--- west.console.txt 2019-08-24 18:12:56.228675511 +0000
+++ OUTPUT/west.console.txt 2019-08-26 13:14:19.896721092 +0000
@@ -21,6 +21,7 @@
 pk12util: PKCS12 IMPORT SUCCESSFUL
 pk12util: PKCS12 IMPORT SUCCESSFUL
 pk12util: PKCS12 IMPORT SUCCESSFUL
+pk12util: PKCS12 IMPORT SUCCESSFUL
 west #
 ipsec start
 Redirecting to: [initsystem]
@@ -45,17 +46,13 @@
 1v2 "west" #1: initiate
 1v2 "west" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west" #2: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west" #2: Authenticated using RSA
-002 "west" #2: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west" #2: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west
 002 "west": terminating SAs using this connection
-002 "west" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west" #2: ESP traffic information: in=0B out=0B
-002 "west" #1: deleting state (STATE_PARENT_I3) and sending notification
+002 "west" #2: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west" #1: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 # following tests should work
 west #
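Review bot: Every `ipsec auto --up` from the hunk at -45 onward now ends in `IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED`, including the connections listed under `# following tests should work`, so the new output no longer separates acceptable KU/EKU/BC/SAN variants from unacceptable ones. An identical rejection for all sixteen connections suggests one shared cause on the responder rather than per-extension checks, but that is inferred: the initiator log shown here carries no reason, and east's log is not on the page. The first hunk also shows a fourth `pk12util: PKCS12 IMPORT SUCCESSFUL`, so the set of imported certificates differs between the two runs. This output should not become the expected baseline until the responder's log accounts for each rejection.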
@@ -64,17 +61,13 @@
 1v2 "west-bcCritical" #3: initiate
 1v2 "west-bcCritical" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-bcCritical" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-bcCritical" #4: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-bcCritical" #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-bcCritical" #4: Authenticated using RSA
-002 "west-bcCritical" #4: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-bcCritical" #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-bcCritical" #4: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-bcCritical" #4: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-bcCritical
 002 "west-bcCritical": terminating SAs using this connection
-002 "west-bcCritical" #4: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-bcCritical" #4: ESP traffic information: in=0B out=0B
-002 "west-bcCritical" #3: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-bcCritical" #4: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-bcCritical" #3: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -83,17 +76,13 @@
 1v2 "west-ekuOmit" #5: initiate
 1v2 "west-ekuOmit" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuOmit" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuOmit" #6: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuOmit" #6: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuOmit" #6: Authenticated using RSA
-002 "west-ekuOmit" #6: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuOmit" #6: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuOmit" #6: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuOmit" #6: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ekuOmit
 002 "west-ekuOmit": terminating SAs using this connection
-002 "west-ekuOmit" #6: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuOmit" #6: ESP traffic information: in=0B out=0B
-002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuOmit" #6: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -102,17 +91,13 @@
 1v2 "west-bcOmit" #7: initiate
 1v2 "west-bcOmit" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-bcOmit" #8: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-bcOmit" #8: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-bcOmit" #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-bcOmit" #8: Authenticated using RSA
-002 "west-bcOmit" #8: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-bcOmit" #8: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-bcOmit" #8: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-bcOmit" #8: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-bcOmit
 002 "west-bcOmit": terminating SAs using this connection
-002 "west-bcOmit" #8: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-bcOmit" #8: ESP traffic information: in=0B out=0B
-002 "west-bcOmit" #7: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-bcOmit" #8: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-bcOmit" #7: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -121,17 +106,13 @@
 1v2 "west-ekuCritical-eku-ipsecIKE" #9: initiate
 1v2 "west-ekuCritical-eku-ipsecIKE" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical-eku-ipsecIKE" #10: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical-eku-ipsecIKE" #10: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical-eku-ipsecIKE" #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical-eku-ipsecIKE" #10: Authenticated using RSA
-002 "west-ekuCritical-eku-ipsecIKE" #10: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical-eku-ipsecIKE" #10: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical-eku-ipsecIKE" #10: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical-eku-ipsecIKE" #10: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ekuCritical-eku-ipsecIKE
 002 "west-ekuCritical-eku-ipsecIKE": terminating SAs using this connection
-002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical-eku-ipsecIKE" #10: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -140,17 +121,13 @@
 1v2 "west-eku-serverAuth" #11: initiate
 1v2 "west-eku-serverAuth" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-serverAuth" #12: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-serverAuth" #12: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-serverAuth" #12: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-serverAuth" #12: Authenticated using RSA
-002 "west-eku-serverAuth" #12: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-serverAuth" #12: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-serverAuth" #12: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-serverAuth" #12: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-eku-serverAuth
 002 "west-eku-serverAuth": terminating SAs using this connection
-002 "west-eku-serverAuth" #12: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-serverAuth" #12: ESP traffic information: in=0B out=0B
-002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-serverAuth" #12: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -159,17 +136,13 @@
 1v2 "west-ku-nonRepudiation" #13: initiate
 1v2 "west-ku-nonRepudiation" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ku-nonRepudiation" #14: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ku-nonRepudiation" #14: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ku-nonRepudiation" #14: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ku-nonRepudiation" #14: Authenticated using RSA
-002 "west-ku-nonRepudiation" #14: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ku-nonRepudiation" #14: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ku-nonRepudiation" #14: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ku-nonRepudiation" #14: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ku-nonRepudiation
 002 "west-ku-nonRepudiation": terminating SAs using this connection
-002 "west-ku-nonRepudiation" #14: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ku-nonRepudiation" #14: ESP traffic information: in=0B out=0B
-002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ku-nonRepudiation" #14: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -178,17 +151,13 @@
 1v2 "west-sanCritical" #15: initiate
 1v2 "west-sanCritical" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-sanCritical" #16: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-sanCritical" #16: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-sanCritical" #16: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-sanCritical" #16: Authenticated using RSA
-002 "west-sanCritical" #16: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-sanCritical" #16: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-sanCritical" #16: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-sanCritical" #16: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-sanCritical
 002 "west-sanCritical": terminating SAs using this connection
-002 "west-sanCritical" #16: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-sanCritical" #16: ESP traffic information: in=0B out=0B
-002 "west-sanCritical" #15: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-sanCritical" #16: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-sanCritical" #15: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -199,17 +168,13 @@
 1v2 "west-ekuCritical" #17: initiate
 1v2 "west-ekuCritical" #17: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical" #18: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical" #18: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical" #18: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical" #18: Authenticated using RSA
-002 "west-ekuCritical" #18: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical" #18: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical" #18: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical" #18: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ekuCritical
 002 "west-ekuCritical": terminating SAs using this connection
-002 "west-ekuCritical" #18: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical" #18: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical" #18: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -218,17 +183,13 @@
 1v2 "west-kuCritical" #19: initiate
 1v2 "west-kuCritical" #19: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-kuCritical" #20: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-kuCritical" #20: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-kuCritical" #20: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-kuCritical" #20: Authenticated using RSA
-002 "west-kuCritical" #20: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-kuCritical" #20: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-kuCritical" #20: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-kuCritical" #20: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-kuCritical
 002 "west-kuCritical": terminating SAs using this connection
-002 "west-kuCritical" #20: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-kuCritical" #20: ESP traffic information: in=0B out=0B
-002 "west-kuCritical" #19: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-kuCritical" #20: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-kuCritical" #19: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -237,17 +198,13 @@
 1v2 "west-kuOmit" #21: initiate
 1v2 "west-kuOmit" #21: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-kuOmit" #22: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-kuOmit" #22: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-kuOmit" #22: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-kuOmit" #22: Authenticated using RSA
-002 "west-kuOmit" #22: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-kuOmit" #22: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-kuOmit" #22: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-kuOmit" #22: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-kuOmit
 002 "west-kuOmit": terminating SAs using this connection
-002 "west-kuOmit" #22: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-kuOmit" #22: ESP traffic information: in=0B out=0B
-002 "west-kuOmit" #21: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-kuOmit" #22: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-kuOmit" #21: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -256,17 +213,13 @@
 1v2 "west-eku-clientAuth" #23: initiate
 1v2 "west-eku-clientAuth" #23: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-clientAuth" #24: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-clientAuth" #24: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-clientAuth" #24: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-clientAuth" #24: Authenticated using RSA
-002 "west-eku-clientAuth" #24: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-clientAuth" #24: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-clientAuth" #24: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-clientAuth" #24: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-eku-clientAuth
 002 "west-eku-clientAuth": terminating SAs using this connection
-002 "west-eku-clientAuth" #24: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-clientAuth" #24: ESP traffic information: in=0B out=0B
-002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-clientAuth" #24: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -275,17 +228,13 @@
 1v2 "west-eku-ipsecIKE" #25: initiate
 1v2 "west-eku-ipsecIKE" #25: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-ipsecIKE" #26: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-ipsecIKE" #26: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-ipsecIKE" #26: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-ipsecIKE" #26: Authenticated using RSA
-002 "west-eku-ipsecIKE" #26: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-ipsecIKE" #26: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-ipsecIKE" #26: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-ipsecIKE" #26: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-eku-ipsecIKE
 002 "west-eku-ipsecIKE": terminating SAs using this connection
-002 "west-eku-ipsecIKE" #26: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-ipsecIKE" #26: ESP traffic information: in=0B out=0B
-002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-ipsecIKE" #26: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -294,17 +243,13 @@
 1v2 "west-ku-keyAgreement-digitalSignature" #27: initiate
 1v2 "west-ku-keyAgreement-digitalSignature" #27: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ku-keyAgreement-digitalSignature" #28: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ku-keyAgreement-digitalSignature" #28: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ku-keyAgreement-digitalSignature" #28: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ku-keyAgreement-digitalSignature" #28: Authenticated using RSA
-002 "west-ku-keyAgreement-digitalSignature" #28: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ku-keyAgreement-digitalSignature" #28: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ku-keyAgreement-digitalSignature" #28: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ku-keyAgreement-digitalSignature" #28: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ku-keyAgreement-digitalSignature
 002 "west-ku-keyAgreement-digitalSignature": terminating SAs using this connection
-002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ku-keyAgreement-digitalSignature" #28: ESP traffic information: in=0B out=0B
-002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -315,38 +260,30 @@
 1v2 "west-ekuCritical-eku-emailProtection" #29: initiate
 1v2 "west-ekuCritical-eku-emailProtection" #29: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical-eku-emailProtection" #30: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical-eku-emailProtection" #30: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical-eku-emailProtection" #30: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical-eku-emailProtection" #30: Authenticated using RSA
-002 "west-ekuCritical-eku-emailProtection" #30: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical-eku-emailProtection" #30: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical-eku-emailProtection" #30: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical-eku-emailProtection" #30: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ekuCritical-eku-emailProtection
 002 "west-ekuCritical-eku-emailProtection": terminating SAs using this connection
-002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical-eku-emailProtection" #30: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
- # following tests should fail
+ # following tests should fail (but it does not?)
 west #
 ipsec auto --up west-ekuBOGUS-bad
 002 "west-ekuBOGUS-bad" #31: initiating v2 parent SA
 1v2 "west-ekuBOGUS-bad" #31: initiate
 1v2 "west-ekuBOGUS-bad" #31: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuBOGUS-bad" #32: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuBOGUS-bad" #32: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuBOGUS-bad" #32: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-WIP 003 "west-ekuBOGUS-bad" #32: Authenticated using RSA
-WIP 002 "west-ekuBOGUS-bad" #32: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-WIP 004 "west-ekuBOGUS-bad" #32: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuBOGUS-bad" #32: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuBOGUS-bad" #32: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
 ipsec auto --delete west-ekuBOGUS-bad
 002 "west-ekuBOGUS-bad": terminating SAs using this connection
-002 "west-ekuBOGUS-bad" #32: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuBOGUS-bad" #32: ESP traffic information: in=0B out=0B
-002 "west-ekuBOGUS-bad" #31: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuBOGUS-bad" #32: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuBOGUS-bad" #31: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
 sleep 2
 west #
@@ -362,38 +299,6 @@
 # confirm all verifications used the NSS IPsec profile and not TLS client/server profile
 west #
 grep profile /tmp/pluto.log | grep -v Starting
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
 west #
 west #
 ../bin/check-for-core.sh
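Review bot: The added comment `# following tests should fail (but it does not?)` contradicts the lines under it in this hunk, where "west-ekuBOGUS-bad" is rejected with AUTHENTICATION_FAILED. Since the connections meant to succeed are rejected in the same way earlier in the diff, this rejection does not show that the bogus EKU was what the peer objected to. Once the positive cases establish again, the comment should go back to `# following tests should fail`, with the rejection reason checked in the responder's log.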
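Review bot: `grep profile /tmp/pluto.log | grep -v Starting` now prints nothing, so the step headed `# confirm all verifications used the NSS IPsec profile and not TLS client/server profile` has nothing left to confirm. The missing `verify_end_cert` lines are consistent with west never reaching verification of east's certificate because the peer rejected authentication first; that reading is inferred from the earlier hunks. If empty output were accepted as the expected text, the check would pass vacuously. Asserting a non-zero count, for example `grep -c 'certificate is valid (profile IPsec)' /tmp/pluto.log`, would make a run without any verification fail visibly.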