/testing/guestbin/swan-prep
east #
 # System Role deployment on nic will push configurations to our machine
east #
 # into /etc/ipsec.d/
east #
 # because it will change files, we can't mount bind them. So use a fressh empty dir
east #
 rm -rf OUTPUT/east/ipsec.d
east #
 mkdir -p OUTPUT/east/ipsec.d/policies
east #
 chmod 777 OUTPUT/east
east #
 mount -o bind,rw OUTPUT/east/ipsec.d /etc/ipsec.d
east #
 ( cd /etc/ipsec.d/policies; touch private private-or-clear clear block )
east #
 # initnss normally happens in the initsystem - but not for namespace testing
east #
 # ../../guestbin/if-namespace.sh ipsec initnss
east #
 ipsec initnss
Initializing NSS database
east #
 PATH/bin/pk12util -i /testing/x509/pkcs12/mainca/east.p12 -d sql:/etc/ipsec.d -w /testing/x509/nss-pw
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 # test config for syntax errors
east #
 ipsec addconn --checkconfig --config /etc/ipsec.conf
east #
 # start for test
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 # test secrets reading for early warning of syntax errors
east #
 ipsec secrets
002 loading secrets from "/etc/ipsec.secrets"
002 no secrets filename matched "/etc/ipsec.d/*.secrets"
east #
 ../../guestbin/if-namespace.sh PATH/sbin/sshd -o PidFile=/var/run/pluto/sshd.pid
east #
 # ready for System Role to drop file(s) into /etc/ipsec.d/
east #
 echo "initdone"
initdone
east #
 # New files should have dropped in, and we are ready to restart
east #
 ipsec restart
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 # give OE a chance to load
east #
 ../../guestbin/wait-for.sh --match 'loaded 6,' -- ipsec status
000 Total IPsec connections: loaded 6, active 0
east #
 ipsec status
000 using kernel interface: xfrm
000  
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 192.0.2.254:4500
000 interface eth0 UDP 192.0.2.254:500
000 interface eth1 UDP 192.1.2.23:4500
000 interface eth1 UDP 192.1.2.23:500
000  
000 fips mode=disabled;
000 SElinux=XXXXX
000 seccomp=OFF
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
000 sbindir=PATH/sbin, libexecdir=PATH/libexec/ipsec
000 nhelpers=-1, uniqueids=yes, dnssec-enable=yes, logappend=no, logip=yes, shuntlifetime=900s, xfrmlifetime=30s
000 ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
000 ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
000 ocsp-trust-name=<unset>
000 ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
000 global-redirect=no, global-redirect-to=<unset>
000 secctx-attr-type=XXXX
000 debug ...
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000  
000 Kernel algorithms supported:
000  
000 algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
000 algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
000 algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
000 algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
000 algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
000 algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
000 algorithm AH/ESP auth: name=NONE, key-length=0
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
000 algorithm IKE PRF: name=HMAC_MD5, hashlen=16
000 algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
000 algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
000 algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
000 algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
000 algorithm IKE PRF: name=AES_XCBC, hashlen=16
000 algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
000 algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
000 algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
000 algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
000 algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
000 algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
000 algorithm IKE DH Key Exchange: name=DH19, bits=512
000 algorithm IKE DH Key Exchange: name=DH20, bits=768
000 algorithm IKE DH Key Exchange: name=DH21, bits=1056
000 algorithm IKE DH Key Exchange: name=DH31, bits=256
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "clear": 192.1.2.23---192.1.2.254...%group; unrouted; eroute owner: #0
000 "clear":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear":   our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "clear":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "clear":   sec_label:unset;
000 "clear":   ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:0;
000 "clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear":   policy: IKEv2+AUTH_NEVER+GROUP+GROUTED+PASS+NEVER_NEGOTIATE;
000 "clear":   v2-auth-hash-policy: none;
000 "clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear":   our idtype: ID_IPV4_ADDR; our id=192.1.2.23; their idtype: %none; their id=(none)
000 "clear":   liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "clear":   nat-traversal: encaps:no; keepalive:no
000 "clear":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $3;
000 "clear#192.1.2.254/32": 192.1.2.23---192.1.2.254...%any===192.1.2.254/32; prospective erouted; eroute owner: #0
000 "clear#192.1.2.254/32":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "clear#192.1.2.254/32":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "clear#192.1.2.254/32":   our auth:never, their auth:never, our autheap:none, their autheap:none;
000 "clear#192.1.2.254/32":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "clear#192.1.2.254/32":   sec_label:unset;
000 "clear#192.1.2.254/32":   ike_life: 0s; ipsec_life: 0s; ipsec_max_bytes: 0B; ipsec_max_packets: 0; replay_window: 0; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "clear#192.1.2.254/32":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:0;
000 "clear#192.1.2.254/32":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "clear#192.1.2.254/32":   policy: IKEv2+AUTH_NEVER+GROUPINSTANCE+PASS+NEVER_NEGOTIATE;
000 "clear#192.1.2.254/32":   v2-auth-hash-policy: none;
000 "clear#192.1.2.254/32":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "clear#192.1.2.254/32":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
