/testing/guestbin/swan-prep
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 echo "initdone"
initdone
west #
 # these should load properly
west #
 ipsec auto --add default-implicit-authby
002 added IKEv2 connection "default-implicit-authby"
west #
 ipsec auto --add default-specified-authby
002 added IKEv2 connection "default-specified-authby"
west #
 ipsec auto --add ecdsa-rsa
002 added IKEv2 connection "ecdsa-rsa"
west #
 ipsec auto --add ecdsa
002 added IKEv2 connection "ecdsa"
west #
 ipsec auto --add ecdsa-sha2
002 added IKEv2 connection "ecdsa-sha2"
west #
 ipsec auto --add ecdsa-sha2_256
002 added IKEv2 connection "ecdsa-sha2_256"
west #
 ipsec auto --add ecdsa-sha2_384
002 added IKEv2 connection "ecdsa-sha2_384"
west #
 ipsec auto --add ecdsa-sha2_512
002 added IKEv2 connection "ecdsa-sha2_512"
west #
 ipsec auto --add rsa-sha1
002 added IKEv2 connection "rsa-sha1"
west #
 ipsec auto --add rsa-sha2
002 added IKEv2 connection "rsa-sha2"
west #
 ipsec auto --add rsa-sha2_256
002 added IKEv2 connection "rsa-sha2_256"
west #
 ipsec auto --add rsa-sha2_384
002 added IKEv2 connection "rsa-sha2_384"
west #
 ipsec auto --add rsa-sha2_512
002 added IKEv2 connection "rsa-sha2_512"
west #
 ipsec status |grep policy: | grep -v modecfg
000 "default-implicit-authby":   policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "default-implicit-authby":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "default-specified-authby":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "default-specified-authby":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ecdsa":   policy: ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "ecdsa":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ecdsa-rsa":   policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "ecdsa-rsa":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ecdsa-sha2":   policy: ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "ecdsa-sha2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "ecdsa-sha2_256":   policy: ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "ecdsa-sha2_256":   v2-auth-hash-policy: SHA2_256;
000 "ecdsa-sha2_384":   policy: ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "ecdsa-sha2_384":   v2-auth-hash-policy: SHA2_384;
000 "ecdsa-sha2_512":   policy: ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "ecdsa-sha2_512":   v2-auth-hash-policy: SHA2_512;
000 "rsa-sha1":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5;
000 "rsa-sha1":   v2-auth-hash-policy: none;
000 "rsa-sha2":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "rsa-sha2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "rsa-sha2_256":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "rsa-sha2_256":   v2-auth-hash-policy: SHA2_256;
000 "rsa-sha2_384":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "rsa-sha2_384":   v2-auth-hash-policy: SHA2_384;
000 "rsa-sha2_512":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO;
000 "rsa-sha2_512":   v2-auth-hash-policy: SHA2_512;
west #
 # these should fail to load
west #
 cp west-errors.conf /etc/ipsec.d/
west #
 echo "include /etc/ipsec.d/west-errors.conf" >> /etc/ipsec.conf
west #
 ipsec auto --add ecdsa-sha1-should-fail
while loading 'ecdsa-sha1-should-fail': authby=ecdsa cannot use sha1, only sha2
while loading 'ikev1-rsa2-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
while loading 'ikev1-ecdsa-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
addconn, in config '/etc/ipsec.conf', ignoring: authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
conn ecdsa-sha1-should-fail did not load properly
west #
 ipsec auto --add ikev1-rsa2-should-fail
while loading 'ecdsa-sha1-should-fail': authby=ecdsa cannot use sha1, only sha2
while loading 'ikev1-rsa2-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
while loading 'ikev1-ecdsa-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
addconn, in config '/etc/ipsec.conf', ignoring: authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
conn ikev1-rsa2-should-fail did not load properly
west #
 ipsec auto --add ikev1-ecdsa-should-fail
while loading 'ecdsa-sha1-should-fail': authby=ecdsa cannot use sha1, only sha2
while loading 'ikev1-rsa2-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
while loading 'ikev1-ecdsa-should-fail': authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
addconn, in config '/etc/ipsec.conf', ignoring: authby=ecdsa cannot use sha1, only sha2
ikev1 connection must use authby= of rsasig, secret or never
ikev1 connection must use authby= of rsasig, secret or never
conn ikev1-ecdsa-should-fail did not load properly
west #
 rm /etc/ipsec.d/west-errors.conf
west #
 echo done
done
west #
 
