/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
 certutil -D -n east -d sql:/etc/ipsec.d
west #
 for cert in /testing/x509/pkcs12/mainca/west-*.p12; do pk12util -i $cert -w /testing/x509/nss-pw -d sql:/etc/ipsec.d; done
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 # down'ed conn must remain down
west #
 ipsec whack --impair revival
west #
 echo "initdone"
initdone
west #
 # fail quick for -bad certs that are supposed to fail
west #
 ipsec whack --impair suppress-retransmits
west #
 # stock certificate test
west #
 ipsec auto --up west
002 "west" #1: initiating v2 parent SA
1v2 "west" #1: initiate
1v2 "west" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west" #2: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west
002 "west": terminating SAs using this connection
002 "west" #2: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west" #1: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 # following tests should work
west #
 ipsec auto --up west-bcCritical
002 "west-bcCritical" #3: initiating v2 parent SA
1v2 "west-bcCritical" #3: initiate
1v2 "west-bcCritical" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-bcCritical" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcCritical" #4: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-bcCritical" #4: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-bcCritical
002 "west-bcCritical": terminating SAs using this connection
002 "west-bcCritical" #4: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-bcCritical" #3: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuOmit
002 "west-ekuOmit" #5: initiating v2 parent SA
1v2 "west-ekuOmit" #5: initiate
1v2 "west-ekuOmit" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuOmit" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuOmit" #6: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ekuOmit" #6: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ekuOmit
002 "west-ekuOmit": terminating SAs using this connection
002 "west-ekuOmit" #6: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-bcOmit
002 "west-bcOmit" #7: initiating v2 parent SA
1v2 "west-bcOmit" #7: initiate
1v2 "west-bcOmit" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-bcOmit" #8: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcOmit" #8: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-bcOmit" #8: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-bcOmit
002 "west-bcOmit": terminating SAs using this connection
002 "west-bcOmit" #8: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-bcOmit" #7: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuCritical-eku-ipsecIKE
002 "west-ekuCritical-eku-ipsecIKE" #9: initiating v2 parent SA
1v2 "west-ekuCritical-eku-ipsecIKE" #9: initiate
1v2 "west-ekuCritical-eku-ipsecIKE" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical-eku-ipsecIKE" #10: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-ipsecIKE" #10: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ekuCritical-eku-ipsecIKE" #10: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ekuCritical-eku-ipsecIKE
002 "west-ekuCritical-eku-ipsecIKE": terminating SAs using this connection
002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-serverAuth
002 "west-eku-serverAuth" #11: initiating v2 parent SA
1v2 "west-eku-serverAuth" #11: initiate
1v2 "west-eku-serverAuth" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-serverAuth" #12: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-serverAuth" #12: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-eku-serverAuth" #12: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-eku-serverAuth
002 "west-eku-serverAuth": terminating SAs using this connection
002 "west-eku-serverAuth" #12: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-nonRepudiation
002 "west-ku-nonRepudiation" #13: initiating v2 parent SA
1v2 "west-ku-nonRepudiation" #13: initiate
1v2 "west-ku-nonRepudiation" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ku-nonRepudiation" #14: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-nonRepudiation" #14: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ku-nonRepudiation" #14: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ku-nonRepudiation
002 "west-ku-nonRepudiation": terminating SAs using this connection
002 "west-ku-nonRepudiation" #14: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-sanCritical
002 "west-sanCritical" #15: initiating v2 parent SA
1v2 "west-sanCritical" #15: initiate
1v2 "west-sanCritical" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-sanCritical" #16: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-sanCritical" #16: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-sanCritical" #16: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-sanCritical
002 "west-sanCritical": terminating SAs using this connection
002 "west-sanCritical" #16: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-sanCritical" #15: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 # This one works now - older NSS versions relied on NSS TLS fallback
west #
 ipsec auto --up west-ekuCritical
002 "west-ekuCritical" #17: initiating v2 parent SA
1v2 "west-ekuCritical" #17: initiate
