--- west.console.txt	2019-08-24 18:12:56.228675511 +0000
+++ OUTPUT/west.console.txt	2019-08-26 18:28:24.459944978 +0000
@@ -21,6 +21,7 @@
 pk12util: PKCS12 IMPORT SUCCESSFUL
 pk12util: PKCS12 IMPORT SUCCESSFUL
 pk12util: PKCS12 IMPORT SUCCESSFUL
+pk12util: PKCS12 IMPORT SUCCESSFUL
 west #
  ipsec start
 Redirecting to: [initsystem]
@@ -45,17 +46,13 @@
 1v2 "west" #1: initiate
 1v2 "west" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west" #2: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west" #2: Authenticated using RSA
-002 "west" #2: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west" #2: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west
 002 "west": terminating SAs using this connection
-002 "west" #2: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west" #2: ESP traffic information: in=0B out=0B
-002 "west" #1: deleting state (STATE_PARENT_I3) and sending notification
+002 "west" #2: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west" #1: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  # following tests should work
 west #
@@ -64,17 +61,13 @@
 1v2 "west-bcCritical" #3: initiate
 1v2 "west-bcCritical" #3: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-bcCritical" #4: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-bcCritical" #4: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-bcCritical" #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-bcCritical" #4: Authenticated using RSA
-002 "west-bcCritical" #4: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-bcCritical" #4: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-bcCritical" #4: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-bcCritical" #4: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-bcCritical
 002 "west-bcCritical": terminating SAs using this connection
-002 "west-bcCritical" #4: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-bcCritical" #4: ESP traffic information: in=0B out=0B
-002 "west-bcCritical" #3: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-bcCritical" #4: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-bcCritical" #3: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -83,17 +76,13 @@
 1v2 "west-ekuOmit" #5: initiate
 1v2 "west-ekuOmit" #5: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuOmit" #6: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuOmit" #6: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuOmit" #6: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuOmit" #6: Authenticated using RSA
-002 "west-ekuOmit" #6: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuOmit" #6: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuOmit" #6: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuOmit" #6: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ekuOmit
 002 "west-ekuOmit": terminating SAs using this connection
-002 "west-ekuOmit" #6: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuOmit" #6: ESP traffic information: in=0B out=0B
-002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuOmit" #6: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuOmit" #5: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -102,17 +91,13 @@
 1v2 "west-bcOmit" #7: initiate
 1v2 "west-bcOmit" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-bcOmit" #8: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-bcOmit" #8: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-bcOmit" #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-bcOmit" #8: Authenticated using RSA
-002 "west-bcOmit" #8: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-bcOmit" #8: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-bcOmit" #8: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-bcOmit" #8: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-bcOmit
 002 "west-bcOmit": terminating SAs using this connection
-002 "west-bcOmit" #8: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-bcOmit" #8: ESP traffic information: in=0B out=0B
-002 "west-bcOmit" #7: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-bcOmit" #8: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-bcOmit" #7: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -121,17 +106,13 @@
 1v2 "west-ekuCritical-eku-ipsecIKE" #9: initiate
 1v2 "west-ekuCritical-eku-ipsecIKE" #9: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical-eku-ipsecIKE" #10: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical-eku-ipsecIKE" #10: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical-eku-ipsecIKE" #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical-eku-ipsecIKE" #10: Authenticated using RSA
-002 "west-ekuCritical-eku-ipsecIKE" #10: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical-eku-ipsecIKE" #10: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical-eku-ipsecIKE" #10: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical-eku-ipsecIKE" #10: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ekuCritical-eku-ipsecIKE
 002 "west-ekuCritical-eku-ipsecIKE": terminating SAs using this connection
-002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical-eku-ipsecIKE" #10: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -140,17 +121,13 @@
 1v2 "west-eku-serverAuth" #11: initiate
 1v2 "west-eku-serverAuth" #11: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-serverAuth" #12: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-serverAuth" #12: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-serverAuth" #12: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-serverAuth" #12: Authenticated using RSA
-002 "west-eku-serverAuth" #12: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-serverAuth" #12: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-serverAuth" #12: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-serverAuth" #12: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-eku-serverAuth
 002 "west-eku-serverAuth": terminating SAs using this connection
-002 "west-eku-serverAuth" #12: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-serverAuth" #12: ESP traffic information: in=0B out=0B
-002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-serverAuth" #12: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-serverAuth" #11: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -159,17 +136,13 @@
