:53.432746+00:00 berkelium charon: 04[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.432971+00:00 berkelium charon: 04[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.433195+00:00 berkelium charon: 04[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:53.433418+00:00 berkelium charon: 04[CFG] certificate status is not available
2015-04-15T13:13:53.433641+00:00 berkelium charon: 04[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:53.433866+00:00 berkelium charon: 04[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:53.434090+00:00 berkelium charon: 04[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:53.434312+00:00 berkelium charon: 04[IKE] peer supports MOBIKE
2015-04-15T13:13:53.448413+00:00 berkelium charon: 05[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1887 bytes)
2015-04-15T13:13:53.448680+00:00 berkelium charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:53.448911+00:00 berkelium charon: 05[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.449141+00:00 berkelium charon: 05[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.449365+00:00 berkelium charon: 05[CFG] looking for peer configs matching 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.449589+00:00 berkelium charon: 05[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6", match: 20/20/3096 (me/other/ike)
2015-04-15T13:13:53.449812+00:00 berkelium charon: 05[CFG] selected peer config 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:53.450035+00:00 berkelium charon: 05[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.450258+00:00 berkelium charon: 05[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:53.450480+00:00 berkelium charon: 05[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.450706+00:00 berkelium charon: 05[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.450931+00:00 berkelium charon: 05[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:53.451154+00:00 berkelium charon: 05[CFG] certificate status is not available
2015-04-15T13:13:53.451377+00:00 berkelium charon: 05[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:53.451600+00:00 berkelium charon: 05[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:53.451869+00:00 berkelium charon: 05[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:53.452094+00:00 berkelium charon: 05[IKE] peer supports MOBIKE
2015-04-15T13:13:53.464048+00:00 berkelium charon: 04[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:53.464329+00:00 berkelium charon: 04[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.464829+00:00 berkelium charon: 04[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:53.465076+00:00 berkelium charon: 04[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:53.465323+00:00 berkelium charon: 04[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:53.465570+00:00 berkelium charon: 04[CFG] looking for a child config for 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:13:53.465817+00:00 berkelium charon: 04[CFG] proposing traffic selectors for us:
2015-04-15T13:13:53.466063+00:00 berkelium charon: 04[CFG]  10.64.0.169/32
2015-04-15T13:13:53.466310+00:00 berkelium charon: 04[CFG] proposing traffic selectors for other:
2015-04-15T13:13:53.466560+00:00 berkelium charon: 04[CFG]  10.64.0.170/32
2015-04-15T13:13:53.466806+00:00 berkelium charon: 04[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4" with prio 5+5
2015-04-15T13:13:53.467053+00:00 berkelium charon: 04[CFG] found matching child config "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4" with prio 10
2015-04-15T13:13:53.467299+00:00 berkelium charon: 04[CFG] selecting proposal:
2015-04-15T13:13:53.467545+00:00 berkelium charon: 04[CFG]   proposal matches
2015-04-15T13:13:53.467819+00:00 berkelium charon: 04[CFG] received proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:53.468066+00:00 berkelium charon: 04[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:53.468314+00:00 berkelium charon: 04[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:53.468558+00:00 berkelium charon: 04[CFG] selecting traffic selectors for us:
2015-04-15T13:13:53.468803+00:00 berkelium charon: 04[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:13:53.469048+00:00 berkelium charon: 04[CFG] selecting traffic selectors for other:
2015-04-15T13:13:53.469293+00:00 berkelium charon: 04[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:13:53.469538+00:00 berkelium charon: 04[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{1} established with SPIs cbe073c7_i c4ce191e_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:13:53.470030+00:00 berkelium charon: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:53.470277+00:00 berkelium charon: 04[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1770 bytes)
2015-04-15T13:13:53.470535+00:00 berkelium ipsec[10698]: 13[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.470786+00:00 berkelium ipsec[10698]: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:53.471029+00:00 berkelium ipsec[10698]: 13[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (297 bytes)
2015-04-15T13:13:53.471272+00:00 berkelium ipsec[10698]: 14[NET] received packet: from 2620:0:861:101:10:64:0:170[500] to 2620:0:861:101:10:64:0:169[500] (264 bytes)
2015-04-15T13:13:53.471519+00:00 berkelium ipsec[10698]: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:13:53.471782+00:00 berkelium ipsec[10698]: 14[CFG] looking for an ike config for 2620:0:861:101:10:64:0:169...2620:0:861:101:10:64:0:170
2015-04-15T13:13:53.472027+00:00 berkelium ipsec[10698]: 14[CFG]   candidate: 2620::861:101:10:64:0:169...2620::861:101:10:64:0:170, prio 3096
2015-04-15T13:13:53.472270+00:00 berkelium ipsec[10698]: 14[CFG] found matching ike config: 2620::861:101:10:64:0:169...2620::861:101:10:64:0:170 with prio 3096
2015-04-15T13:13:53.472517+00:00 berkelium ipsec[10698]: 14[IKE] 2620:0:861:101:10:64:0:170 is initiating an IKE_SA
2015-04-15T13:13:53.472770+00:00 berkelium ipsec[10698]: 14[CFG] selecting proposal:
2015-04-15T13:13:53.473017+00:00 berkelium ipsec[10698]: 14[CFG]   proposal matches
2015-04-15T13:13:53.473261+00:00 berkelium ipsec[10698]: 14[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.473505+00:00 berkelium ipsec[10698]: 14[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.473755+00:00 berkelium ipsec[10698]: 14[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:53.474002+00:00 berkelium ipsec[10698]: 14[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.474247+00:00 berkelium ipsec[10698]: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:53.474492+00:00 berkelium ipsec[10698]: 14[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (297 bytes)
2015-04-15T13:13:53.474736+00:00 berkelium ipsec[10698]: 04[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1851 bytes)
2015-04-15T13:13:53.474981+00:00 berkelium ipsec[10698]: 04[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:53.475229+00:00 berkelium ipsec[10698]: 04[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.475475+00:00 berkelium ipsec[10698]: 04[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.475737+00:00 berkelium ipsec[10698]: 04[CFG] looking for peer configs matching 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.475992+00:00 berkelium ipsec[10698]: 04[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4", match: 20/20/3096 (me/other/ike)
2015-04-15T13:13:53.476241+00:00 berkelium ipsec[10698]: 04[CFG] selected peer config 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4'
2015-04-15T13:13:53.476499+00:00 berkelium ipsec[10698]: 04[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.476750+00:00 berkelium ipsec[10698]: 04[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:53.477000+00:00 berkelium ipsec[10698]: 04[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.477247+00:00 berkelium ipsec[10698]: 04[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.477492+00:00 berkelium ipsec[10698]: 04[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:53.477739+00:00 berkelium ipsec[10698]: 04[CFG] certificate status is not available
2015-04-15T13:13:53.477988+00:00 berkelium ipsec[10698]: 04[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:53.478240+00:00 berkelium ipsec[10698]: 04[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:53.478493+00:00 berkelium ipsec[10698]: 04[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:53.478740+00:00 berkelium ipsec[10698]: 04[IKE] peer supports MOBIKE
2015-04-15T13:13:53.478989+00:00 berkelium ipsec[10698]: 05[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1887 bytes)
2015-04-15T13:13:53.479239+00:00 berkelium ipsec[10698]: 05[ENC] parsed IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:53.479487+00:00 berkelium ipsec[10698]: 05[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.479765+00:00 berkelium ipsec[10698]: 05[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.480014+00:00 berkelium ipsec[10698]: 05[CFG] looking for peer configs matching 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.480264+00:00 berkelium ipsec[10698]: 05[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6", match: 20/20/3096 (me/other/ike)
2015-04-15T13:13:53.480516+00:00 berkelium ipsec[10698]: 05[CFG] selected peer config 'berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6'
2015-04-15T13:13:53.480767+00:00 berkelium ipsec[10698]: 05[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.481021+00:00 berkelium ipsec[10698]: 05[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:53.481268+00:00 berkelium ipsec[10698]: 05[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:53.481517+00:00 berkelium ipsec[10698]: 05[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:53.481763+00:00 berkelium ipsec[10698]: 05[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:53.482014+00:00 berkelium ipsec[10698]: 05[CFG] certificate status is not available
2015-04-15T13:13:53.482262+00:00 berkelium ipsec[10698]: 05[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:53.482514+00:00 berkelium ipsec[10698]: 05[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:53.482766+00:00 berkelium ipsec[10698]: 05[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:53.483020+00:00 berkelium ipsec[10698]: 05[IKE] peer supports MOBIKE
2015-04-15T13:13:53.483267+00:00 berkelium ipsec[10698]: 04[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:53.483523+00:00 berkelium charon: 05[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:53.483789+00:00 berkelium charon: 05[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4] established between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:53.484294+00:00 berkelium charon: 05[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:53.484550+00:00 berkelium charon: 05[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:53.484806+00:00 berkelium charon: 05[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:53.485061+00:00 berkelium charon: 05[CFG] looking for a child config for 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:53.485316+00:00 berkelium charon: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:13:53.485571+00:00 berkelium charon: 05[CFG]  2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:53.485825+00:00 berkelium charon: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:13:53.486083+00:00 berkelium charon: 05[CFG]  2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:53.486332+00:00 berkelium charon: 05[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 5+5
2015-04-15T13:13:53.486586+00:00 berkelium charon: 05[CFG] found matching child config "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 10
2015-04-15T13:13:53.486838+00:00 berkelium charon: 05[CFG] selecting proposal:
2015-04-15T13:13:53.487092+00:00 berkelium charon: 05[CFG]   proposal matches
2015-04-15T13:13:53.487343+00:00 berkelium charon: 05[CFG] received proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:53.487599+00:00 berkelium charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:53.487906+00:00 berkelium charon: 05[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:53.488158+00:00 berkelium charon: 05[CFG] selecting traffic selectors for us:
2015-04-15T13:13:53.488411+00:00 berkelium charon: 05[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:53.488663+00:00 berkelium charon: 05[CFG] selecting traffic selectors for other:
2015-04-15T13:13:53.488915+00:00 berkelium charon: 05[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:53.489170+00:00 berkelium charon: 05[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{2} established with SPIs c4c1f64f_i cf2218d1_o and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:53.489671+00:00 berkelium charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:53.489923+00:00 berkelium charon: 05[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1806 bytes)
2015-04-15T13:13:54.871975+00:00 berkelium charon: 03[IKE] retransmit 1 of request with message ID 0
2015-04-15T13:13:54.872245+00:00 berkelium charon: 03[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:13:54.878253+00:00 berkelium charon: 08[IKE] retransmit 1 of request with message ID 0
2015-04-15T13:13:54.878577+00:00 berkelium charon: 08[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (264 bytes)
2015-04-15T13:13:54.878807+00:00 berkelium charon: 07[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (297 bytes)
2015-04-15T13:13:54.879037+00:00 berkelium charon: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:54.879266+00:00 berkelium charon: 07[CFG] selecting proposal:
2015-04-15T13:13:54.879495+00:00 berkelium charon: 07[CFG]   proposal matches
2015-04-15T13:13:54.879748+00:00 berkelium charon: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.879988+00:00 berkelium charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.880219+00:00 berkelium charon: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.880462+00:00 berkelium ipsec[10698]: 04[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.880694+00:00 berkelium ipsec[10698]: 04[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:54.880919+00:00 berkelium ipsec[10698]: 04[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:54.881142+00:00 berkelium ipsec[10698]: 04[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.881366+00:00 berkelium ipsec[10698]: 04[CFG] looking for a child config for 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:13:54.881589+00:00 berkelium ipsec[10698]: 04[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.881811+00:00 berkelium ipsec[10698]: 04[CFG]  10.64.0.169/32
2015-04-15T13:13:54.882032+00:00 berkelium ipsec[10698]: 04[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.882258+00:00 berkelium ipsec[10698]: 04[CFG]  10.64.0.170/32
2015-04-15T13:13:54.882481+00:00 berkelium ipsec[10698]: 04[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4" with prio 5+5
2015-04-15T13:13:54.882705+00:00 berkelium ipsec[10698]: 04[CFG] found matching child config "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4" with prio 10
2015-04-15T13:13:54.882927+00:00 berkelium ipsec[10698]: 04[CFG] selecting proposal:
2015-04-15T13:13:54.883147+00:00 berkelium ipsec[10698]: 04[CFG]   proposal matches
2015-04-15T13:13:54.883369+00:00 berkelium ipsec[10698]: 04[CFG] received proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.883593+00:00 berkelium ipsec[10698]: 04[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:54.883851+00:00 berkelium ipsec[10698]: 04[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.884076+00:00 berkelium ipsec[10698]: 04[CFG] selecting traffic selectors for us:
2015-04-15T13:13:54.884300+00:00 berkelium ipsec[10698]: 04[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:13:54.884526+00:00 berkelium ipsec[10698]: 04[CFG] selecting traffic selectors for other:
2015-04-15T13:13:54.884750+00:00 berkelium ipsec[10698]: 04[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:13:54.884975+00:00 berkelium ipsec[10698]: 04[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{1} established with SPIs cbe073c7_i c4ce191e_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:13:54.885198+00:00 berkelium ipsec[10698]: 04[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:54.885422+00:00 berkelium ipsec[10698]: 04[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1770 bytes)
2015-04-15T13:13:54.885646+00:00 berkelium ipsec[10698]: 05[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:54.885870+00:00 berkelium ipsec[10698]: 05[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4] established between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.886094+00:00 berkelium ipsec[10698]: 05[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:54.886317+00:00 berkelium ipsec[10698]: 05[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:54.886540+00:00 berkelium ipsec[10698]: 05[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.886766+00:00 berkelium charon: 07[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.887032+00:00 berkelium charon: 07[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.887275+00:00 berkelium charon: 11[NET] received packet: from 2620:0:861:101:10:64:0:170[500] to 2620:0:861:101:10:64:0:169[500] (297 bytes)
2015-04-15T13:13:54.887505+00:00 berkelium charon: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:54.887760+00:00 berkelium charon: 11[CFG] selecting proposal:
2015-04-15T13:13:54.887994+00:00 berkelium charon: 11[CFG]   proposal matches
2015-04-15T13:13:54.888222+00:00 berkelium charon: 11[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.888452+00:00 berkelium charon: 11[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.888681+00:00 berkelium charon: 11[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.888920+00:00 berkelium ipsec[10698]: 05[CFG] looking for a child config for 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.889154+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.889379+00:00 berkelium ipsec[10698]: 05[CFG]  2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:54.889602+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.889826+00:00 berkelium ipsec[10698]: 05[CFG]  2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.890050+00:00 berkelium ipsec[10698]: 05[CFG]   candidate "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 5+5
2015-04-15T13:13:54.890274+00:00 berkelium ipsec[10698]: 05[CFG] found matching child config "berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6" with prio 10
2015-04-15T13:13:54.890501+00:00 berkelium ipsec[10698]: 05[CFG] selecting proposal:
2015-04-15T13:13:54.890723+00:00 berkelium ipsec[10698]: 05[CFG]   proposal matches
2015-04-15T13:13:54.890946+00:00 berkelium ipsec[10698]: 05[CFG] received proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.891169+00:00 berkelium ipsec[10698]: 05[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:54.891392+00:00 berkelium ipsec[10698]: 05[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.891615+00:00 berkelium ipsec[10698]: 05[CFG] selecting traffic selectors for us:
2015-04-15T13:13:54.891861+00:00 berkelium ipsec[10698]: 05[CFG]  config: 2620:0:861:101:10:64:0:169/128, received: 2620:0:861:101:10:64:0:169/128 => match: 2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:54.892086+00:00 berkelium ipsec[10698]: 05[CFG] selecting traffic selectors for other:
2015-04-15T13:13:54.892311+00:00 berkelium ipsec[10698]: 05[CFG]  config: 2620:0:861:101:10:64:0:170/128, received: 2620:0:861:101:10:64:0:170/128 => match: 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.892534+00:00 berkelium ipsec[10698]: 05[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6{2} established with SPIs c4c1f64f_i cf2218d1_o and TS 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.892761+00:00 berkelium ipsec[10698]: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:54.892986+00:00 berkelium ipsec[10698]: 05[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1806 bytes)
2015-04-15T13:13:54.893209+00:00 berkelium ipsec[10698]: 03[IKE] retransmit 1 of request with message ID 0
2015-04-15T13:13:54.893433+00:00 berkelium ipsec[10698]: 03[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:13:54.893656+00:00 berkelium ipsec[10698]: 08[IKE] retransmit 1 of request with message ID 0
2015-04-15T13:13:54.893879+00:00 berkelium ipsec[10698]: 08[NET] sending packet: from 2620:0:861:101:10:64:0:169[500] to 2620:0:861:101:10:64:0:170[500] (264 bytes)
2015-04-15T13:13:54.894103+00:00 berkelium ipsec[10698]: 07[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (297 bytes)
2015-04-15T13:13:54.894325+00:00 berkelium ipsec[10698]: 07[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:54.894548+00:00 berkelium ipsec[10698]: 07[CFG] selecting proposal:
2015-04-15T13:13:54.894771+00:00 berkelium ipsec[10698]: 07[CFG]   proposal matches
2015-04-15T13:13:54.894999+00:00 berkelium charon: 11[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.895231+00:00 berkelium charon: 11[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.895472+00:00 berkelium ipsec[10698]: 07[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.895709+00:00 berkelium ipsec[10698]: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.929325+00:00 berkelium charon: 07[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:54.929596+00:00 berkelium charon: 07[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.929832+00:00 berkelium charon: 07[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:13:54.930289+00:00 berkelium charon: 07[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.930517+00:00 berkelium charon: 07[CFG]  10.64.0.169/32
2015-04-15T13:13:54.930746+00:00 berkelium charon: 07[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.930973+00:00 berkelium charon: 07[CFG]  10.64.0.170/32
2015-04-15T13:13:54.931200+00:00 berkelium charon: 07[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.931429+00:00 berkelium charon: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:54.931691+00:00 berkelium charon: 07[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1846 bytes)
2015-04-15T13:13:54.937638+00:00 berkelium charon: 11[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:54.937907+00:00 berkelium charon: 11[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.938144+00:00 berkelium charon: 11[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6
2015-04-15T13:13:54.938598+00:00 berkelium charon: 11[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.938829+00:00 berkelium charon: 11[CFG]  2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:54.939063+00:00 berkelium charon: 11[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.939292+00:00 berkelium charon: 11[CFG]  2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.939519+00:00 berkelium charon: 11[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.939759+00:00 berkelium charon: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:54.939988+00:00 berkelium charon: 11[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1882 bytes)
2015-04-15T13:13:54.961855+00:00 berkelium charon: 10[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (65 bytes)
2015-04-15T13:13:54.962120+00:00 berkelium charon: 10[ENC] parsed INFORMATIONAL request 2 [ D ]
2015-04-15T13:13:54.962356+00:00 berkelium charon: 10[IKE] received DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3]
2015-04-15T13:13:54.962586+00:00 berkelium charon: 10[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.963039+00:00 berkelium charon: 10[IKE] IKE_SA deleted
2015-04-15T13:13:54.963490+00:00 berkelium charon: 10[ENC] generating INFORMATIONAL response 2 [ ]
2015-04-15T13:13:54.963734+00:00 berkelium charon: 10[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (57 bytes)
2015-04-15T13:13:54.969054+00:00 berkelium charon: 09[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:13:54.969324+00:00 berkelium charon: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:54.969557+00:00 berkelium charon: 09[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.969787+00:00 berkelium charon: 09[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.970016+00:00 berkelium charon: 09[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:54.970247+00:00 berkelium charon: 09[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.970478+00:00 berkelium charon: 09[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.970710+00:00 berkelium charon: 09[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:54.970938+00:00 berkelium charon: 09[CFG] certificate status is not available
2015-04-15T13:13:54.971167+00:00 berkelium charon: 09[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:54.971396+00:00 berkelium charon: 09[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:54.971624+00:00 berkelium charon: 09[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:54.971879+00:00 berkelium charon: 09[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.972332+00:00 berkelium charon: 09[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:54.972585+00:00 berkelium charon: 09[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:54.972814+00:00 berkelium charon: 09[CFG] selecting proposal:
2015-04-15T13:13:54.973042+00:00 berkelium charon: 09[CFG]   proposal matches
2015-04-15T13:13:54.973270+00:00 berkelium charon: 09[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.973502+00:00 berkelium charon: 09[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:54.973731+00:00 berkelium charon: 09[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.973958+00:00 berkelium charon: 09[CFG] selecting traffic selectors for us:
2015-04-15T13:13:54.974186+00:00 berkelium charon: 09[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:13:54.974414+00:00 berkelium charon: 09[CFG] selecting traffic selectors for other:
2015-04-15T13:13:54.974637+00:00 berkelium charon: 09[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:13:54.974869+00:00 berkelium charon: 09[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3} established with SPIs c875337d_i c01c350e_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:13:54.975328+00:00 berkelium charon: 12[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (65 bytes)
2015-04-15T13:13:54.975553+00:00 berkelium charon: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
2015-04-15T13:13:54.975791+00:00 berkelium charon: 12[IKE] received DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4]
2015-04-15T13:13:54.976012+00:00 berkelium charon: 12[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4] between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.976468+00:00 berkelium charon: 09[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:13:54.976698+00:00 berkelium charon: 12[IKE] IKE_SA deleted
2015-04-15T13:13:54.977147+00:00 berkelium charon: 09[IKE] peer supports MOBIKE
2015-04-15T13:13:54.977373+00:00 berkelium charon: 12[ENC] generating INFORMATIONAL response 2 [ ]
2015-04-15T13:13:54.977598+00:00 berkelium charon: 12[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (57 bytes)
2015-04-15T13:13:54.977837+00:00 berkelium ipsec[10698]: 07[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.978068+00:00 berkelium ipsec[10698]: 07[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.978296+00:00 berkelium ipsec[10698]: 07[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.978522+00:00 berkelium ipsec[10698]: 11[NET] received packet: from 2620:0:861:101:10:64:0:170[500] to 2620:0:861:101:10:64:0:169[500] (297 bytes)
2015-04-15T13:13:54.978746+00:00 berkelium ipsec[10698]: 11[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:13:54.978970+00:00 berkelium ipsec[10698]: 11[CFG] selecting proposal:
2015-04-15T13:13:54.979193+00:00 berkelium ipsec[10698]: 11[CFG]   proposal matches
2015-04-15T13:13:54.979415+00:00 berkelium ipsec[10698]: 11[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.979639+00:00 berkelium ipsec[10698]: 11[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.979873+00:00 berkelium ipsec[10698]: 11[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:13:54.980097+00:00 berkelium ipsec[10698]: 11[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.980325+00:00 berkelium ipsec[10698]: 11[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.980553+00:00 berkelium ipsec[10698]: 07[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:54.980777+00:00 berkelium ipsec[10698]: 07[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.981003+00:00 berkelium ipsec[10698]: 07[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:13:54.981226+00:00 berkelium ipsec[10698]: 07[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.981451+00:00 berkelium ipsec[10698]: 07[CFG]  10.64.0.169/32
2015-04-15T13:13:54.981673+00:00 berkelium ipsec[10698]: 07[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.981896+00:00 berkelium ipsec[10698]: 07[CFG]  10.64.0.170/32
2015-04-15T13:13:54.982149+00:00 berkelium ipsec[10698]: 07[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.982370+00:00 berkelium ipsec[10698]: 07[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:54.982600+00:00 berkelium ipsec[10698]: 07[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1846 bytes)
2015-04-15T13:13:54.982827+00:00 berkelium ipsec[10698]: 11[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:13:54.983052+00:00 berkelium ipsec[10698]: 11[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:13:54.983276+00:00 berkelium ipsec[10698]: 11[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6
2015-04-15T13:13:54.983499+00:00 berkelium ipsec[10698]: 11[CFG] proposing traffic selectors for us:
2015-04-15T13:13:54.983731+00:00 berkelium ipsec[10698]: 11[CFG]  2620:0:861:101:10:64:0:169/128
2015-04-15T13:13:54.983949+00:00 berkelium ipsec[10698]: 11[CFG] proposing traffic selectors for other:
2015-04-15T13:13:54.984177+00:00 berkelium ipsec[10698]: 11[CFG]  2620:0:861:101:10:64:0:170/128
2015-04-15T13:13:54.984397+00:00 berkelium ipsec[10698]: 11[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:13:54.984627+00:00 berkelium charon: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1668 bytes)
2015-04-15T13:13:54.984860+00:00 berkelium charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
2015-04-15T13:13:54.985098+00:00 berkelium charon: 13[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.985326+00:00 berkelium charon: 13[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.985555+00:00 berkelium charon: 13[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:54.985782+00:00 berkelium charon: 13[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.986012+00:00 berkelium charon: 13[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.986241+00:00 berkelium charon: 13[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:54.986473+00:00 berkelium charon: 13[CFG] certificate status is not available
2015-04-15T13:13:54.986699+00:00 berkelium charon: 13[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:54.986926+00:00 berkelium charon: 13[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:54.987153+00:00 berkelium charon: 13[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:54.987380+00:00 berkelium charon: 13[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] established between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.987844+00:00 berkelium charon: 13[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:54.988074+00:00 berkelium charon: 13[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:54.988302+00:00 berkelium charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
2015-04-15T13:13:54.988529+00:00 berkelium charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-04-15T13:13:54.988757+00:00 berkelium charon: 13[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:13:54.988983+00:00 berkelium charon: 13[IKE] peer supports MOBIKE
2015-04-15T13:13:54.989221+00:00 berkelium ipsec[10698]: 11[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:13:54.989451+00:00 berkelium ipsec[10698]: 11[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (1882 bytes)
2015-04-15T13:13:54.989680+00:00 berkelium ipsec[10698]: 10[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (65 bytes)
2015-04-15T13:13:54.989905+00:00 berkelium ipsec[10698]: 10[ENC] parsed INFORMATIONAL request 2 [ D ]
2015-04-15T13:13:54.990129+00:00 berkelium ipsec[10698]: 10[IKE] received DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3]
2015-04-15T13:13:54.990352+00:00 berkelium ipsec[10698]: 10[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[3] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.990575+00:00 berkelium ipsec[10698]: 10[IKE] IKE_SA deleted
2015-04-15T13:13:54.990798+00:00 berkelium ipsec[10698]: 10[ENC] generating INFORMATIONAL response 2 [ ]
2015-04-15T13:13:54.991023+00:00 berkelium ipsec[10698]: 10[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (57 bytes)
2015-04-15T13:13:54.991246+00:00 berkelium ipsec[10698]: 09[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:13:54.991469+00:00 berkelium ipsec[10698]: 09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:13:54.991702+00:00 berkelium ipsec[10698]: 09[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.991930+00:00 berkelium ipsec[10698]: 09[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.992154+00:00 berkelium ipsec[10698]: 09[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:13:54.992378+00:00 berkelium ipsec[10698]: 09[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:13:54.992602+00:00 berkelium ipsec[10698]: 09[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:13:54.992825+00:00 berkelium ipsec[10698]: 09[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:13:54.993048+00:00 berkelium ipsec[10698]: 09[CFG] certificate status is not available
2015-04-15T13:13:54.993272+00:00 berkelium ipsec[10698]: 09[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:13:54.993495+00:00 berkelium ipsec[10698]: 09[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:13:54.993718+00:00 berkelium ipsec[10698]: 09[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:13:54.993942+00:00 berkelium ipsec[10698]: 09[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:13:54.994169+00:00 berkelium ipsec[10698]: 09[IKE] scheduling reauthentication in 300s
2015-04-15T13:13:54.994393+00:00 berkelium ipsec[10698]: 09[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:13:54.994617+00:00 berkelium ipsec[10698]: 09[CFG] selecting proposal:
2015-04-15T13:13:54.994841+00:00 berkelium ipsec[10698]: 09[CFG]   proposal matches
2015-04-15T13:13:54.995064+00:00 berkelium ipsec[10698]: 09[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.995288+00:00 berkelium ipsec[10698]: 09[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:13:54.995521+00:00 berkelium ipsec[10698]: 09[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:13:54.995766+00:00 berkelium ipsec[10698]: 09[CFG] selecting traffic selectors for us:
2015-04-15T13:13:58.163688+00:00 berkelium charon: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:13:58.163954+00:00 berkelium charon: 05[CFG]  dynamic
2015-04-15T13:13:58.164229+00:00 berkelium charon: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:13:58.164476+00:00 berkelium charon: 05[CFG]  dynamic
2015-04-15T13:13:58.164709+00:00 berkelium charon: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:13:58.164933+00:00 berkelium charon: 05[CFG]  dynamic
2015-04-15T13:13:58.165160+00:00 berkelium charon: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:13:58.165427+00:00 berkelium charon: 05[CFG]  dynamic
2015-04-15T13:15:01.771727+00:00 berkelium CRON[10886]: (root) CMD (command -v debian-sa1 > /dev/null && debian-sa1 1 1)

Again, this error message appears in the error event:

2015-04-15T13:17:54.994614+00:00 berkelium charon: 13[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
2015-04-15T13:17:54.974384+00:00 berkelium charon: 11[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1]
2015-04-15T13:17:54.974911+00:00 berkelium charon: 11[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:54.975353+00:00 berkelium charon: 11[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1]
2015-04-15T13:17:54.975574+00:00 berkelium charon: 11[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:17:54.975815+00:00 berkelium charon: 11[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
2015-04-15T13:17:54.976038+00:00 berkelium charon: 10[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
2015-04-15T13:17:54.976259+00:00 berkelium charon: 10[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:17:54.976479+00:00 berkelium charon: 10[IKE] IKE_SA deleted
2015-04-15T13:17:54.976917+00:00 berkelium charon: 10[IKE] restarting CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:17:54.977137+00:00 berkelium charon: 10[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] to 10.64.0.170
2015-04-15T13:17:54.978176+00:00 berkelium charon: 10[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:17:54.978473+00:00 berkelium charon: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:17:54.978707+00:00 berkelium charon: 10[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:17:54.986608+00:00 berkelium charon: 09[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2]
2015-04-15T13:17:54.987135+00:00 berkelium charon: 09[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:54.987582+00:00 berkelium charon: 09[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2]
2015-04-15T13:17:54.987818+00:00 berkelium charon: 09[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:17:54.988039+00:00 berkelium charon: 09[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (65 bytes)
2015-04-15T13:17:54.988274+00:00 berkelium ipsec[10698]: 09[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:17:54.988504+00:00 berkelium ipsec[10698]: 09[CFG] selecting traffic selectors for other:
2015-04-15T13:17:54.988723+00:00 berkelium ipsec[10698]: 09[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:17:54.988941+00:00 berkelium ipsec[10698]: 09[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3} established with SPIs c875337d_i c01c350e_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:17:54.989162+00:00 berkelium ipsec[10698]: 12[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (65 bytes)
2015-04-15T13:17:54.989381+00:00 berkelium ipsec[10698]: 09[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:17:54.989598+00:00 berkelium ipsec[10698]: 12[ENC] parsed INFORMATIONAL request 2 [ D ]
2015-04-15T13:17:54.989814+00:00 berkelium ipsec[10698]: 12[IKE] received DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4]
2015-04-15T13:17:54.990033+00:00 berkelium ipsec[10698]: 12[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[4] between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:54.990249+00:00 berkelium ipsec[10698]: 12[IKE] IKE_SA deleted
2015-04-15T13:17:54.990466+00:00 berkelium ipsec[10698]: 09[IKE] peer supports MOBIKE
2015-04-15T13:17:54.990681+00:00 berkelium ipsec[10698]: 12[ENC] generating INFORMATIONAL response 2 [ ]
2015-04-15T13:17:54.990896+00:00 berkelium ipsec[10698]: 12[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (57 bytes)
2015-04-15T13:17:54.991113+00:00 berkelium ipsec[10698]: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1668 bytes)
2015-04-15T13:17:54.991329+00:00 berkelium ipsec[10698]: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
2015-04-15T13:17:54.991549+00:00 berkelium ipsec[10698]: 13[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:17:54.991779+00:00 berkelium ipsec[10698]: 13[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:17:54.991995+00:00 berkelium ipsec[10698]: 13[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:17:54.992211+00:00 berkelium ipsec[10698]: 13[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:17:54.992427+00:00 berkelium ipsec[10698]: 13[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:17:54.992643+00:00 berkelium ipsec[10698]: 13[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:17:54.992860+00:00 berkelium ipsec[10698]: 13[CFG] certificate status is not available
2015-04-15T13:17:54.993075+00:00 berkelium ipsec[10698]: 13[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:17:54.993292+00:00 berkelium ipsec[10698]: 13[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:17:54.993507+00:00 berkelium ipsec[10698]: 13[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:17:54.993732+00:00 berkelium charon: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (57 bytes)
2015-04-15T13:17:54.993958+00:00 berkelium charon: 13[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:17:54.994177+00:00 berkelium charon: 13[IKE] IKE_SA deleted
2015-04-15T13:17:54.994614+00:00 berkelium charon: 13[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
2015-04-15T13:17:54.994832+00:00 berkelium charon: 13[IKE] reauthenticating IKE_SA failed
2015-04-15T13:17:54.995061+00:00 berkelium charon: 14[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (297 bytes)
2015-04-15T13:17:54.995286+00:00 berkelium charon: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:17:54.995507+00:00 berkelium charon: 14[CFG] selecting proposal:
2015-04-15T13:17:54.995741+00:00 berkelium charon: 14[CFG]   proposal matches
2015-04-15T13:17:54.995965+00:00 berkelium charon: 14[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:17:54.996186+00:00 berkelium charon: 14[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:17:54.996406+00:00 berkelium charon: 14[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:17:54.996637+00:00 berkelium ipsec[10698]: 13[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] established between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:54.996859+00:00 berkelium ipsec[10698]: 13[IKE] scheduling reauthentication in 300s
2015-04-15T13:17:54.997076+00:00 berkelium ipsec[10698]: 13[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:17:54.997291+00:00 berkelium ipsec[10698]: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
2015-04-15T13:17:54.997508+00:00 berkelium ipsec[10698]: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-04-15T13:17:54.997724+00:00 berkelium ipsec[10698]: 13[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:17:54.997939+00:00 berkelium ipsec[10698]: 13[IKE] peer supports MOBIKE
2015-04-15T13:17:54.998157+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:17:54.998374+00:00 berkelium ipsec[10698]: 05[CFG]  dynamic
2015-04-15T13:17:54.998590+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:17:54.998806+00:00 berkelium ipsec[10698]: 05[CFG]  dynamic
2015-04-15T13:17:54.999023+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for us:
2015-04-15T13:17:54.999239+00:00 berkelium ipsec[10698]: 05[CFG]  dynamic
2015-04-15T13:17:54.999455+00:00 berkelium ipsec[10698]: 05[CFG] proposing traffic selectors for other:
2015-04-15T13:17:54.999695+00:00 berkelium ipsec[10698]: 05[CFG]  dynamic
2015-04-15T13:17:54.999928+00:00 berkelium ipsec[10698]: 11[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1]
2015-04-15T13:17:55.000148+00:00 berkelium ipsec[10698]: 11[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:55.000364+00:00 berkelium ipsec[10698]: 11[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[1]
2015-04-15T13:17:55.000584+00:00 berkelium ipsec[10698]: 11[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:17:55.000807+00:00 berkelium ipsec[10698]: 11[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
2015-04-15T13:17:55.001027+00:00 berkelium ipsec[10698]: 10[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
2015-04-15T13:17:55.001244+00:00 berkelium ipsec[10698]: 10[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:17:55.001460+00:00 berkelium ipsec[10698]: 10[IKE] IKE_SA deleted
2015-04-15T13:17:55.001675+00:00 berkelium ipsec[10698]: 10[IKE] restarting CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:17:55.001892+00:00 berkelium ipsec[10698]: 10[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] to 10.64.0.170
2015-04-15T13:17:55.002108+00:00 berkelium ipsec[10698]: 10[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:17:55.002323+00:00 berkelium ipsec[10698]: 10[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:17:55.002538+00:00 berkelium ipsec[10698]: 10[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:17:55.002753+00:00 berkelium ipsec[10698]: 09[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2]
2015-04-15T13:17:55.002969+00:00 berkelium ipsec[10698]: 09[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2] between 2620:0:861:101:10:64:0:169[CN=berkelium.eqiad.wmnet]...2620:0:861:101:10:64:0:170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:55.003188+00:00 berkelium charon: 14[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:17:55.003417+00:00 berkelium charon: 14[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:17:55.003663+00:00 berkelium ipsec[10698]: 09[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv6[2]
2015-04-15T13:17:55.003887+00:00 berkelium ipsec[10698]: 09[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:17:55.025452+00:00 berkelium charon: 14[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:17:55.025713+00:00 berkelium charon: 14[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:17:55.025943+00:00 berkelium charon: 14[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3}
2015-04-15T13:17:55.026387+00:00 berkelium charon: 14[CFG] proposing traffic selectors for us:
2015-04-15T13:17:55.026607+00:00 berkelium charon: 14[CFG]  10.64.0.169/32
2015-04-15T13:17:55.026827+00:00 berkelium charon: 14[CFG] proposing traffic selectors for other:
2015-04-15T13:17:55.027048+00:00 berkelium charon: 14[CFG]  10.64.0.170/32
2015-04-15T13:17:55.027267+00:00 berkelium charon: 14[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:17:55.027490+00:00 berkelium charon: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:17:55.027725+00:00 berkelium charon: 14[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1854 bytes)
2015-04-15T13:17:55.060876+00:00 berkelium charon: 06[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:17:55.061110+00:00 berkelium charon: 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:17:55.061333+00:00 berkelium charon: 06[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:17:55.061554+00:00 berkelium charon: 06[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:17:55.061778+00:00 berkelium charon: 06[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:17:55.062001+00:00 berkelium charon: 06[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:17:55.062223+00:00 berkelium charon: 06[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:17:55.062445+00:00 berkelium charon: 06[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:17:55.062666+00:00 berkelium charon: 06[CFG] certificate status is not available
2015-04-15T13:17:55.062888+00:00 berkelium charon: 06[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:17:55.063109+00:00 berkelium charon: 06[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:17:55.063335+00:00 berkelium charon: 06[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:17:55.063557+00:00 berkelium charon: 06[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:17:55.064021+00:00 berkelium charon: 06[IKE] scheduling reauthentication in 300s
2015-04-15T13:17:55.064247+00:00 berkelium charon: 06[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:17:55.064470+00:00 berkelium charon: 06[CFG] selecting proposal:
2015-04-15T13:17:55.064691+00:00 berkelium charon: 06[CFG]   proposal matches
2015-04-15T13:17:55.064910+00:00 berkelium charon: 06[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:17:55.065131+00:00 berkelium charon: 06[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:17:55.065351+00:00 berkelium charon: 06[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:17:55.065572+00:00 berkelium charon: 06[CFG] selecting traffic selectors for us:
2015-04-15T13:17:55.065795+00:00 berkelium charon: 06[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:17:55.066016+00:00 berkelium charon: 06[CFG] selecting traffic selectors for other:
2015-04-15T13:17:55.066237+00:00 berkelium charon: 06[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:17:55.066456+00:00 berkelium charon: 06[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3} established with SPIs cede5e88_i c32e17c1_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:17:55.066896+00:00 berkelium charon: 06[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:17:55.067120+00:00 berkelium charon: 06[IKE] peer supports MOBIKE

Subsequent event:

2015-04-15T13:21:55.064844+00:00 berkelium charon: 09[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5]
2015-04-15T13:21:55.065399+00:00 berkelium charon: 09[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:21:55.065843+00:00 berkelium charon: 09[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5]
2015-04-15T13:21:55.066066+00:00 berkelium charon: 09[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:21:55.066287+00:00 berkelium charon: 09[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
2015-04-15T13:21:55.066513+00:00 berkelium charon: 12[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
2015-04-15T13:21:55.066736+00:00 berkelium charon: 12[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:21:55.066958+00:00 berkelium charon: 12[IKE] IKE_SA deleted
2015-04-15T13:21:55.067398+00:00 berkelium charon: 12[IKE] restarting CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:21:55.067619+00:00 berkelium charon: 12[IKE] initiating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[6] to 10.64.0.170
2015-04-15T13:21:55.068100+00:00 berkelium ipsec[10698]: 09[NET] sending packet: from 2620:0:861:101:10:64:0:169[4500] to 2620:0:861:101:10:64:0:170[4500] (65 bytes)
2015-04-15T13:21:55.068331+00:00 berkelium ipsec[10698]: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (57 bytes)
2015-04-15T13:21:55.068548+00:00 berkelium ipsec[10698]: 13[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:21:55.068821+00:00 berkelium ipsec[10698]: 13[IKE] IKE_SA deleted
2015-04-15T13:21:55.069043+00:00 berkelium ipsec[10698]: 13[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
2015-04-15T13:21:55.069261+00:00 berkelium ipsec[10698]: 13[IKE] reauthenticating IKE_SA failed
2015-04-15T13:21:55.069478+00:00 berkelium ipsec[10698]: 14[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (297 bytes)
2015-04-15T13:21:55.069695+00:00 berkelium ipsec[10698]: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:21:55.069912+00:00 berkelium ipsec[10698]: 14[CFG] selecting proposal:
2015-04-15T13:21:55.070129+00:00 berkelium ipsec[10698]: 14[CFG]   proposal matches
2015-04-15T13:21:55.070350+00:00 berkelium ipsec[10698]: 14[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.070568+00:00 berkelium ipsec[10698]: 14[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.070790+00:00 berkelium ipsec[10698]: 14[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.071011+00:00 berkelium ipsec[10698]: 14[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.071230+00:00 berkelium ipsec[10698]: 14[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.071448+00:00 berkelium ipsec[10698]: 14[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:21:55.071674+00:00 berkelium ipsec[10698]: 14[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:21:55.071892+00:00 berkelium ipsec[10698]: 14[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3}
2015-04-15T13:21:55.072111+00:00 berkelium ipsec[10698]: 14[CFG] proposing traffic selectors for us:
2015-04-15T13:21:55.072328+00:00 berkelium ipsec[10698]: 14[CFG]  10.64.0.169/32
2015-04-15T13:21:55.072547+00:00 berkelium ipsec[10698]: 14[CFG] proposing traffic selectors for other:
2015-04-15T13:21:55.072765+00:00 berkelium ipsec[10698]: 14[CFG]  10.64.0.170/32
2015-04-15T13:21:55.072981+00:00 berkelium ipsec[10698]: 14[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:21:55.073199+00:00 berkelium ipsec[10698]: 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:21:55.073417+00:00 berkelium ipsec[10698]: 14[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1854 bytes)
2015-04-15T13:21:55.073635+00:00 berkelium ipsec[10698]: 06[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:21:55.073851+00:00 berkelium ipsec[10698]: 06[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:21:55.074068+00:00 berkelium ipsec[10698]: 06[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.074284+00:00 berkelium ipsec[10698]: 06[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.074504+00:00 berkelium charon: 12[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.074734+00:00 berkelium charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
2015-04-15T13:21:55.074957+00:00 berkelium charon: 12[NET] sending packet: from 10.64.0.169[500] to 10.64.0.170[500] (264 bytes)
2015-04-15T13:21:55.075178+00:00 berkelium charon: 13[NET] received packet: from 10.64.0.170[500] to 10.64.0.169[500] (297 bytes)
2015-04-15T13:21:55.075401+00:00 berkelium charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
2015-04-15T13:21:55.075621+00:00 berkelium charon: 13[CFG] selecting proposal:
2015-04-15T13:21:55.075854+00:00 berkelium charon: 13[CFG]   proposal matches
2015-04-15T13:21:55.076074+00:00 berkelium charon: 13[CFG] received proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.076298+00:00 berkelium charon: 13[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.076519+00:00 berkelium charon: 13[CFG] selected proposal: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_384/ECP_384_BP
2015-04-15T13:21:55.076751+00:00 berkelium ipsec[10698]: 06[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:21:55.076973+00:00 berkelium ipsec[10698]: 06[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.077192+00:00 berkelium ipsec[10698]: 06[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.077410+00:00 berkelium ipsec[10698]: 06[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:21:55.077627+00:00 berkelium ipsec[10698]: 06[CFG] certificate status is not available
2015-04-15T13:21:55.077844+00:00 berkelium ipsec[10698]: 06[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:21:55.078061+00:00 berkelium ipsec[10698]: 06[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:21:55.078282+00:00 berkelium ipsec[10698]: 06[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:21:55.078500+00:00 berkelium ipsec[10698]: 06[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:21:55.078718+00:00 berkelium ipsec[10698]: 06[IKE] scheduling reauthentication in 300s
2015-04-15T13:21:55.078937+00:00 berkelium ipsec[10698]: 06[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:21:55.079153+00:00 berkelium ipsec[10698]: 06[CFG] selecting proposal:
2015-04-15T13:21:55.079370+00:00 berkelium ipsec[10698]: 06[CFG]   proposal matches
2015-04-15T13:21:55.079588+00:00 berkelium ipsec[10698]: 06[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:21:55.079829+00:00 berkelium ipsec[10698]: 06[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:21:55.080046+00:00 berkelium ipsec[10698]: 06[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:21:55.080266+00:00 berkelium ipsec[10698]: 06[CFG] selecting traffic selectors for us:
2015-04-15T13:21:55.080487+00:00 berkelium ipsec[10698]: 06[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:21:55.080705+00:00 berkelium ipsec[10698]: 06[CFG] selecting traffic selectors for other:
2015-04-15T13:21:55.080922+00:00 berkelium ipsec[10698]: 06[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:21:55.081139+00:00 berkelium ipsec[10698]: 06[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3} established with SPIs cede5e88_i c32e17c1_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:21:55.081357+00:00 berkelium ipsec[10698]: 06[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:21:55.081575+00:00 berkelium ipsec[10698]: 06[IKE] peer supports MOBIKE
2015-04-15T13:21:55.081791+00:00 berkelium ipsec[10698]: 09[IKE] reauthenticating IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5]
2015-04-15T13:21:55.082007+00:00 berkelium ipsec[10698]: 09[IKE] deleting IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5] between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:21:55.082226+00:00 berkelium ipsec[10698]: 09[IKE] sending DELETE for IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[5]
2015-04-15T13:21:55.082447+00:00 berkelium ipsec[10698]: 09[ENC] generating INFORMATIONAL request 2 [ D ]
2015-04-15T13:21:55.082664+00:00 berkelium ipsec[10698]: 09[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (65 bytes)
2015-04-15T13:21:55.082882+00:00 berkelium ipsec[10698]: 12[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (57 bytes)
2015-04-15T13:21:55.083102+00:00 berkelium charon: 13[IKE] received cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.083328+00:00 berkelium charon: 13[IKE] sending cert request for "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.083561+00:00 berkelium ipsec[10698]: 12[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:21:55.083794+00:00 berkelium ipsec[10698]: 12[IKE] IKE_SA deleted
2015-04-15T13:21:55.084013+00:00 berkelium ipsec[10698]: 12[IKE] restarting CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4
2015-04-15T13:21:55.105978+00:00 berkelium charon: 13[IKE] authentication of 'CN=berkelium.eqiad.wmnet' (myself) with RSA signature successful
2015-04-15T13:21:55.106239+00:00 berkelium charon: 13[IKE] sending end entity cert "CN=berkelium.eqiad.wmnet"
2015-04-15T13:21:55.106491+00:00 berkelium charon: 13[IKE] establishing CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3}
2015-04-15T13:21:55.106936+00:00 berkelium charon: 13[CFG] proposing traffic selectors for us:
2015-04-15T13:21:55.107158+00:00 berkelium charon: 13[CFG]  10.64.0.169/32
2015-04-15T13:21:55.107379+00:00 berkelium charon: 13[CFG] proposing traffic selectors for other:
2015-04-15T13:21:55.107604+00:00 berkelium charon: 13[CFG]  10.64.0.170/32
2015-04-15T13:21:55.107837+00:00 berkelium charon: 13[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/NO_EXT_SEQ
2015-04-15T13:21:55.108059+00:00 berkelium charon: 13[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
2015-04-15T13:21:55.108282+00:00 berkelium charon: 13[NET] sending packet: from 10.64.0.169[4500] to 10.64.0.170[4500] (1854 bytes)
2015-04-15T13:21:55.140663+00:00 berkelium charon: 14[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:21:55.140933+00:00 berkelium charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
2015-04-15T13:21:55.141163+00:00 berkelium charon: 14[IKE] received end entity cert "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.141387+00:00 berkelium charon: 14[CFG]   using certificate "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.141610+00:00 berkelium charon: 14[CFG]   certificate "CN=curium.eqiad.wmnet" key: 4096 bit RSA
2015-04-15T13:21:55.141833+00:00 berkelium charon: 14[CFG]   using trusted ca certificate "CN=sockpuppet.pmtpa.wmnet"
2015-04-15T13:21:55.142056+00:00 berkelium charon: 14[CFG] checking certificate status of "CN=curium.eqiad.wmnet"
2015-04-15T13:21:55.142278+00:00 berkelium charon: 14[CFG] ocsp check skipped, no ocsp found
2015-04-15T13:21:55.142500+00:00 berkelium charon: 14[CFG] certificate status is not available
2015-04-15T13:21:55.142725+00:00 berkelium charon: 14[CFG]   certificate "CN=sockpuppet.pmtpa.wmnet" key: 1024 bit RSA
2015-04-15T13:21:55.142947+00:00 berkelium charon: 14[CFG]   reached self-signed root ca with a path length of 0
2015-04-15T13:21:55.143170+00:00 berkelium charon: 14[IKE] authentication of 'CN=curium.eqiad.wmnet' with RSA signature successful
2015-04-15T13:21:55.143391+00:00 berkelium charon: 14[IKE] IKE_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4[6] established between 10.64.0.169[CN=berkelium.eqiad.wmnet]...10.64.0.170[CN=curium.eqiad.wmnet]
2015-04-15T13:21:55.143849+00:00 berkelium charon: 14[IKE] scheduling reauthentication in 300s
2015-04-15T13:21:55.144076+00:00 berkelium charon: 14[IKE] maximum IKE_SA lifetime 360s
2015-04-15T13:21:55.144298+00:00 berkelium charon: 14[CFG] selecting proposal:
2015-04-15T13:21:55.144520+00:00 berkelium charon: 14[CFG]   proposal matches
2015-04-15T13:21:55.144739+00:00 berkelium charon: 14[CFG] received proposals: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:21:55.144960+00:00 berkelium charon: 14[CFG] configured proposals: ESP:AES_GCM_16_128/NULL/ECP_384_BP/NO_EXT_SEQ
2015-04-15T13:21:55.145181+00:00 berkelium charon: 14[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
2015-04-15T13:21:55.145402+00:00 berkelium charon: 14[CFG] selecting traffic selectors for us:
2015-04-15T13:21:55.145621+00:00 berkelium charon: 14[CFG]  config: 10.64.0.169/32, received: 10.64.0.169/32 => match: 10.64.0.169/32
2015-04-15T13:21:55.145844+00:00 berkelium charon: 14[CFG] selecting traffic selectors for other:
2015-04-15T13:21:55.146066+00:00 berkelium charon: 14[CFG]  config: 10.64.0.170/32, received: 10.64.0.170/32 => match: 10.64.0.170/32
2015-04-15T13:21:55.146286+00:00 berkelium charon: 14[IKE] CHILD_SA berkelium.eqiad.wmnet-curium.eqiad.wmnet_by_ipv4{3} established with SPIs c27003f0_i c836c016_o and TS 10.64.0.169/32 === 10.64.0.170/32
2015-04-15T13:21:55.146727+00:00 berkelium charon: 14[IKE] received AUTH_LIFETIME of 300s, scheduling reauthentication in 240s
2015-04-15T13:21:55.146947+00:00 berkelium charon: 14[IKE] peer supports MOBIKE

Ok, good news. Further discussion with ecdsa has revealed that this problem is fixed in 5.3.0, which is released but not yet packaged for Debian.

Bug: https://wiki.strongswan.org/issues/431

Matching log lines, from curium:

2015-04-15T13:17:54.995184+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128 out (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
2015-04-15T13:17:54.996139+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128 in (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
2015-04-15T13:17:54.996452+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128 out (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
2015-04-15T13:17:54.996764+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128 in (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
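A log triage sketch for the failure documented in this task, added here as an example; it is not part of the original task or of strongSwan. It assumes the syslog layout shown above, keeps only the `charon`-tagged copy of each message when a host logs both copies (the `ipsec[pid]` copy on this page arrives later), and attributes a failure to the peer of the last packet the same worker thread received, which is a heuristic. The names `detect`, `pick_stream`, `summarize` and `Finding` are hypothetical.

```python
import ipaddress
import re
from collections import Counter, namedtuple

# Constructed sample, adapted from log lines on this page (the first four
# lines are re-tagged as `charon` and given made-up timestamps).
SAMPLE = """\
2015-04-15T13:13:54.900000+00:00 berkelium charon: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (1668 bytes)
2015-04-15T13:13:54.900200+00:00 berkelium charon: 13[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(TS_UNACCEPT) ]
2015-04-15T13:13:54.900400+00:00 berkelium charon: 13[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
2015-04-15T13:13:54.900600+00:00 berkelium charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
2015-04-15T13:17:54.993732+00:00 berkelium charon: 13[NET] received packet: from 2620:0:861:101:10:64:0:170[4500] to 2620:0:861:101:10:64:0:169[4500] (57 bytes)
2015-04-15T13:17:54.993958+00:00 berkelium charon: 13[ENC] parsed INFORMATIONAL response 2 [ ]
2015-04-15T13:17:54.994177+00:00 berkelium charon: 13[IKE] IKE_SA deleted
2015-04-15T13:17:54.994614+00:00 berkelium charon: 13[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
2015-04-15T13:17:54.994832+00:00 berkelium charon: 13[IKE] reauthenticating IKE_SA failed
2015-04-15T13:17:55.060876+00:00 berkelium charon: 06[NET] received packet: from 10.64.0.170[4500] to 10.64.0.169[4500] (1764 bytes)
2015-04-15T13:17:55.067120+00:00 berkelium charon: 06[IKE] peer supports MOBIKE
2015-04-15T13:21:55.069043+00:00 berkelium ipsec[10698]: 13[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
2015-04-15T13:17:54.995184+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:170/128 === 2620:0:861:101:10:64:0:169/128 out (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
2015-04-15T13:17:54.996139+00:00 curium ipsec[19207]: 01[CFG] unable to install policy 2620:0:861:101:10:64:0:169/128 === 2620:0:861:101:10:64:0:170/128 in (mark 0/0x00000000) for reqid 4, the same policy for reqid 2 exists
"""

Finding = namedtuple("Finding", "ts host kind family detail")

# timestamp, host, program (optional [pid]), worker thread, log group, message
LINE_RE = re.compile(r"^(\S+) (\S+) ([\w.-]+)(?:\[\d+\])?: (\d+)\[([A-Z]+)\] (.*)$")
RECV_RE = re.compile(r"received packet: from (\S+)\[\d+\] to (\S+)\[\d+\]")
POLICY_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) (in|out|fwd) .* for reqid (\d+), "
    r"the same policy for reqid (\d+) exists")
REAUTH_FAIL = "unable to reauthenticate IKE_SA, no CHILD_SA to recreate"
TS_UNACCEPT = "received TS_UNACCEPTABLE notify, no CHILD_SA built"


def parse(text):
    """Yield (ts, host, prog, thread, msg) for each line in charon's log format."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:  # cron and other syslog lines do not match and are skipped
            ts, host, prog, thread, _group, msg = m.groups()
            yield ts, host, prog, thread, msg


def pick_stream(records):
    """Per host, keep only `charon` lines if any exist, so the delayed
    `ipsec[pid]` copies are not counted as separate events."""
    records = list(records)
    with_charon = {r[1] for r in records if r[2] == "charon"}
    return [r for r in records if r[2] == "charon" or r[1] not in with_charon]


def detect(text):
    """Return a Finding for each failure marker seen on this page."""
    last_peer = {}  # (host, thread) -> source address of last received packet
    findings = []
    for ts, host, _prog, thread, msg in pick_stream(parse(text)):
        recv = RECV_RE.search(msg)
        if recv:
            last_peer[(host, thread)] = recv.group(1)
            continue
        policy = POLICY_RE.search(msg)
        if policy:
            src, dst, direction, new, old = policy.groups()
            family = ipaddress.ip_network(src).version
            detail = f"{src} === {dst} {direction}: reqid {new} blocked by reqid {old}"
            findings.append(Finding(ts, host, "policy_conflict", family, detail))
        elif msg in (REAUTH_FAIL, TS_UNACCEPT):
            # Heuristic: the failure line names no connection, so use the peer
            # of the packet this worker thread was handling.
            peer = last_peer.get((host, thread))
            family = ipaddress.ip_address(peer).version if peer else None
            kind = "reauth_failed" if msg == REAUTH_FAIL else "ts_unacceptable"
            findings.append(Finding(ts, host, kind, family, f"peer {peer}"))
    return findings


def summarize(findings):
    """Count findings per (host, kind, address family)."""
    return Counter((f.host, f.kind, f.family) for f in findings)


if __name__ == "__main__":
    for f in detect(SAMPLE):
        print(f.ts, f.host, f.kind, f"IPv{f.family}", f.detail)
```
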

Strongswan 5.3.0 has been uploaded to Debian/experimental, and is now running on Berkelium & Curium. So far the problem has not recurred.

No further recurrence? I see we have margin in the configuration now too, which is good. Thoughts on final configuration (as opposed to stress-test) for lifetime + margin to give healthy overlap?

To summarize remaining work:

  • Strongswan 5.3.0 is needed but is currently only in Experimental. It won't be coming to Jessie so it needs to be imported to WMF's apt repo.
  • Determine appropriate values for prod: lifetime, margin, auto.

I see 5.3.0 on curium, does that mean that part is done now?

Strongswan 5.3.0-1+wmf2 is currently in our apt repo. I'll make a separate task for config values.

BBlack reopened this task as Open. Edited Jul 30 2015, 11:31 AM

Still seeing a similar symptom now that we have more hosts active. Two ipv6 associations (4009 + 1065, 4018 + 1067) died last night and stayed down for hours, would probably have stayed down indefinitely without a strongswan service restart on either side. My current theory on this is that the default keyingtries=3 connection parameter causes it to simply give up and never retry again (well, until restart) due to some transient issue, and we should set it to the special value %forever. Patch incoming for that and a few other related params that may help...

Change 227977 had a related patch set uploaded (by BBlack):
strongswan: Make SAs and rekey actions more robust, hopefully

https://gerrit.wikimedia.org/r/227977

Change 227977 merged by BBlack:
strongswan: Make SAs and rekey actions more robust, hopefully

https://gerrit.wikimedia.org/r/227977

This is reasonably well resolved at this point, although we still have intermittent v6 dropouts that rarely make it past 1/3 in the icinga checks. I suspect that's a separate issue and will give it a separate ticket.