# added different CA
[root@west certoe-02-whack-badca]# /testing/guestbin/swan-prep --x509 --signedbyother
Preparing X.509 files
[root@west certoe-02-whack-badca]# certutil -D -n east -d sql:/etc/ipsec.d
[root@west certoe-02-whack-badca]# cp policies/* /etc/ipsec.d/policies/
[root@west certoe-02-whack-badca]# echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear
[root@west certoe-02-whack-badca]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: namespaces direct start via ipsec pluto
[root@west certoe-02-whack-badca]# /testing/pluto/bin/wait-until-pluto-started
[root@west certoe-02-whack-badca]# # give OE policies time to load
[root@west certoe-02-whack-badca]# sleep 5
[root@west certoe-02-whack-badca]# echo "initdone"
initdone
[root@west certoe-02-whack-badca]# ipsec whack --impair suppress-retransmits
[root@west certoe-02-whack-badca]# # this should fail AUTH on mismatched CA
[root@west certoe-02-whack-badca]# ipsec whack --oppohere 192.1.2.45 --oppothere 192.1.2.23
002 initiate on demand from 192.1.2.45:0 to 192.1.2.23:0 proto=0 because: whack
181 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: initiate
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23: constructed local IKE proposals for private-or-clear#192.1.2.0/24 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_GCM_C_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 2:IKE:ENCR=AES_GCM_C_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=NONE;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 3:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519 4:IKE:ENCR=AES_CBC_128;PRF=HMAC_SHA2_512,HMAC_SHA2_256;INTEG=HMAC_SHA2_512_256,HMAC_SHA2_256_128;DH=MODP2048,MODP3072,MODP4096,MODP8192,ECP_256,ECP_384,ECP_521,CURVE25519
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: IMPAIR: suppressing retransmits; scheduling timeout in 10 seconds
[root@west certoe-02-whack-badca]# echo done
done
[root@west certoe-02-whack-badca]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.1.2.45/32 dst 192.1.2.0/24 \	dir out priority 1564647 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
src 127.0.0.1/32 dst 192.1.2.45/32 \	dir fwd priority 1564639 ptype main \
src 127.0.0.1/32 dst 192.1.2.45/32 \	dir in priority 1564639 ptype main \
src 192.1.2.45/32 dst 127.0.0.1/32 \	dir out priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.2.45/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.253/32 dst 192.1.2.45/32 \	dir in priority 1564639 ptype main \
src 192.1.2.45/32 dst 192.1.2.253/32 \	dir out priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.2.45/32 \	dir fwd priority 1564639 ptype main \
src 192.1.3.253/32 dst 192.1.2.45/32 \	dir in priority 1564639 ptype main \
src 192.1.2.45/32 dst 192.1.3.253/32 \	dir out priority 1564639 ptype main \
src 192.1.2.254/32 dst 192.1.2.45/32 \	dir fwd priority 1564639 ptype main \
src 192.1.2.254/32 dst 192.1.2.45/32 \	dir in priority 1564639 ptype main \
src 192.1.2.45/32 dst 192.1.2.254/32 \	dir out priority 1564639 ptype main \
end raw xfrm state:
==== tuc ====
west Sat Sep 21 07:31:38 UTC 2019
XFRM state:
XFRM policy:
src 127.0.0.1/32 dst 192.1.2.45/32
	dir fwd priority 1564639 ptype main
src 127.0.0.1/32 dst 192.1.2.45/32
	dir in priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.2.45/32
	dir fwd priority 1564639 ptype main
src 192.1.2.253/32 dst 192.1.2.45/32
	dir in priority 1564639 ptype main
src 192.1.2.254/32 dst 192.1.2.45/32
	dir fwd priority 1564639 ptype main
src 192.1.2.254/32 dst 192.1.2.45/32
	dir in priority 1564639 ptype main
src 192.1.2.45/32 dst 127.0.0.1/32
	dir out priority 1564639 ptype main
src 192.1.2.45/32 dst 192.1.2.253/32
	dir out priority 1564639 ptype main
src 192.1.2.45/32 dst 192.1.2.254/32
	dir out priority 1564639 ptype main
src 192.1.2.45/32 dst 192.1.3.253/32
	dir out priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.2.45/32
	dir fwd priority 1564639 ptype main
src 192.1.3.253/32 dst 192.1.2.45/32
	dir in priority 1564639 ptype main
src 192.1.2.45/32 dst 192.1.2.0/24
	dir out priority 1564647 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Libreswan test CA for mainca - Libreswan                     CT,,
Libreswan test CA for otherca - Libreswan                    ,,
east-ec                                                      P,,
hashsha1                                                     P,,
nic                                                          P,,
north                                                        P,,
road                                                         P,,
signedbyother                                                u,u,u
west                                                         u,u,u
[root@west certoe-02-whack-badca]# : ==== cut ====
[root@west certoe-02-whack-badca]# ipsec auto --status
whack: is Pluto running? connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused)
[root@west certoe-02-whack-badca 33]#
>>>>>>>>>>cutnonzeroexit>>>>>>>>>>
exit status 33
final.sh 'ipsec auto --status'
<<<<<<<<<
>>>>>>>>>cutnonzeroexit>>>>>>>>>>
exit status 1
final.sh 'if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi'
<<<<<<<<<