 1v2 "west-ku-nonRepudiation" #13: initiate
 1v2 "west-ku-nonRepudiation" #13: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ku-nonRepudiation" #14: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ku-nonRepudiation" #14: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ku-nonRepudiation" #14: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ku-nonRepudiation" #14: Authenticated using RSA
-002 "west-ku-nonRepudiation" #14: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ku-nonRepudiation" #14: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ku-nonRepudiation" #14: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ku-nonRepudiation" #14: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ku-nonRepudiation
 002 "west-ku-nonRepudiation": terminating SAs using this connection
-002 "west-ku-nonRepudiation" #14: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ku-nonRepudiation" #14: ESP traffic information: in=0B out=0B
-002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ku-nonRepudiation" #14: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ku-nonRepudiation" #13: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -178,17 +151,13 @@
 1v2 "west-sanCritical" #15: initiate
 1v2 "west-sanCritical" #15: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-sanCritical" #16: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-sanCritical" #16: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-sanCritical" #16: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-sanCritical" #16: Authenticated using RSA
-002 "west-sanCritical" #16: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-sanCritical" #16: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-sanCritical" #16: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-sanCritical" #16: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-sanCritical
 002 "west-sanCritical": terminating SAs using this connection
-002 "west-sanCritical" #16: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-sanCritical" #16: ESP traffic information: in=0B out=0B
-002 "west-sanCritical" #15: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-sanCritical" #16: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-sanCritical" #15: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -199,17 +168,13 @@
 1v2 "west-ekuCritical" #17: initiate
 1v2 "west-ekuCritical" #17: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical" #18: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical" #18: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical" #18: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical" #18: Authenticated using RSA
-002 "west-ekuCritical" #18: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical" #18: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical" #18: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical" #18: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ekuCritical
 002 "west-ekuCritical": terminating SAs using this connection
-002 "west-ekuCritical" #18: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical" #18: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical" #18: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical" #17: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -218,17 +183,13 @@
 1v2 "west-kuCritical" #19: initiate
 1v2 "west-kuCritical" #19: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-kuCritical" #20: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-kuCritical" #20: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-kuCritical" #20: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-kuCritical" #20: Authenticated using RSA
-002 "west-kuCritical" #20: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-kuCritical" #20: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-kuCritical" #20: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-kuCritical" #20: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-kuCritical
 002 "west-kuCritical": terminating SAs using this connection
-002 "west-kuCritical" #20: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-kuCritical" #20: ESP traffic information: in=0B out=0B
-002 "west-kuCritical" #19: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-kuCritical" #20: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-kuCritical" #19: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -237,17 +198,13 @@
 1v2 "west-kuOmit" #21: initiate
 1v2 "west-kuOmit" #21: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-kuOmit" #22: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-kuOmit" #22: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-kuOmit" #22: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-kuOmit" #22: Authenticated using RSA
-002 "west-kuOmit" #22: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-kuOmit" #22: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-kuOmit" #22: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-kuOmit" #22: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-kuOmit
 002 "west-kuOmit": terminating SAs using this connection
-002 "west-kuOmit" #22: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-kuOmit" #22: ESP traffic information: in=0B out=0B
-002 "west-kuOmit" #21: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-kuOmit" #22: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-kuOmit" #21: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -256,17 +213,13 @@
 1v2 "west-eku-clientAuth" #23: initiate
 1v2 "west-eku-clientAuth" #23: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-clientAuth" #24: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-clientAuth" #24: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-clientAuth" #24: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-clientAuth" #24: Authenticated using RSA
-002 "west-eku-clientAuth" #24: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-clientAuth" #24: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-clientAuth" #24: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-clientAuth" #24: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-eku-clientAuth
 002 "west-eku-clientAuth": terminating SAs using this connection
-002 "west-eku-clientAuth" #24: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-clientAuth" #24: ESP traffic information: in=0B out=0B
-002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-clientAuth" #24: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-clientAuth" #23: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -275,17 +228,13 @@
 1v2 "west-eku-ipsecIKE" #25: initiate
 1v2 "west-eku-ipsecIKE" #25: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-eku-ipsecIKE" #26: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-eku-ipsecIKE" #26: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-eku-ipsecIKE" #26: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-eku-ipsecIKE" #26: Authenticated using RSA
-002 "west-eku-ipsecIKE" #26: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-eku-ipsecIKE" #26: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-eku-ipsecIKE" #26: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-eku-ipsecIKE" #26: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-eku-ipsecIKE
 002 "west-eku-ipsecIKE": terminating SAs using this connection
-002 "west-eku-ipsecIKE" #26: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-eku-ipsecIKE" #26: ESP traffic information: in=0B out=0B
-002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-eku-ipsecIKE" #26: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-eku-ipsecIKE" #25: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -294,17 +243,13 @@
 1v2 "west-ku-keyAgreement-digitalSignature" #27: initiate
 1v2 "west-ku-keyAgreement-digitalSignature" #27: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ku-keyAgreement-digitalSignature" #28: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ku-keyAgreement-digitalSignature" #28: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ku-keyAgreement-digitalSignature" #28: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ku-keyAgreement-digitalSignature" #28: Authenticated using RSA
-002 "west-ku-keyAgreement-digitalSignature" #28: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ku-keyAgreement-digitalSignature" #28: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ku-keyAgreement-digitalSignature" #28: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ku-keyAgreement-digitalSignature" #28: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ku-keyAgreement-digitalSignature
 002 "west-ku-keyAgreement-digitalSignature": terminating SAs using this connection
-002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ku-keyAgreement-digitalSignature" #28: ESP traffic information: in=0B out=0B
-002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
@@ -315,46 +260,31 @@
 1v2 "west-ekuCritical-eku-emailProtection" #29: initiate
 1v2 "west-ekuCritical-eku-emailProtection" #29: STATE_PARENT_I1: sent v2I1, expected v2R1
 1v2 "west-ekuCritical-eku-emailProtection" #30: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuCritical-eku-emailProtection" #30: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuCritical-eku-emailProtection" #30: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-003 "west-ekuCritical-eku-emailProtection" #30: Authenticated using RSA
-002 "west-ekuCritical-eku-emailProtection" #30: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-004 "west-ekuCritical-eku-emailProtection" #30: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+002 "west-ekuCritical-eku-emailProtection" #30: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
+000 "west-ekuCritical-eku-emailProtection" #30: scheduling retry attempt 1 of an unlimited number, but releasing whack
 west #
  ipsec auto --delete west-ekuCritical-eku-emailProtection
 002 "west-ekuCritical-eku-emailProtection": terminating SAs using this connection
-002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuCritical-eku-emailProtection" #30: ESP traffic information: in=0B out=0B
-002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I3) and sending notification
+002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_PARENT_I2) and NOT sending notification
+002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_PARENT_I2) and NOT sending notification
 west #
  sleep 2
 west #
- # following tests should fail
+ # following tests should fail (but it does not?)
 west #
  ipsec auto --up west-ekuBOGUS-bad
-002 "west-ekuBOGUS-bad" #31: initiating v2 parent SA
-1v2 "west-ekuBOGUS-bad" #31: initiate
-1v2 "west-ekuBOGUS-bad" #31: STATE_PARENT_I1: sent v2I1, expected v2R1
-1v2 "west-ekuBOGUS-bad" #32: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
-002 "west-ekuBOGUS-bad" #32: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
-002 "west-ekuBOGUS-bad" #32: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
-WIP 003 "west-ekuBOGUS-bad" #32: Authenticated using RSA
-WIP 002 "west-ekuBOGUS-bad" #32: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
-WIP 004 "west-ekuBOGUS-bad" #32: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
+whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
 west #
  ipsec auto --delete west-ekuBOGUS-bad
-002 "west-ekuBOGUS-bad": terminating SAs using this connection
-002 "west-ekuBOGUS-bad" #32: deleting state (STATE_V2_IPSEC_I) and sending notification
-005 "west-ekuBOGUS-bad" #32: ESP traffic information: in=0B out=0B
-002 "west-ekuBOGUS-bad" #31: deleting state (STATE_PARENT_I3) and sending notification
+whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
 west #
  sleep 2
 west #
  ipsec auto --up west-ku-keyAgreement-bad
-000 initiating all conns with alias='west-ku-keyAgreement-bad'
-021 no connection named "west-ku-keyAgreement-bad"
+whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
 west #
  ipsec auto --delete west-ku-keyAgreement-bad
+whack: is Pluto running?  connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
 west #
  echo "done"
 done
@@ -362,38 +292,6 @@
  # confirm all verifications used the NSS IPsec profile and not TLS client/server profile
 west #
  grep profile /tmp/pluto.log  | grep -v Starting
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
-| verify_end_cert trying profile IPsec
-| certificate is valid (profile IPsec)
 west #
 west #
  ../bin/check-for-core.sh