1v2 "west-ekuCritical" #17: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical" #18: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical" #18: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ekuCritical" #18: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ekuCritical
002 "west-ekuCritical": terminating SAs using this connection
002 "west-ekuCritical" #18: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuCritical
002 "west-kuCritical" #19: initiating v2 parent SA
1v2 "west-kuCritical" #19: initiate
1v2 "west-kuCritical" #19: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-kuCritical" #20: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuCritical" #20: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-kuCritical" #20: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-kuCritical
002 "west-kuCritical": terminating SAs using this connection
002 "west-kuCritical" #20: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-kuCritical" #19: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuOmit
002 "west-kuOmit" #21: initiating v2 parent SA
1v2 "west-kuOmit" #21: initiate
1v2 "west-kuOmit" #21: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-kuOmit" #22: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuOmit" #22: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-kuOmit" #22: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-kuOmit
002 "west-kuOmit": terminating SAs using this connection
002 "west-kuOmit" #22: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-kuOmit" #21: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-clientAuth
002 "west-eku-clientAuth" #23: initiating v2 parent SA
1v2 "west-eku-clientAuth" #23: initiate
1v2 "west-eku-clientAuth" #23: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-clientAuth" #24: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-clientAuth" #24: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-eku-clientAuth" #24: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-eku-clientAuth
002 "west-eku-clientAuth": terminating SAs using this connection
002 "west-eku-clientAuth" #24: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-ipsecIKE
002 "west-eku-ipsecIKE" #25: initiating v2 parent SA
1v2 "west-eku-ipsecIKE" #25: initiate
1v2 "west-eku-ipsecIKE" #25: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-ipsecIKE" #26: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-ipsecIKE" #26: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-eku-ipsecIKE" #26: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-eku-ipsecIKE
002 "west-eku-ipsecIKE": terminating SAs using this connection
002 "west-eku-ipsecIKE" #26: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-keyAgreement-digitalSignature
002 "west-ku-keyAgreement-digitalSignature" #27: initiating v2 parent SA
1v2 "west-ku-keyAgreement-digitalSignature" #27: initiate
1v2 "west-ku-keyAgreement-digitalSignature" #27: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ku-keyAgreement-digitalSignature" #28: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-keyAgreement-digitalSignature" #28: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ku-keyAgreement-digitalSignature" #28: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ku-keyAgreement-digitalSignature
002 "west-ku-keyAgreement-digitalSignature": terminating SAs using this connection
002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 # fails on older versions of NSS only
west #
 ipsec auto --up west-ekuCritical-eku-emailProtection
002 "west-ekuCritical-eku-emailProtection" #29: initiating v2 parent SA
1v2 "west-ekuCritical-eku-emailProtection" #29: initiate
1v2 "west-ekuCritical-eku-emailProtection" #29: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical-eku-emailProtection" #30: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-emailProtection" #30: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ekuCritical-eku-emailProtection" #30: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ekuCritical-eku-emailProtection
002 "west-ekuCritical-eku-emailProtection": terminating SAs using this connection
002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 # following tests should fail (but it does not?)
west #
 ipsec auto --up west-ekuBOGUS-bad
002 "west-ekuBOGUS-bad" #31: initiating v2 parent SA
1v2 "west-ekuBOGUS-bad" #31: initiate
1v2 "west-ekuBOGUS-bad" #31: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuBOGUS-bad" #32: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuBOGUS-bad" #32: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
000 "west-ekuBOGUS-bad" #32: scheduling retry attempt 1 of an unlimited number, but releasing whack
west #
 ipsec auto --delete west-ekuBOGUS-bad
002 "west-ekuBOGUS-bad": terminating SAs using this connection
002 "west-ekuBOGUS-bad" #32: deleting state (STATE_PARENT_I2) and NOT sending notification
002 "west-ekuBOGUS-bad" #31: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-keyAgreement-bad
000 initiating all conns with alias='west-ku-keyAgreement-bad'
021 no connection named "west-ku-keyAgreement-bad"
west #
 ipsec auto --delete west-ku-keyAgreement-bad
west #
 echo "done"
done
west #
 # confirm all verifications used the NSS IPsec profile and not TLS client/server profile
west #
 grep profile /tmp/pluto.log  | grep -v Starting
west #
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi