/testing/guestbin/swan-prep
kroot@swantest:/home/build/libreswan/testing/pluto/ikev2-14-compress\[root@west ikev2-14-compress]# # confirm that the network is alive
[root@west ikev2-14-compress]# ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
[root@west ikev2-14-compress]# # ensure that clear text does not get through
[root@west ikev2-14-compress]# iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
[root@west ikev2-14-compress]# iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
[root@west ikev2-14-compress]# # confirm clear text does not get through
[root@west ikev2-14-compress]# ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
==== cut ====
ping -q -n -c 1 -i 2 -w 1 -I 192.0.1.254 192.0.2.254
==== tuc ====
==== cut ====
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

--- 192.0.2.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

==== tuc ====
down
[root@west ikev2-14-compress]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec:
[root@west ikev2-14-compress]# /testing/pluto/bin/wait-until-pluto-started
[root@west ikev2-14-compress]# ipsec whack --impair suppress-retransmits
[root@west ikev2-14-compress]# ipsec auto --add westnet-eastnet-ipcomp
002 added connection description "westnet-eastnet-ipcomp"
[root@west ikev2-14-compress]# ipsec auto --status | grep westnet-eastnet-ipcomp
000 "westnet-eastnet-ipcomp": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-ipcomp": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-eastnet-ipcomp": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "westnet-eastnet-ipcomp": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet-ipcomp": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-eastnet-ipcomp": labeled_ipsec:no;
000 "westnet-eastnet-ipcomp": policy_label:unset;
000 "westnet-eastnet-ipcomp": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-ipcomp": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "westnet-eastnet-ipcomp": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-ipcomp": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-eastnet-ipcomp": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-ipcomp": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-ipcomp": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-eastnet-ipcomp": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-eastnet-ipcomp": newest ISAKMP SA: #0; newest IPsec SA: #0;
[root@west ikev2-14-compress]# echo "initdone"
initdone
[root@west ikev2-14-compress]# ipsec auto --up westnet-eastnet-ipcomp
002 "westnet-eastnet-ipcomp" #1: initiating v2 parent SA
181 "westnet-eastnet-ipcomp" #1: initiate
002 "westnet-eastnet-ipcomp": constructed local IKE proposals for westnet-eastnet-ipcomp (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
181 "westnet-eastnet-ipcomp" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "westnet-eastnet-ipcomp" #1: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
002 "westnet-eastnet-ipcomp": constructed local ESP/AH proposals for westnet-eastnet-ipcomp (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED 2:ESP:ENCR=AES_GCM_C_128;INTEG=NONE;DH=NONE;ESN=DISABLED 3:ESP:ENCR=AES_CBC_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED 4:ESP:ENCR=AES_CBC_128;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=NONE;ESN=DISABLED
182 "westnet-eastnet-ipcomp" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "westnet-eastnet-ipcomp" #2: IMPAIR: suppressing retransmits; scheduling timeout in 60 seconds
002 "westnet-eastnet-ipcomp" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
003 "westnet-eastnet-ipcomp" #2: Authenticated using RSA
002 "westnet-eastnet-ipcomp" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0]
004 "westnet-eastnet-ipcomp" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xa4e1cbaf <0x77739d80 xfrm=AES_GCM_16_256-NONE IPCOMP=>0x0000b822 <0x0000ee8f NATOA=none NATD=none DPD=passive}
[root@west ikev2-14-compress]# # first pings hit regular ESP since pings too small to compress
[root@west ikev2-14-compress]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.090 ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.079 ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.067 ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.070 ms

--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 61ms
rtt min/avg/max/mdev = 0.067/0.076/0.090/0.012 ms
[root@west ikev2-14-compress]# # this oddly shows up as 0 packets and 4 packets on ipcomp
[root@west ikev2-14-compress]# ip -o -s xfrm state|grep "proto comp" | sed "s/^\(.*\)\(lifetime current:.*\)\(add .*$\)/\2/"
lifetime current:\ 0(bytes), 0(packets)\ 
lifetime current:\ 336(bytes), 4(packets)\ 
[root@west ikev2-14-compress]# # test compression via large pings that can be compressed on IPCOMP SA
[root@west ikev2-14-compress]# ping -n -c 4 -s 8184 -p ff -I 192.0.1.254 192.0.2.254
PATTERN: 0xff
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 8184(8212) bytes of data.
8192 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.405 ms
8192 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.423 ms
8192 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.429 ms
8192 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.413 ms

--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 96ms
rtt min/avg/max/mdev = 0.405/0.417/0.429/0.022 ms
[root@west ikev2-14-compress]# # this then shows up as 4 packets and 8 packets on ipcomp
[root@west ikev2-14-compress]# ip -o -s xfrm state|grep "proto comp" | sed "s/^\(.*\)\(lifetime current:.*\)\(add .*$\)/\2/"
lifetime current:\ 32848(bytes), 4(packets)\ 
lifetime current:\ 33184(bytes), 8(packets)\ 
[root@west ikev2-14-compress]# # We cannot run ipsec whack --trafficstatus because compression causes the byte count to slightly differ each run
[root@west ikev2-14-compress]# echo done
done
[root@west ikev2-14-compress]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.0.1.0/24 dst 192.0.2.0/24 \ dir out priority 1042407 ptype main \ tmpl src 192.1.2.45 dst 192.1.2.23\ proto comp reqid 16390 mode tunnel\ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ 
src 192.0.2.0/24 dst 192.0.1.0/24 \ dir fwd priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ 
src 192.0.2.0/24 dst 192.0.1.0/24 \ dir in priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ 
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ 
end raw xfrm state:
==== tuc ====
west Mon Aug 26 18:37:01 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0x77739d80 reqid 16389 mode transport
	replay-window 32
	aead rfc4106(gcm(aes)) 0x22ba1462b35378beeeedbdcf68669207f71952d1af5768a5de8d4cb88784c07f374ea886 128
	anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0x0000ee8f reqid 16390 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xc0010217 reqid 0 mode tunnel
	replay-window 0 flag af-unspec
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xa4e1cbaf reqid 16389 mode transport
	replay-window 32
	aead rfc4106(gcm(aes)) 0x4280ea7c19b07c5b44805e6a4e5f6238e50056b2ed6ae3a1ca4fda011c44e54e350b7269 128
	anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0x0000b822 reqid 16390 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xc001022d reqid 0 mode tunnel
	replay-window 0 flag af-unspec
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 1042407 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid 16390 mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority 1042407 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16390 mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority 1042407 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16390 mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

[root@west ikev2-14-compress]# : ==== cut ====
[root@west ikev2-14-compress]# ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 192.0.1.254:4500
000 interface eth0/eth0 192.0.1.254:500
000 interface eth1/eth1 192.1.2.45:4500
000 interface eth1/eth1 192.1.2.45:500
000 
000 
000 fips mode=disabled;
000 SElinux=disabled
000 seccomp=disabled
000 
000 config setup options:
000 
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 nssdir=/etc/ipsec.d, dumpdir=/tmp, statsbin=unset
000 dnssec-rootkey-file=/var/lib/unbound/root.key, dnssec-trusted=
000 sbindir=/usr/local/sbin, libexecdir=/usr/local/libexec/ipsec
000 pluto_version=v3.28-685-gbfd5aef521-master-s2, pluto_vendorid=OE-Libreswan-v3.28-685, audit-log=yes
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, perpeerlog=no, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, ikebuf=0, msg_errqueue=yes, strictcrlpolicy=no, crlcheckinterval=0, listen=, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=
000 ocsp-trust-name=
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=
000 secctx-attr-type=32001
000 debug: base+cpu-usage impair: suppress-retransmits
000 
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 
000 Kernel algorithms supported:
000 
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=SERPENT_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=TWOFISH_CBC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000 
000 IKE algorithms supported:
000 
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000 
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000 
000 Connection list:
000 
000 "westnet-eastnet-ipcomp": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; erouted; eroute owner: #2
000 "westnet-eastnet-ipcomp": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-eastnet-ipcomp": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "westnet-eastnet-ipcomp": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet-ipcomp": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-eastnet-ipcomp": labeled_ipsec:no;
000 "westnet-eastnet-ipcomp": policy_label:unset;
000 "westnet-eastnet-ipcomp": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-ipcomp": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "westnet-eastnet-ipcomp": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-ipcomp": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-eastnet-ipcomp": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-ipcomp": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-ipcomp": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-eastnet-ipcomp": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-eastnet-ipcomp": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "westnet-eastnet-ipcomp": IKEv2 algorithm newest: AES_GCM_16_256-HMAC_SHA2_512-MODP2048
000 "westnet-eastnet-ipcomp": ESP algorithm newest: AES_GCM_16_256-NONE; pfsgroup=
000 
000 Total IPsec connections: loaded 1, active 1
000 
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 
000 #1: "westnet-eastnet-ipcomp":500 STATE_PARENT_I3 (PARENT SA established); EVENT_SA_REKEY in 2598s; newest ISAKMP; idle;
000 #2: "westnet-eastnet-ipcomp":500 STATE_V2_IPSEC_I (IPsec SA established); EVENT_SA_REKEY in 28040s; newest IPSEC; eroute owner; isakmp#1; idle;
000 #2: "westnet-eastnet-ipcomp" esp.a4e1cbaf@192.1.2.23 esp.77739d80@192.1.2.45 comp.b822@192.1.2.23 comp.ee8f@192.1.2.45 tun.0@192.1.2.23 tun.0@192.1.2.45 ref=0 refhim=0 Traffic: ESPin=653B ESPout=658B! ESPmax=0B IPCOMPout=0B IPCOMPin=0B! IPCOMPmax=0B
000 
000 Bare Shunt list:
000 
[root@west ikev2-14-compress]# : ==== tuc ====
[root@west ikev2-14-compress]# ../bin/check-for-core.sh
[root@west ikev2-14-compress]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566844133.486:265910): avc: denied { write } for pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844133.996:266013): avc: denied { write } for pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844621.812:300363): avc: denied { write } for pid=17877 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=1016830235 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
[root@west ikev2-14-compress]# : ==== end ====
[root@west ikev2-14-compress]# 
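The two `ip -o -s xfrm state` readings in the transcript (0 and 4 packets on the IPCOMP SAs after the small pings, 4 and 8 after the large ones) are the only evidence the test has that IPCOMP did anything, and the sed one-liner leaves the reader to pair each counter with its SA by eye. The Python below is an added example, not part of this test or of libreswan: it parses the one-record-per-line output into SAs, keys the IPCOMP counters by (src, dst, spi), and diffs two snapshots taken around a traffic burst. The sample snapshots are constructed to mirror the transcript's counters; the ESP byte counts, key material and timestamps inside them are placeholders. The reading of the asymmetry follows Linux xfrm accounting: the outbound IPCOMP state is charged for every packet handed to the bundle, including packets below the compression threshold that leave uncompressed, while the inbound IPCOMP state is only touched by packets that actually arrived with an IPCOMP header, so only a rising inbound counter proves the peer compressed.

```python
"""Check whether an IPCOMP SA actually carried compressed traffic.

Added example; not part of the libreswan test suite or of libreswan.
Snapshots come from `ip -o -s xfrm state` (one SA per line).  The sample
snapshots below are constructed to mirror the transcript's counters; their
ESP byte counts, key material and timestamps are placeholders.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# `ip -o` joins each SA's multi-line record with a backslash; the record
# head and the "lifetime current" stanza are all this check needs.
_SA_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+) proto (?P<proto>\S+) "
    r"spi (?P<spi>0x[0-9a-fA-F]+) reqid (?P<reqid>\d+) mode (?P<mode>\S+)")
_LIFETIME_RE = re.compile(
    r"lifetime current: (?P<bytes>\d+)\(bytes\), (?P<packets>\d+)\(packets\)")

Key = Tuple[str, str, str]  # (src, dst, spi)


def parse_xfrm_state(output: str) -> List[Dict]:
    """One dict per SA from `ip -o -s xfrm state` output."""
    sas = []
    for raw in output.splitlines():
        # Collapse the backslash-joined fields back to single spaces.
        line = " ".join(part.strip() for part in raw.split("\\"))
        head = _SA_RE.match(line)
        if head is None:
            continue  # blank line or something that is not an SA record
        sa: Dict = head.groupdict()
        sa["reqid"] = int(sa["reqid"])
        life = _LIFETIME_RE.search(line)
        sa["bytes"] = int(life["bytes"]) if life else 0
        sa["packets"] = int(life["packets"]) if life else 0
        sas.append(sa)
    return sas


def comp_counters(output: str) -> Dict[Key, Tuple[int, int]]:
    """(src, dst, spi) -> (bytes, packets) for the IPCOMP SAs only."""
    return {(sa["src"], sa["dst"], sa["spi"]): (sa["bytes"], sa["packets"])
            for sa in parse_xfrm_state(output) if sa["proto"] == "comp"}


def compression_report(before: str, after: str, local: str, peer: str) -> Dict[str, object]:
    """Diff the IPCOMP counters of two snapshots taken around a traffic burst.

    Linux charges the outbound IPCOMP state for every packet handed to the
    bundle, even ones below the compression threshold that go out
    uncompressed, so the outbound delta only shows traffic matched the
    policy.  The inbound IPCOMP state is only touched by packets that
    arrived with an IPCOMP header, so a rising inbound counter is the proof
    that the peer really compressed.
    """
    b, a = comp_counters(before), comp_counters(after)
    out_delta = in_delta = (0, 0)
    for (src, dst, spi), (bytes_after, pkts_after) in a.items():
        bytes_before, pkts_before = b.get((src, dst, spi), (0, 0))
        delta = (bytes_after - bytes_before, pkts_after - pkts_before)
        if (src, dst) == (local, peer):
            out_delta = delta
        elif (src, dst) == (peer, local):
            in_delta = delta
    return {
        "outbound_bytes": out_delta[0], "outbound_packets": out_delta[1],
        "inbound_bytes": in_delta[0], "inbound_packets": in_delta[1],
        "traffic_used_policy": out_delta[1] > 0,
        "peer_sent_compressed": in_delta[1] > 0,
    }


def live_snapshot() -> str:
    """Read the kernel's current SAs (needs CAP_NET_ADMIN; not used by the samples)."""
    return subprocess.run(["ip", "-o", "-s", "xfrm", "state"],
                          check=True, capture_output=True, text=True).stdout


# ---- constructed samples mirroring the transcript --------------------------
LOCAL, PEER = "192.1.2.45", "192.1.2.23"      # west and east
OUT_SPI, IN_SPI = "0x0000b822", "0x0000ee8f"  # IPCOMP SPIs of the established SA


def _record(src: str, dst: str, proto: str, spi: str, nbytes: int, npackets: int) -> str:
    """One SA in the one-line shape `ip -o -s xfrm state` prints (constructed)."""
    comp = proto == "comp"
    fields = [
        f"src {src} dst {dst}",
        f"proto {proto} spi {spi} reqid {16390 if comp else 16389} mode {'tunnel' if comp else 'transport'}",
        "replay-window 0 flag af-unspec" if comp else "replay-window 32",
        "comp deflate " if comp else "aead rfc4106(gcm(aes)) 0x00 128",  # placeholder key
        "anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000",
        "lifetime config:", "  limit: soft (INF)(bytes), hard (INF)(bytes)",
        "lifetime current:", f"  {nbytes}(bytes), {npackets}(packets)",
        "  add 2019-08-26 18:36:50 use 2019-08-26 18:36:52",  # placeholder timestamps
        "stats:", "  replay-window 0 replay 0 failed 0",
    ]
    return "\\\t".join(fields)  # `-o` puts a backslash where each newline was


def _snapshot(out_bytes: int, out_pkts: int, in_bytes: int, in_pkts: int, esp_pkts: int) -> str:
    return "\n".join([
        _record(PEER, LOCAL, "comp", IN_SPI, in_bytes, in_pkts),
        _record(PEER, LOCAL, "esp", "0x77739d80", esp_pkts * 100, esp_pkts),  # ESP bytes: placeholder
        _record(LOCAL, PEER, "comp", OUT_SPI, out_bytes, out_pkts),
        _record(LOCAL, PEER, "esp", "0xa4e1cbaf", esp_pkts * 100, esp_pkts),
    ])


BEFORE_ANY_TRAFFIC = _snapshot(0, 0, 0, 0, 0)
AFTER_SMALL_PINGS = _snapshot(336, 4, 0, 0, 4)        # 4 x 84-byte pings, too small to compress
AFTER_LARGE_PINGS = _snapshot(33184, 8, 32848, 4, 8)  # plus 4 x 8212-byte pings, compressed both ways

if __name__ == "__main__":
    print(compression_report(AFTER_SMALL_PINGS, AFTER_LARGE_PINGS, LOCAL, PEER))
```

In practice take the two snapshots with `ip -o -s xfrm state` (or `live_snapshot()`) immediately before and after the burst, and treat `peer_sent_compressed` as the pass condition; `traffic_used_policy` alone is satisfied by the small pings, which is exactly the 0-versus-4 reading the transcript calls odd.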