/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
 certutil -D -n east -d sql:/etc/ipsec.d
west #
 for cert in /testing/x509/pkcs12/mainca/west-*.p12; do pk12util -i $cert -w /testing/x509/nss-pw -d sql:/etc/ipsec.d; done
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 # down'ed conn must remain down
west #
 ipsec whack --impair revival
west #
 echo "initdone"
initdone
west #
 # fail quick for -bad certs that are supposed to fail
west #
 ipsec whack --impair suppress-retransmits
west #
 # stock certificate test
west #
 ipsec auto --up west
002 "west" #1: initiating v2 parent SA
1v2 "west" #1: initiate
1v2 "west" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west" #2: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west" #2: Authenticated using RSA
002 "west" #2: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west
002 "west": terminating SAs using this connection
002 "west" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west" #2: ESP traffic information: in=0B out=0B
002 "west" #1: deleting state (STATE_PARENT_I3) and sending notification
west #
 # following tests should work
west #
 ipsec auto --up west-bcCritical
002 "west-bcCritical" #3: initiating v2 parent SA
1v2 "west-bcCritical" #3: initiate
1v2 "west-bcCritical" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-bcCritical" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcCritical" #4: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-bcCritical" #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-bcCritical" #4: Authenticated using RSA
002 "west-bcCritical" #4: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-bcCritical" #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-bcCritical
002 "west-bcCritical": terminating SAs using this connection
002 "west-bcCritical" #4: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-bcCritical" #4: ESP traffic information: in=0B out=0B
002 "west-bcCritical" #3: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuOmit
002 "west-ekuOmit" #5: initiating v2 parent SA
1v2 "west-ekuOmit" #5: initiate
1v2 "west-ekuOmit" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuOmit" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuOmit" #6: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuOmit" #6: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuOmit" #6: Authenticated using RSA
002 "west-ekuOmit" #6: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuOmit" #6: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuOmit
002 "west-ekuOmit": terminating SAs using this connection
002 "west-ekuOmit" #6: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ekuOmit" #6: ESP traffic information: in=0B out=0B
002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-bcOmit
002 "west-bcOmit" #7: initiating v2 parent SA
1v2 "west-bcOmit" #7: initiate
1v2 "west-bcOmit" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-bcOmit" #8: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcOmit" #8: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-bcOmit" #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-bcOmit" #8: Authenticated using RSA
002 "west-bcOmit" #8: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-bcOmit" #8: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-bcOmit
002 "west-bcOmit": terminating SAs using this connection
002 "west-bcOmit" #8: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-bcOmit" #8: ESP traffic information: in=0B out=0B
002 "west-bcOmit" #7: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuCritical-eku-ipsecIKE
002 "west-ekuCritical-eku-ipsecIKE" #9: initiating v2 parent SA
1v2 "west-ekuCritical-eku-ipsecIKE" #9: initiate
1v2 "west-ekuCritical-eku-ipsecIKE" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical-eku-ipsecIKE" #10: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-ipsecIKE" #10: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical-eku-ipsecIKE" #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical-eku-ipsecIKE" #10: Authenticated using RSA
002 "west-ekuCritical-eku-ipsecIKE" #10: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical-eku-ipsecIKE" #10: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical-eku-ipsecIKE
002 "west-ekuCritical-eku-ipsecIKE": terminating SAs using this connection
002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ekuCritical-eku-ipsecIKE" #10: ESP traffic information: in=0B out=0B
002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-serverAuth
002 "west-eku-serverAuth" #11: initiating v2 parent SA
1v2 "west-eku-serverAuth" #11: initiate
1v2 "west-eku-serverAuth" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-serverAuth" #12: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-serverAuth" #12: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-serverAuth" #12: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-serverAuth" #12: Authenticated using RSA
002 "west-eku-serverAuth" #12: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-serverAuth" #12: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-serverAuth
002 "west-eku-serverAuth": terminating SAs using this connection
002 "west-eku-serverAuth" #12: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-eku-serverAuth" #12: ESP traffic information: in=0B out=0B
002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-nonRepudiation
002 "west-ku-nonRepudiation" #13: initiating v2 parent SA
1v2 "west-ku-nonRepudiation" #13: initiate
1v2 "west-ku-nonRepudiation" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ku-nonRepudiation" #14: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-nonRepudiation" #14: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ku-nonRepudiation" #14: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ku-nonRepudiation" #14: Authenticated using RSA
002 "west-ku-nonRepudiation" #14: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ku-nonRepudiation" #14: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ku-nonRepudiation
002 "west-ku-nonRepudiation": terminating SAs using this connection
002 "west-ku-nonRepudiation" #14: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ku-nonRepudiation" #14: ESP traffic information: in=0B out=0B
002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-sanCritical
002 "west-sanCritical" #15: initiating v2 parent SA
1v2 "west-sanCritical" #15: initiate
1v2 "west-sanCritical" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-sanCritical" #16: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-sanCritical" #16: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-sanCritical" #16: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-sanCritical" #16: Authenticated using RSA
002 "west-sanCritical" #16: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-sanCritical" #16: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-sanCritical
002 "west-sanCritical": terminating SAs using this connection
002 "west-sanCritical" #16: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-sanCritical" #16: ESP traffic information: in=0B out=0B
002 "west-sanCritical" #15: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 # This one works now - older NSS versions relied on NSS TLS fallback
west #
 ipsec auto --up west-ekuCritical
002 "west-ekuCritical" #17: initiating v2 parent SA
1v2 "west-ekuCritical" #17: initiate
1v2 "west-ekuCritical" #17: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical" #18: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical" #18: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical" #18: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical" #18: Authenticated using RSA
