/testing/guestbin/swan-prep --x509 Preparing X.509 files east # crlutil -I -i /testing/x509/crls/cacrlvalid.crl -d sql:/etc/ipsec.d crlutil: unable to import CRL: SEC_ERROR_CRL_BAD_SIGNATURE: The CRL for the certificate's issuer has an invalid signature. east # certutil -d sql:/etc/ipsec.d -D -n west east # ipsec start Redirecting to: [initsystem] east # /testing/pluto/bin/wait-until-pluto-started east # ipsec auto --add nss-cert-crl 002 added connection description "nss-cert-crl" east # ipsec auto --status |grep nss-cert-crl 000 "nss-cert-crl": 192.0.2.254/32===192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45<192.1.2.45>[%fromcert]===192.0.1.254/32; unrouted; eroute owner: #0 000 "nss-cert-crl": oriented; my_ip=192.0.2.254; their_ip=192.0.1.254; mycert=east; my_updown=ipsec _updown; 000 "nss-cert-crl": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "nss-cert-crl": our auth:rsasig, their auth:rsasig 000 "nss-cert-crl": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "nss-cert-crl": labeled_ipsec:no; 000 "nss-cert-crl": policy_label:unset; 000 "nss-cert-crl": CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any' 000 "nss-cert-crl": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "nss-cert-crl": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "nss-cert-crl": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "nss-cert-crl": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "nss-cert-crl": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "nss-cert-crl": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "nss-cert-crl": our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert 000 "nss-cert-crl": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "nss-cert-crl": newest ISAKMP SA: #0; newest IPsec SA: #0; east # echo "initdone" initdone east # crlutil -L -d sql:/etc/ipsec.d | grep mainca east # ipsec auto --listall | grep -A10 "List of CRLs" | grep -E 'Issuer|Entry|Serial' whack: is Pluto running? connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused) east # east # ipsec stop Redirecting to: [initsystem] Shutting down pluto IKE daemon whack: is Pluto running? connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused) .......... Attempt to shut Pluto down failed! Trying kill /etc/init.d/ipsec: line 162: kill: p: invalid signal specification east # ipsec status whack: Pluto is not running (no "/run/pluto/pluto.ctl") east # grep '^leak' /tmp/pluto.log leak-detective enabled east # ../bin/check-for-core.sh east # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi