/testing/guestbin/swan-prep --x509
Preparing X.509 files
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# certutil -D -n road -d sql:/etc/ipsec.d
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# certutil -D -n north -d sql:/etc/ipsec.d
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# certutil -D -n east -d sql:/etc/ipsec.d
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# cp policies/* /etc/ipsec.d/policies/
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# restorecon -R /etc/ipsec.d
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec: 
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# /testing/pluto/bin/wait-until-pluto-started
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ipsec whack --impair suppress-retransmits
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# # for tests, ensure XFRM acquires expire before our failureshunt=2m
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# echo 30 > /proc/sys/net/core/xfrm_acq_expires
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# # give OE policies time to load
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# sleep 5
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# # one packet, which gets eaten by XFRM, so east does not initiate
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ping -n -c 1 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 1 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# wait on OE IKE negotiation
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# wait on OE IKE negotiation' <<<<<<<<<<tuc<<<<<<<<<<sleep 1
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ping -n -c 2 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 37ms

kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 2 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# ping should succeed through tunnel
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# ping should succeed through tunnel' <<<<<<<<<<tuc<<<<<<<<<<# should show established tunnel and no bare shunts
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# should show established tunnel and no bare shunts' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ipsec whack --shuntstatus
000 Bare Shunt list:
000  
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \	dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \	dir out priority 1564647 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \	dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:31:59 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0x39c2f5f7 reqid 16433 mode tunnel
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.2.23/32 dst 192.1.3.33/32 
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.3.33/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth1 
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
	dir out priority 1564647 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
	dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
west                                                         P,,  
west-ec                                                      P,,  
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# echo done
done
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# echo "initdone"
initdone
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# # A tunnel should have established with non-zero byte counters
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ping -n -c 4 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.

--- 192.1.2.23 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 64ms

kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'ping -n -c 4 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# jacob two two for east?
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh '# jacob two two for east?' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ipsec whack --trafficstatus
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh | sed "s/\(.\)port [0-9][0-9][0-9][0-9] /\1port XXXX /g"
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \	dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \	dir out priority 1564647 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \	dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \	dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \	socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:32:51 UTC 2019
XFRM state:
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.3.33/32 dst 192.1.2.23/32 proto udp sport 36404 dport XXXX dev eth1 
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0x83aec089 reqid 16433 mode tunnel
	replay-window 0 
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
	sel src 192.1.2.23/32 dst 192.1.3.33/32 
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
	dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
	dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
	dir out priority 1564647 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
	dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
west                                                         P,,  
west-ec                                                      P,,  
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# # you should see both RSA and NULL
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# grep IKEv2_AUTH_ /tmp/pluto.log
|    auth method: IKEv2_AUTH_NULL (0xd)
|    auth method: IKEv2_AUTH_RSA (0x1)
|    auth method: IKEv2_AUTH_NULL (0xd)
|    auth method: IKEv2_AUTH_RSA (0x1)
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# : ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.0.3.254:4500
000 interface eth0/eth0 192.0.3.254:500
000 interface eth1/eth1 192.1.3.33:4500
000 interface eth1/eth1 192.1.3.33:500
000  
000  
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/tmp, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=v3.28-685-gbfd5aef521-master-s2, pluto_vendorid=OE-Libreswan-v3.28-685, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug: base+cpu-usage impair: suppress-retransmits
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "block": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "block":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "block":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "block":   our auth:unset, their auth:unset
000 "block":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "block":   labeled_ipsec:no;
000 "block":   policy_label:unset;
000 "block":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "block":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "block":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "block":   policy: AUTH_NEVER+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE;
000 "block":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "block":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "block":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "block":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "block":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "clear":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear":   our auth:unset, their auth:unset
000 "clear":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear":   labeled_ipsec:no;
000 "clear":   policy_label:unset;
000 "clear":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear":   policy: AUTH_NEVER+GROUP+GROUTED+PASS+NEVER_NEGOTIATE;
000 "clear":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.2.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.2.253/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.2.253/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.2.253/32":   our auth:unset, their auth:unset
000 "clear#192.1.2.253/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.2.253/32":   labeled_ipsec:no;
000 "clear#192.1.2.253/32":   policy_label:unset;
000 "clear#192.1.2.253/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.2.253/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.2.253/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.2.253/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.2.253/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.2.253/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.2.253/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.2.253/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.2.253/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.253/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.253/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.3.253/32":   our auth:unset, their auth:unset
000 "clear#192.1.3.253/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.253/32":   labeled_ipsec:no;
000 "clear#192.1.3.253/32":   policy_label:unset;
000 "clear#192.1.3.253/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.253/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.253/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.253/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.253/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.253/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.253/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.253/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.253/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.254/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.254/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.254/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.3.254/32":   our auth:unset, their auth:unset
000 "clear#192.1.3.254/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.254/32":   labeled_ipsec:no;
000 "clear#192.1.3.254/32":   policy_label:unset;
000 "clear#192.1.3.254/32":   ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.254/32":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.254/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.254/32":   policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.254/32":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.254/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.254/32":   our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.254/32":   dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.254/32":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "clear-or-private":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear-or-private":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear-or-private":   our auth:null, their auth:rsasig
000 "clear-or-private":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "clear-or-private":   labeled_ipsec:no;
000 "clear-or-private":   policy_label:unset;
000 "clear-or-private":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "clear-or-private":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "clear-or-private":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear-or-private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "clear-or-private":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear-or-private":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "clear-or-private":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "clear-or-private":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "clear-or-private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private":   our auth:null, their auth:rsasig
000 "private":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private":   labeled_ipsec:no;
000 "private":   policy_label:unset;
000 "private":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP;
000 "private":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear":   our auth:null, their auth:rsasig
000 "private-or-clear":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear":   labeled_ipsec:no;
000 "private-or-clear":   policy_label:unset;
000 "private-or-clear":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunistic[%fromcert]===192.1.2.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#192.1.2.0/24":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24":   our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24":   labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24":   policy_label:unset;
000 "private-or-clear#192.1.2.0/24":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24"[1]: 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...192.1.2.23[%fromcert]; unrouted HOLD; eroute owner: #0
000 "private-or-clear#192.1.2.0/24"[1]:     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24"[1]:   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24"[1]:   our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24"[1]:   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24"[1]:   labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24"[1]:   policy_label:unset;
000 "private-or-clear#192.1.2.0/24"[1]:   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24"[1]:   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24"[1]:   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24"[1]:   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24"[1]:   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24"[1]:   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24"[1]:   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24"[1]:   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24"[1]:   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear-all": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear-all":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear-all":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear-all":   our auth:null, their auth:rsasig
000 "private-or-clear-all":   modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear-all":   labeled_ipsec:no;
000 "private-or-clear-all":   policy_label:unset;
000 "private-or-clear-all":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear-all":   retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear-all":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear-all":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear-all":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear-all":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear-all":   our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear-all":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000  
000 Total IPsec connections: loaded 11, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 #3: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:4500 STATE_PARENT_I2 (sent v2I2, expected v2R2); EVENT_SA_REPLACE in 45s; idle;
000 #3: pending CHILD SA for "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23
000  
000 Bare Shunt list:
000  
000 192.1.3.33/32:36404 -17-> 192.1.2.23/32:1025 => %hold 0    %acquire-netlink
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# : ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566844133.486:265910): avc:  denied  { write } for  pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844133.996:266013): avc:  denied  { write } for  pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844371.178:281728): avc:  denied  { write } for  pid=15826 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=64265215 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]# : ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients\[root@north certoe-07-nat-2-clients]#