/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
 certutil -D -n east -d sql:/etc/ipsec.d
west #
 for cert in /testing/x509/pkcs12/mainca/west-*.p12; do pk12util -i $cert -w /testing/x509/nss-pw -d sql:/etc/ipsec.d; done
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 # down'ed conn must remain down
west #
 ipsec whack --impair revival
west #
 echo "initdone"
initdone
west #
 # fail quick for -bad certs that are supposed to fail
west #
 ipsec whack --impair suppress-retransmits
west #
 # stock certificate test
west #
 ipsec auto --up west
1v2 "west" #1: initiating IKEv2 connection
1v2 "west" #1: sent IKE_SA_INIT request
1v2 "west" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west" #1: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west" #1: authenticated using RSA with SHA2_512
002 "west" #2: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west
002 "west": terminating SAs using this connection
002 "west" #2: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west" #2: ESP traffic information: in=0B out=0B
002 "west" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 # following tests should work
west #
 ipsec auto --up west-bcCritical
1v2 "west-bcCritical" #3: initiating IKEv2 connection
1v2 "west-bcCritical" #3: sent IKE_SA_INIT request
1v2 "west-bcCritical" #3: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcCritical" #3: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-bcCritical" #4: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-bcCritical" #3: authenticated using RSA with SHA2_512
002 "west-bcCritical" #4: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-bcCritical" #4: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-bcCritical
002 "west-bcCritical": terminating SAs using this connection
002 "west-bcCritical" #4: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-bcCritical" #4: ESP traffic information: in=0B out=0B
002 "west-bcCritical" #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuOmit
1v2 "west-ekuOmit" #5: initiating IKEv2 connection
1v2 "west-ekuOmit" #5: sent IKE_SA_INIT request
1v2 "west-ekuOmit" #5: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuOmit" #5: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuOmit" #6: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuOmit" #5: authenticated using RSA with SHA2_512
002 "west-ekuOmit" #6: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuOmit" #6: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuOmit
002 "west-ekuOmit": terminating SAs using this connection
002 "west-ekuOmit" #6: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ekuOmit" #6: ESP traffic information: in=0B out=0B
002 "west-ekuOmit" #5: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-bcOmit
1v2 "west-bcOmit" #7: initiating IKEv2 connection
1v2 "west-bcOmit" #7: sent IKE_SA_INIT request
1v2 "west-bcOmit" #7: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-bcOmit" #7: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-bcOmit" #8: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-bcOmit" #7: authenticated using RSA with SHA2_512
002 "west-bcOmit" #8: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-bcOmit" #8: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-bcOmit
002 "west-bcOmit": terminating SAs using this connection
002 "west-bcOmit" #8: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-bcOmit" #8: ESP traffic information: in=0B out=0B
002 "west-bcOmit" #7: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ekuCritical-eku-ipsecIKE
1v2 "west-ekuCritical-eku-ipsecIKE" #9: initiating IKEv2 connection
1v2 "west-ekuCritical-eku-ipsecIKE" #9: sent IKE_SA_INIT request
1v2 "west-ekuCritical-eku-ipsecIKE" #9: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-ipsecIKE" #9: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical-eku-ipsecIKE" #10: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical-eku-ipsecIKE" #9: authenticated using RSA with SHA2_512
002 "west-ekuCritical-eku-ipsecIKE" #10: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical-eku-ipsecIKE" #10: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical-eku-ipsecIKE
002 "west-ekuCritical-eku-ipsecIKE": terminating SAs using this connection
002 "west-ekuCritical-eku-ipsecIKE" #10: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ekuCritical-eku-ipsecIKE" #10: ESP traffic information: in=0B out=0B
002 "west-ekuCritical-eku-ipsecIKE" #9: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-serverAuth
1v2 "west-eku-serverAuth" #11: initiating IKEv2 connection
1v2 "west-eku-serverAuth" #11: sent IKE_SA_INIT request
1v2 "west-eku-serverAuth" #11: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-serverAuth" #11: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-serverAuth" #12: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-serverAuth" #11: authenticated using RSA with SHA2_512
002 "west-eku-serverAuth" #12: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-serverAuth" #12: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-serverAuth
002 "west-eku-serverAuth": terminating SAs using this connection
002 "west-eku-serverAuth" #12: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-eku-serverAuth" #12: ESP traffic information: in=0B out=0B
002 "west-eku-serverAuth" #11: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-nonRepudiation
1v2 "west-ku-nonRepudiation" #13: initiating IKEv2 connection
1v2 "west-ku-nonRepudiation" #13: sent IKE_SA_INIT request
1v2 "west-ku-nonRepudiation" #13: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-nonRepudiation" #13: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ku-nonRepudiation" #14: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ku-nonRepudiation" #13: authenticated using RSA with SHA2_512
002 "west-ku-nonRepudiation" #14: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ku-nonRepudiation" #14: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ku-nonRepudiation
002 "west-ku-nonRepudiation": terminating SAs using this connection
002 "west-ku-nonRepudiation" #14: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ku-nonRepudiation" #14: ESP traffic information: in=0B out=0B
002 "west-ku-nonRepudiation" #13: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-sanCritical
1v2 "west-sanCritical" #15: initiating IKEv2 connection
1v2 "west-sanCritical" #15: sent IKE_SA_INIT request
1v2 "west-sanCritical" #15: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-sanCritical" #15: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-sanCritical" #16: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-sanCritical" #15: authenticated using RSA with SHA2_512
002 "west-sanCritical" #16: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-sanCritical" #16: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-sanCritical
002 "west-sanCritical": terminating SAs using this connection
002 "west-sanCritical" #16: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-sanCritical" #16: ESP traffic information: in=0B out=0B
002 "west-sanCritical" #15: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 # This one works now - older NSS versions relied on NSS TLS fallback
west #
 ipsec auto --up west-ekuCritical
1v2 "west-ekuCritical" #17: initiating IKEv2 connection
1v2 "west-ekuCritical" #17: sent IKE_SA_INIT request
1v2 "west-ekuCritical" #17: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical" #17: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical" #18: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical" #17: authenticated using RSA with SHA2_512
002 "west-ekuCritical" #18: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical" #18: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical
002 "west-ekuCritical": terminating SAs using this connection
002 "west-ekuCritical" #18: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ekuCritical" #18: ESP traffic information: in=0B out=0B
002 "west-ekuCritical" #17: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuCritical
1v2 "west-kuCritical" #19: initiating IKEv2 connection
1v2 "west-kuCritical" #19: sent IKE_SA_INIT request
1v2 "west-kuCritical" #19: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuCritical" #19: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-kuCritical" #20: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-kuCritical" #19: authenticated using RSA with SHA2_512
002 "west-kuCritical" #20: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-kuCritical" #20: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-kuCritical
002 "west-kuCritical": terminating SAs using this connection
002 "west-kuCritical" #20: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-kuCritical" #20: ESP traffic information: in=0B out=0B
002 "west-kuCritical" #19: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-kuOmit
1v2 "west-kuOmit" #21: initiating IKEv2 connection
1v2 "west-kuOmit" #21: sent IKE_SA_INIT request
1v2 "west-kuOmit" #21: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-kuOmit" #21: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-kuOmit" #22: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-kuOmit" #21: authenticated using RSA with SHA2_512
002 "west-kuOmit" #22: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-kuOmit" #22: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-kuOmit
002 "west-kuOmit": terminating SAs using this connection
002 "west-kuOmit" #22: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-kuOmit" #22: ESP traffic information: in=0B out=0B
002 "west-kuOmit" #21: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-clientAuth
1v2 "west-eku-clientAuth" #23: initiating IKEv2 connection
1v2 "west-eku-clientAuth" #23: sent IKE_SA_INIT request
1v2 "west-eku-clientAuth" #23: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-clientAuth" #23: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-clientAuth" #24: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-clientAuth" #23: authenticated using RSA with SHA2_512
