/testing/guestbin/swan-prep --x509 Preparing X.509 files west # certutil -d sql:/etc/ipsec.d -D -n east west # ipsec start Redirecting to: [initsystem] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec auto --add nss-cert 002 added connection description "nss-cert" west # ipsec auto --listall 000 000 List of Public Keys: 000 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_USER_FQDN 'user-west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_FQDN '@west.testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_USER_FQDN 'west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_IPV4_ADDR '192.1.2.45' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 000 0: RSA (none) (none) 000 000 List of X.509 End Certificates: 000 000 End certificate "west" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA: has private key 000 000 End certificate "road" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "north" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "hashsha1" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=hashsha1.testing.libreswan.org, E=user-hashsha1@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "nic" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=nic.testing.libreswan.org, E=user-nic@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 List of X.509 CA Certificates: 000 000 Root CA certificate "Libreswan test CA for mainca - Libreswan" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 1024 bit RSA 000 000 Root CA certificate "east-ec" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east-ec.testing.libreswan.org, E=testing@libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east-ec.testing.libreswan.org, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 384 bit(other) 000 000 List of CRLs: west # ipsec auto --status |grep nss-cert 000 "nss-cert": 192.0.1.254/32===192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]...192.1.2.23<192.1.2.23>[%fromcert]===192.0.2.254/32; unrouted; eroute owner: #0 000 "nss-cert": oriented; my_ip=192.0.1.254; their_ip=192.0.2.254; mycert=west; my_updown=ipsec _updown; 000 "nss-cert": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "nss-cert": our auth:rsasig, their auth:rsasig 000 "nss-cert": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "nss-cert": labeled_ipsec:no; 000 "nss-cert": policy_label:unset; 000 "nss-cert": CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any' 000 "nss-cert": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "nss-cert": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "nss-cert": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "nss-cert": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "nss-cert": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "nss-cert": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "nss-cert": our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert 000 "nss-cert": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "nss-cert": newest ISAKMP SA: #0; newest IPsec SA: #0; west # ipsec whack --impair suppress-retransmits west # echo "initdone" initdone west # ipsec auto --up nss-cert 002 "nss-cert" #1: initiating Main Mode 1v1 "nss-cert" #1: STATE_MAIN_I1: initiate 1v1 "nss-cert" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "nss-cert" #1: I am sending my cert 002 "nss-cert" #1: I am sending a certificate request 1v1 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3 002 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' 002 "nss-cert" #1: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA 003 "nss-cert" #1: Authenticated using RSA 004 "nss-cert" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 002 "nss-cert" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 1v1 "nss-cert" #2: STATE_QUICK_I1: initiate 004 "nss-cert" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} west # echo done done west # certutil -L -d sql:/etc/ipsec.d Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI west u,u,u Libreswan test CA for mainca - Libreswan CT,, road P,, north P,, hashsha1 P,, east-ec P,, nic P,, west # ipsec auto --listall 000 000 List of Public Keys: 000 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_USER_FQDN 'user-west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_FQDN '@west.testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_USER_FQDN 'west@testing.libreswan.org' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 TIMESTAMP, 3072 RSA Key AwXXXXXXX (has private key), until TIMESTAMP ok 000 ID_IPV4_ADDR '192.1.2.45' 000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 000 List of Pre-shared secrets (from /etc/ipsec.secrets) 000 000 0: RSA (none) (none) 000 000 List of X.509 End Certificates: 000 000 End certificate "west" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA: has private key 000 000 End certificate "road" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "north" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=north.testing.libreswan.org, E=user-north@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "hashsha1" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=hashsha1.testing.libreswan.org, E=user-hashsha1@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 End certificate "nic" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=nic.testing.libreswan.org, E=user-nic@testing.libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 3072 bit RSA 000 000 List of X.509 CA Certificates: 000 000 Root CA certificate "east-ec" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east-ec.testing.libreswan.org, E=testing@libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east-ec.testing.libreswan.org, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 384 bit(other) 000 000 Root CA certificate "Libreswan test CA for mainca - Libreswan" - SN: 0xXX 000 subject: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 issuer: C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org 000 not before: TIMESTAMP 000 not after: TIMESTAMP 000 1024 bit RSA 000 000 List of CRLs: west # west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi