/testing/guestbin/swan-prep --x509
Preparing X.509 files
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# certutil -D -n road -d sql:/etc/ipsec.d
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# certutil -D -n north -d sql:/etc/ipsec.d
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# certutil -D -n east -d sql:/etc/ipsec.d
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# cp policies/* /etc/ipsec.d/policies/
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# restorecon -R /etc/ipsec.d
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec:
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# /testing/pluto/bin/wait-until-pluto-started
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ipsec whack --impair suppress-retransmits
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# # ensure for tests acquires expire before our failureshunt=2m
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# echo 30 > /proc/sys/net/core/xfrm_acq_expires
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# # give OE policies time to load
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# sleep 5
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# # one packet, which gets eaten by XFRM, so east does not initiate
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ping -n -c 1 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 1 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# wait on OE IKE negotiation
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# wait on OE IKE negotiation' <<<<<<<<<<tuc<<<<<<<<<<sleep 1
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ping -n -c 2 -I 192.1.3.33 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 37ms
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh 'ping -n -c 2 -I 192.1.3.33 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# ping should succeed through tunnel
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# ping should succeed through tunnel' <<<<<<<<<<tuc<<<<<<<<<<# should show established tunnel and no bare shunts
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 northinit.sh '# should show established tunnel and no bare shunts' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ipsec whack --shuntstatus
000 Bare Shunt list:
000
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \ dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \ dir out priority 1564647 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \ dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \ dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \ dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:31:59 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.3.33
proto esp spi 0x39c2f5f7 reqid 16433 mode tunnel
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.1.2.23/32 dst 192.1.3.33/32
src 192.1.3.33 dst 192.1.2.23
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.1.3.33/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth1
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
dir out priority 1564647 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan CT,,
east-ec P,,
hashsha1 P,,
nic P,,
west P,,
west-ec P,,
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# echo done
done
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# echo "initdone"
initdone
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# # A tunnel should have established with non-zero byte counters
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ping -n -c 4 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 64ms
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh 'ping -n -c 4 192.1.2.23' <<<<<<<<<<tuc<<<<<<<<<<# jacob two two for east?
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients 1]# >>>>>>>>>>cutnonzeroexit>>>>>>>>>> exit status 1 final.sh '# jacob two two for east?' <<<<<<<<<<tuc<<<<<<<<<<ipsec whack --trafficstatus
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ipsec whack --trafficstatus
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ../../pluto/bin/ipsec-look.sh | sed "s/\(.\)port [0-9][0-9][0-9][0-9] /\1port XXXX /g"
==== cut ====
start raw xfrm state:
src 192.1.3.33/32 dst 192.1.2.23/32 \ dir out priority 1564647 ptype main \
src 192.1.3.33/32 dst 192.1.2.0/24 \ dir out priority 1564647 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\
src 192.1.2.253/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.2.253/32 \ dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.253/32 \ dir out priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \ dir fwd priority 1564639 ptype main \
src 192.1.3.254/32 dst 192.1.3.33/32 \ dir in priority 1564639 ptype main \
src 192.1.3.33/32 dst 192.1.3.254/32 \ dir out priority 1564639 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
north Mon Aug 26 18:32:51 UTC 2019
XFRM state:
src 192.1.3.33 dst 192.1.2.23
proto esp spi 0x00000000 reqid 0 mode transport
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.1.3.33/32 dst 192.1.2.23/32 proto udp sport 36404 dport XXXX dev eth1
src 192.1.2.23 dst 192.1.3.33
proto esp spi 0x83aec089 reqid 16433 mode tunnel
replay-window 0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
sel src 192.1.2.23/32 dst 192.1.3.33/32
XFRM policy:
src 192.1.2.253/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
dir fwd priority 1564639 ptype main
src 192.1.3.254/32 dst 192.1.3.33/32
dir in priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.253/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.253/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.3.254/32
dir out priority 1564639 ptype main
src 192.1.3.33/32 dst 192.1.2.0/24
dir out priority 1564647 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid 0 mode transport
src 192.1.3.33/32 dst 192.1.2.23/32
dir out priority 1564647 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan CT,,
east-ec P,,
hashsha1 P,,
nic P,,
west P,,
west-ec P,,
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# # you should see both RSA and NULL
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# grep IKEv2_AUTH_ /tmp/pluto.log
| auth method: IKEv2_AUTH_NULL (0xd)
| auth method: IKEv2_AUTH_RSA (0x1)
| auth method: IKEv2_AUTH_NULL (0xd)
| auth method: IKEv2_AUTH_RSA (0x1)
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# : ==== cut ====
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.0.3.254:4500
000 interface eth0/eth0 192.0.3.254:500
000 interface eth1/eth1 192.1.3.33:4500
000 interface eth1/eth1 192.1.3.33:500
000
000
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/tmp, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=<unset>
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=v3.28-685-gbfd5aef521-master-s2, pluto_vendorid=OE-Libreswan-v3.28-685, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=32001
000 debug: base+cpu-usage impair: suppress-retransmits
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000
000 Kernel algorithms supported:
000
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 Connection list:
000
000 "block": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "block": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "block": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "block": our auth:unset, their auth:unset
000 "block": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "block": labeled_ipsec:no;
000 "block": policy_label:unset;
000 "block": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "block": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "block": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "block": policy: AUTH_NEVER+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE;
000 "block": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "block": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "block": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "block": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "block": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.1.3.33---192.1.3.254...%group; unrouted; eroute owner: #0
000 "clear": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear": our auth:unset, their auth:unset
000 "clear": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear": labeled_ipsec:no;
000 "clear": policy_label:unset;
000 "clear": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear": policy: AUTH_NEVER+GROUP+GROUTED+PASS+NEVER_NEGOTIATE;
000 "clear": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.2.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.2.253/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.2.253/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear#192.1.2.253/32": our auth:unset, their auth:unset
000 "clear#192.1.2.253/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.2.253/32": labeled_ipsec:no;
000 "clear#192.1.2.253/32": policy_label:unset;
000 "clear#192.1.2.253/32": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.2.253/32": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.2.253/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.2.253/32": policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.2.253/32": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.2.253/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.2.253/32": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.2.253/32": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.2.253/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.253/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.253/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.253/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear#192.1.3.253/32": our auth:unset, their auth:unset
000 "clear#192.1.3.253/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.253/32": labeled_ipsec:no;
000 "clear#192.1.3.253/32": policy_label:unset;
000 "clear#192.1.3.253/32": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.253/32": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.253/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.253/32": policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.253/32": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.253/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.253/32": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.253/32": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.253/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.1.3.254/32": 192.1.3.33---192.1.3.254...%any; prospective erouted; eroute owner: #0
000 "clear#192.1.3.254/32": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.3.254/32": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear#192.1.3.254/32": our auth:unset, their auth:unset
000 "clear#192.1.3.254/32": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "clear#192.1.3.254/32": labeled_ipsec:no;
000 "clear#192.1.3.254/32": policy_label:unset;
000 "clear#192.1.3.254/32": ike_life: 0s; ipsec_life: 0s; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.3.254/32": retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "clear#192.1.3.254/32": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.3.254/32": policy: AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.3.254/32": conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.3.254/32": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.3.254/32": our idtype: ID_IPV4_ADDR; our id=%any; their idtype: %none; their id=(none)
000 "clear#192.1.3.254/32": dpd: action:disabled; delay:0; timeout:0; nat-t: encaps:no; nat_keepalive:no; ikev1_natt:both
000 "clear#192.1.3.254/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "clear-or-private": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear-or-private": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "clear-or-private": our auth:null, their auth:rsasig
000 "clear-or-private": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "clear-or-private": labeled_ipsec:no;
000 "clear-or-private": policy_label:unset;
000 "clear-or-private": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "clear-or-private": retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "clear-or-private": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear-or-private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "clear-or-private": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear-or-private": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "clear-or-private": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "clear-or-private": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "clear-or-private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private": our auth:null, their auth:rsasig
000 "private": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private": labeled_ipsec:no;
000 "private": policy_label:unset;
000 "private": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private": retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failureDROP;
000 "private": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear": our auth:null, their auth:rsasig
000 "private-or-clear": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear": labeled_ipsec:no;
000 "private-or-clear": policy_label:unset;
000 "private-or-clear": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear": retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunistic[%fromcert]===192.1.2.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#192.1.2.0/24": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24": our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24": labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24": policy_label:unset;
000 "private-or-clear#192.1.2.0/24": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24": retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24": policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#192.1.2.0/24"[1]: 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...192.1.2.23[%fromcert]; unrouted HOLD; eroute owner: #0
000 "private-or-clear#192.1.2.0/24"[1]: oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24"[1]: xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24"[1]: our auth:null, their auth:rsasig
000 "private-or-clear#192.1.2.0/24"[1]: modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear#192.1.2.0/24"[1]: labeled_ipsec:no;
000 "private-or-clear#192.1.2.0/24"[1]: policy_label:unset;
000 "private-or-clear#192.1.2.0/24"[1]: ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear#192.1.2.0/24"[1]: retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear#192.1.2.0/24"[1]: initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24"[1]: policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUPINSTANCE+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear#192.1.2.0/24"[1]: conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24"[1]: nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24"[1]: our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24"[1]: dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear#192.1.2.0/24"[1]: newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear-all": 192.1.3.33[ID_NULL,+MC+CAT+S=C]---192.1.3.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear-all": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "private-or-clear-all": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "private-or-clear-all": our auth:null, their auth:rsasig
000 "private-or-clear-all": modecfg info: us:client, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:set;
000 "private-or-clear-all": labeled_ipsec:no;
000 "private-or-clear-all": policy_label:unset;
000 "private-or-clear-all": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "private-or-clear-all": retransmit-interval: 15000ms; retransmit-timeout: 60s;
000 "private-or-clear-all": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear-all": policy: RSASIG+ENCRYPT+TUNNEL+PFS+NEGO_PASS+OPPORTUNISTIC+GROUP+GROUTED+IKEV2_ALLOW+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO+failurePASS;
000 "private-or-clear-all": conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear-all": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear-all": our idtype: ID_NULL; our id=ID_NULL; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear-all": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "private-or-clear-all": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 11, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #3: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:4500 STATE_PARENT_I2 (sent v2I2, expected v2R2); EVENT_SA_REPLACE in 45s; idle;
000 #3: pending CHILD SA for "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23
000
000 Bare Shunt list:
000
000 192.1.3.33/32:36404 -17-> 192.1.2.23/32:1025 => %hold 0 %acquire-netlink
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# : ==== tuc ====
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# ../bin/check-for-core.sh
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566844133.486:265910): avc: denied { write } for pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844133.996:266013): avc: denied { write } for pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844371.178:281728): avc: denied { write } for pid=15826 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=64265215 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]# : ==== end ====
�kroot@swantest:/home/build/libreswan/testing/pluto/certoe-07-nat-2-clients�\[root@north certoe-07-nat-2-clients]#