000 "clear#192.1.2.254/32":   our idtype: ID_IPV4_ADDR; our id=192.1.2.23; their idtype: %none; their id=(none)
000 "clear#192.1.2.254/32":   liveness: passive; dpdaction:disabled; dpddelay:0s; retransmit-timeout:0s
000 "clear#192.1.2.254/32":   nat-traversal: encaps:no; keepalive:no
000 "clear#192.1.2.254/32":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $6, instantiated from: $3;
000 "private": 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private":     oriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
000 "private":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "private":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private":   sec_label:unset;
000 "private":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
000 "private":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "private":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "private":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "private":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private":   our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert
000 "private":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:2s
000 "private":   nat-traversal: encaps:auto; keepalive:20s
000 "private":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
000 "private#10.1.0.0/24": 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...%opportunistic[%fromcert]===10.1.0.0/24; prospective erouted; eroute owner: #0
000 "private#10.1.0.0/24":     oriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
000 "private#10.1.0.0/24":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private#10.1.0.0/24":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "private#10.1.0.0/24":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private#10.1.0.0/24":   sec_label:unset;
000 "private#10.1.0.0/24":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
000 "private#10.1.0.0/24":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private#10.1.0.0/24":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "private#10.1.0.0/24":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private#10.1.0.0/24":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failureDROP;
000 "private#10.1.0.0/24":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "private#10.1.0.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private#10.1.0.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private#10.1.0.0/24":   our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert
000 "private#10.1.0.0/24":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:2s
000 "private#10.1.0.0/24":   nat-traversal: encaps:auto; keepalive:20s
000 "private#10.1.0.0/24":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $4, instantiated from: $1;
000 "private-or-clear": 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...%opportunisticgroup[%fromcert]; unrouted; eroute owner: #0
000 "private-or-clear":     oriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
000 "private-or-clear":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "private-or-clear":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private-or-clear":   sec_label:unset;
000 "private-or-clear":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
000 "private-or-clear":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "private-or-clear":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUP+GROUTED+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failurePASS;
000 "private-or-clear":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "private-or-clear":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear":   our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:2s
000 "private-or-clear":   nat-traversal: encaps:auto; keepalive:20s
000 "private-or-clear":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $2;
000 "private-or-clear#192.1.2.0/24": 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]---192.1.2.254...%opportunistic[%fromcert]===192.1.2.0/24; prospective erouted; eroute owner: #0
000 "private-or-clear#192.1.2.0/24":     oriented; my_ip=unset; their_ip=unset; mycert=east; my_updown=ipsec _updown;
000 "private-or-clear#192.1.2.0/24":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "private-or-clear#192.1.2.0/24":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "private-or-clear#192.1.2.0/24":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "private-or-clear#192.1.2.0/24":   sec_label:unset;
000 "private-or-clear#192.1.2.0/24":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
000 "private-or-clear#192.1.2.0/24":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 1;
000 "private-or-clear#192.1.2.0/24":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "private-or-clear#192.1.2.0/24":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "private-or-clear#192.1.2.0/24":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+OPPORTUNISTIC+GROUPINSTANCE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+failurePASS;
000 "private-or-clear#192.1.2.0/24":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "private-or-clear#192.1.2.0/24":   conn_prio: 32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "private-or-clear#192.1.2.0/24":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "private-or-clear#192.1.2.0/24":   our idtype: ID_DER_ASN1_DN; our id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org; their idtype: %fromcert; their id=%fromcert
000 "private-or-clear#192.1.2.0/24":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:2s
000 "private-or-clear#192.1.2.0/24":   nat-traversal: encaps:auto; keepalive:20s
000 "private-or-clear#192.1.2.0/24":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $5, instantiated from: $2;
000  
000 Total IPsec connections: loaded 6, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 Bare Shunt list:
000  
east #
 echo done
done
east #
 #ipsec stop
east #
 test -f /var/run/pluto/sshd.pid && kill -9 `cat /var/run/pluto/sshd.pid` >/dev/null
east #
 