002 "west-eku-clientAuth" #24: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-clientAuth" #24: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-clientAuth
002 "west-eku-clientAuth": terminating SAs using this connection
002 "west-eku-clientAuth" #24: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-eku-clientAuth" #24: ESP traffic information: in=0B out=0B
002 "west-eku-clientAuth" #23: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-eku-ipsecIKE
1v2 "west-eku-ipsecIKE" #25: initiating IKEv2 connection
1v2 "west-eku-ipsecIKE" #25: sent IKE_SA_INIT request
1v2 "west-eku-ipsecIKE" #25: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-eku-ipsecIKE" #25: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-eku-ipsecIKE" #26: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-eku-ipsecIKE" #25: authenticated using RSA with SHA2_512
002 "west-eku-ipsecIKE" #26: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-eku-ipsecIKE" #26: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-eku-ipsecIKE
002 "west-eku-ipsecIKE": terminating SAs using this connection
002 "west-eku-ipsecIKE" #26: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-eku-ipsecIKE" #26: ESP traffic information: in=0B out=0B
002 "west-eku-ipsecIKE" #25: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 ipsec auto --up west-ku-keyAgreement-digitalSignature
1v2 "west-ku-keyAgreement-digitalSignature" #27: initiating IKEv2 connection
1v2 "west-ku-keyAgreement-digitalSignature" #27: sent IKE_SA_INIT request
1v2 "west-ku-keyAgreement-digitalSignature" #27: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ku-keyAgreement-digitalSignature" #27: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ku-keyAgreement-digitalSignature" #28: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ku-keyAgreement-digitalSignature" #27: authenticated using RSA with SHA2_512
002 "west-ku-keyAgreement-digitalSignature" #28: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ku-keyAgreement-digitalSignature" #28: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ku-keyAgreement-digitalSignature
002 "west-ku-keyAgreement-digitalSignature": terminating SAs using this connection
002 "west-ku-keyAgreement-digitalSignature" #28: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ku-keyAgreement-digitalSignature" #28: ESP traffic information: in=0B out=0B
002 "west-ku-keyAgreement-digitalSignature" #27: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 # fails on older versions of NSS only
west #
 ipsec auto --up west-ekuCritical-eku-emailProtection
1v2 "west-ekuCritical-eku-emailProtection" #29: initiating IKEv2 connection
1v2 "west-ekuCritical-eku-emailProtection" #29: sent IKE_SA_INIT request
1v2 "west-ekuCritical-eku-emailProtection" #29: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuCritical-eku-emailProtection" #29: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuCritical-eku-emailProtection" #30: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuCritical-eku-emailProtection" #29: authenticated using RSA with SHA2_512
002 "west-ekuCritical-eku-emailProtection" #30: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuCritical-eku-emailProtection" #30: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuCritical-eku-emailProtection
002 "west-ekuCritical-eku-emailProtection": terminating SAs using this connection
002 "west-ekuCritical-eku-emailProtection" #30: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ekuCritical-eku-emailProtection" #30: ESP traffic information: in=0B out=0B
002 "west-ekuCritical-eku-emailProtection" #29: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 sleep 2
west #
 # following test should fail (but it does not - It is an nss-ism - we will ignore it for now)
west #
 ipsec auto --up west-ekuBOGUS-bad
1v2 "west-ekuBOGUS-bad" #31: initiating IKEv2 connection
1v2 "west-ekuBOGUS-bad" #31: sent IKE_SA_INIT request
1v2 "west-ekuBOGUS-bad" #31: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "west-ekuBOGUS-bad" #31: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "west-ekuBOGUS-bad" #32: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
003 "west-ekuBOGUS-bad" #31: authenticated using RSA with SHA2_512
002 "west-ekuBOGUS-bad" #32: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-ekuBOGUS-bad" #32: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --delete west-ekuBOGUS-bad
002 "west-ekuBOGUS-bad": terminating SAs using this connection
002 "west-ekuBOGUS-bad" #32: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "west-ekuBOGUS-bad" #32: ESP traffic information: in=0B out=0B
002 "west-ekuBOGUS-bad" #31: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
west #
 echo "done"
done
west #
 # confirm all verifications used the NSS IPsec profile and not TLS client/server profile
west #
 grep profile /tmp/pluto.log  | grep -v Starting
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
| verify_end_cert trying profile IPsec
| certificate is valid (profile IPsec)
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
west #
 