002 "west-ekuCritical" #18: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical" #18: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical
002 "west-ekuCritical": terminating SAs using this connection
002 "west-ekuCritical" #18: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ekuCritical" #18: ESP traffic information: in=0B out=0B
002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuCritical
002 "west-kuCritical" #19: initiating v2 parent SA
1v2 "west-kuCritical" #19: initiate
1v2 "west-kuCritical" #19: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-kuCritical" #20: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuCritical" #20: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-kuCritical" #20: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-kuCritical" #20: Authenticated using RSA
002 "west-kuCritical" #20: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-kuCritical" #20: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-kuCritical
002 "west-kuCritical": terminating SAs using this connection
002 "west-kuCritical" #20: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-kuCritical" #20: ESP traffic information: in=0B out=0B
002 "west-kuCritical" #19: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuOmit
002 "west-kuOmit" #21: initiating v2 parent SA
1v2 "west-kuOmit" #21: initiate
1v2 "west-kuOmit" #21: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-kuOmit" #22: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuOmit" #22: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-kuOmit" #22: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-kuOmit" #22: Authenticated using RSA
002 "west-kuOmit" #22: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-kuOmit" #22: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-kuOmit
002 "west-kuOmit": terminating SAs using this connection
002 "west-kuOmit" #22: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-kuOmit" #22: ESP traffic information: in=0B out=0B
002 "west-kuOmit" #21: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-clientAuth
002 "west-eku-clientAuth" #23: initiating v2 parent SA
1v2 "west-eku-clientAuth" #23: initiate
1v2 "west-eku-clientAuth" #23: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-clientAuth" #24: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-clientAuth" #24: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-clientAuth" #24: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-clientAuth" #24: Authenticated using RSA
002 "west-eku-clientAuth" #24: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-clientAuth" #24: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-clientAuth
002 "west-eku-clientAuth": terminating SAs using this connection
002 "west-eku-clientAuth" #24: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-eku-clientAuth" #24: ESP traffic information: in=0B out=0B
002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-ipsecIKE
002 "west-eku-ipsecIKE" #25: initiating v2 parent SA
1v2 "west-eku-ipsecIKE" #25: initiate
1v2 "west-eku-ipsecIKE" #25: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-eku-ipsecIKE" #26: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-ipsecIKE" #26: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-ipsecIKE" #26: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-ipsecIKE" #26: Authenticated using RSA
002 "west-eku-ipsecIKE" #26: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-ipsecIKE" #26: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-ipsecIKE
002 "west-eku-ipsecIKE": terminating SAs using this connection
002 "west-eku-ipsecIKE" #26: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-eku-ipsecIKE" #26: ESP traffic information: in=0B out=0B
002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-keyAgreement-digitalSignature
002 "west-ku-keyAgreement-digitalSignature" #27: initiating v2 parent SA
1v2 "west-ku-keyAgreement-digitalSignature" #27: initiate
1v2 "west-ku-keyAgreement-digitalSignature" #27: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ku-keyAgreement-digitalSignature" #28: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-keyAgreement-digitalSignature" #28: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ku-keyAgreement-digitalSignature" #28: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ku-keyAgreement-digitalSignature" #28: Authenticated using RSA
002 "west-ku-keyAgreement-digitalSignature" #28: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ku-keyAgreement-digitalSignature" #28: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ku-keyAgreement-digitalSignature
002 "west-ku-keyAgreement-digitalSignature": terminating SAs using this connection
002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ku-keyAgreement-digitalSignature" #28: ESP traffic information: in=0B out=0B
002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 # fails on older versions of NSS only
west #
 ipsec auto --up west-ekuCritical-eku-emailProtection
002 "west-ekuCritical-eku-emailProtection" #29: initiating v2 parent SA
1v2 "west-ekuCritical-eku-emailProtection" #29: initiate
1v2 "west-ekuCritical-eku-emailProtection" #29: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuCritical-eku-emailProtection" #30: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-emailProtection" #30: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical-eku-emailProtection" #30: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical-eku-emailProtection" #30: Authenticated using RSA
002 "west-ekuCritical-eku-emailProtection" #30: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical-eku-emailProtection" #30: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical-eku-emailProtection
002 "west-ekuCritical-eku-emailProtection": terminating SAs using this connection
002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ekuCritical-eku-emailProtection" #30: ESP traffic information: in=0B out=0B
002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 # following tests should fail
west #
 ipsec auto --up west-ekuBOGUS-bad
002 "west-ekuBOGUS-bad" #31: initiating v2 parent SA
1v2 "west-ekuBOGUS-bad" #31: initiate
1v2 "west-ekuBOGUS-bad" #31: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "west-ekuBOGUS-bad" #32: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuBOGUS-bad" #32: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuBOGUS-bad" #32: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
WIP 003 "west-ekuBOGUS-bad" #32: Authenticated using RSA
WIP 002 "west-ekuBOGUS-bad" #32: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
WIP 004 "west-ekuBOGUS-bad" #32: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuBOGUS-bad
002 "west-ekuBOGUS-bad": terminating SAs using this connection
002 "west-ekuBOGUS-bad" #32: deleting state (STATE_V2_IPSEC_I) and sending notification
005 "west-ekuBOGUS-bad" #32: ESP traffic information: in=0B out=0B
002 "west-ekuBOGUS-bad" #31: deleting state (STATE_PARENT_I3) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-keyAgreement-bad
000 initiating all conns with alias='west-ku-keyAgreement-bad'
021 no connection named "west-ku-keyAgreement-bad"
west #
 ipsec auto --delete west-ku-keyAgreement-bad
west #
 echo "done"
done
west #
 # confirm all verifications used the NSS IPsec profile and not TLS client/server profile
west #
 grep profile /tmp/pluto.log  | grep -v Starting
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
west #
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi