/testing/guestbin/swan-prep
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# cp policies/* /etc/ipsec.d/policies/
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec: 
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# /testing/pluto/bin/wait-until-pluto-started
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# # give OE policies time to load
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# sleep 5
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec auto --add passthrough-in
002 added connection description "passthrough-in"
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec auto --route passthrough-in
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec auto --add passthrough-out
002 added connection description "passthrough-out"
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec auto --route passthrough-out
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# # ensure for tests acquires expire before our failureshunt=2m
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# echo 30 > /proc/sys/net/core/xfrm_acq_expires
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# echo "initdone"
initdone
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.264 ms

--- 192.1.2.23 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time 25ms
rtt min/avg/max/mdev = 0.264/0.264/0.264/0.000 ms
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# # wait on OE retransmits and rekeying
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# sleep 5
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# # ping should succeed through tunnel
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ping -n -c 1 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.089 ms

--- 192.1.2.23 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.089/0.089/0.089/0.000 ms
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# sleep 5
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec whack --trafficstatus
whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 roadrun.sh 'ipsec whack --trafficstatus' <<<<<<<<<<tuc<<<<<<<<<<# echo should go through passthrough, not increase traffic counter of tunnel
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 roadrun.sh '# echo should go through passthrough, not increase traffic counter of tunnel' <<<<<<<<<<tuc<<<<<<<<<<echo "PLAINTEXT" | nc -s 192.1.3.209 192.1.2.23 22
Ncat: Connection refused.
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 roadrun.sh 'echo "PLAINTEXT" | nc -s 192.1.3.209 192.1.2.23 22' <<<<<<<<<<tuc<<<<<<<<<<sleep 5
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec whack --trafficstatus
whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 roadrun.sh 'ipsec whack --trafficstatus' <<<<<<<<<<tuc<<<<<<<<<<echo done
done
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 2088927 ptype main \	tmpl src 192.1.3.209 dst 192.1.2.23\		proto esp reqid 16437 mode tunnel\
src 192.1.2.23/32 dst 192.1.3.209/32 \	dir fwd priority 2088927 ptype main \	tmpl src 192.1.2.23 dst 192.1.3.209\		proto esp reqid 16437 mode tunnel\
src 192.1.2.23/32 dst 192.1.3.209/32 \	dir in priority 2088927 ptype main \	tmpl src 192.1.2.23 dst 192.1.3.209\		proto esp reqid 16437 mode tunnel\
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp sport 22 \	dir fwd priority 843743 ptype main \
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp sport 22 \	dir in priority 843743 ptype main \
src 192.1.3.209/32 dst 0.0.0.0/0 proto tcp dport 22 \	dir out priority 843743 ptype main \
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp dport 22 \	dir fwd priority 843743 ptype main \
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp dport 22 \	dir in priority 843743 ptype main \
src 192.1.3.209/32 dst 0.0.0.0/0 proto tcp sport 22 \	dir out priority 843743 ptype main \
src 192.1.3.209/32 dst 192.1.2.0/24 \	dir out priority 2088935 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.209/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.209/32 \	dir in priority 1564639 ptype main \
src 192.1.3.209/32 dst 192.1.2.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.209/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.209/32 \	dir in priority 1564639 ptype main \
src 192.1.3.209/32 dst 192.1.3.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.209/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.209/32 \	dir in priority 1564639 ptype main \
src 192.1.3.209/32 dst 192.1.3.254/32 \	dir out priority 1564639 ptype main \
src 192.1.2.254/32 dst 192.1.3.209/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.254/32 dst 192.1.3.209/32 \	dir in priority 1564639 ptype main \
src 192.1.3.209/32 dst 192.1.2.254/32 \	dir out priority 1564639 ptype main \
end raw xfrm state:
==== tuc ====
road Mon Aug 26 13:16:42 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xa9ebb061 reqid 16437 mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0x775ce0027043459b165a7f46ffab101d9c43b3befca2c3e11d089bdb5eaf355006942ef6 128
	anti-replay context: seq 0x2, oseq 0x0, bitmap 0x00000003
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xb8d1a880 reqid 16437 mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0x499025158e01ec3a5ffdc09b28c7401c6eaa0a0f9d5a7395b96607f30cf827bd05f1eb84 128
	anti-replay context: seq 0x0, oseq 0x2, bitmap 0x00000000
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp dport 22
	dir fwd priority 843743 ptype main
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp dport 22
	dir in priority 843743 ptype main
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp sport 22
	dir fwd priority 843743 ptype main
src 0.0.0.0/0 dst 192.1.3.209/32 proto tcp sport 22
	dir in priority 843743 ptype main
src 192.1.3.209/32 dst 0.0.0.0/0 proto tcp dport 22
	dir out priority 843743 ptype main
src 192.1.3.209/32 dst 0.0.0.0/0 proto tcp sport 22
	dir out priority 843743 ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority 1564639 ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority 1564639 ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority 1564639 ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority 1564639 ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority 1564639 ptype main
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 2088927 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16437 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 2088927 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16437 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 2088927 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16437 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 2088935 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# # A tunnel should have established
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# grep "negotiated connection" /tmp/pluto.log
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# : ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ipsec auto --status
whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass 33]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 33 final.sh 'ipsec auto --status' <<<<<<<<<<tuc<<<<<<<<<<: ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566825400.505:199134): avc:  denied  { write } for  pid=11855 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=578344241 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/newoe-15-portpass\[root@road newoe-15-portpass]#