/testing/guestbin/swan-prep --x509 --x509name north
Preparing X.509 files
west #
 # delete the CA, both ends hardcode both certificates
west #
 certutil -D -n "Libreswan test CA for mainca - Libreswan" -d sql:/etc/ipsec.d
west #
 certutil -D -n "east-ec" -d sql:/etc/ipsec.d
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-ikev2
002 "westnet-eastnet-ikev2": added IKEv2 connection
west #
 ipsec auto --status | grep westnet-eastnet-ikev2
000 "westnet-eastnet-ikev2": 192.0.1.0/24===192.1.2.45...192.1.2.23===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-ikev2":     oriented; my_ip=unset; their_ip=unset; mycert=north; peercert=east; my_updown=ipsec _updown;
000 "westnet-eastnet-ikev2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "westnet-eastnet-ikev2":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
000 "westnet-eastnet-ikev2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "westnet-eastnet-ikev2":   sec_label:unset;
000 "westnet-eastnet-ikev2":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
000 "westnet-eastnet-ikev2":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-ikev2":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "westnet-eastnet-ikev2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-ikev2":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "westnet-eastnet-ikev2":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "westnet-eastnet-ikev2":   conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-ikev2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-ikev2":   our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=192.1.2.23
000 "westnet-eastnet-ikev2":   liveness: passive; dpdaction:hold; dpddelay:0s; retransmit-timeout:60s
000 "westnet-eastnet-ikev2":   nat-traversal: encaps:auto; keepalive:20s
000 "westnet-eastnet-ikev2":   newest IKE SA: #0; newest IPsec SA: #0; conn serial: $1;
west #
 echo "initdone"
initdone
west #
 # we are expecting to fail
west #
 ipsec whack --impair suppress-retransmits
west #
 ipsec whack --impair revival
west #
 ipsec auto --up westnet-eastnet-ikev2
1v2 "westnet-eastnet-ikev2" #1: initiating IKEv2 connection
1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "westnet-eastnet-ikev2" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "westnet-eastnet-ikev2" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED
036 "westnet-eastnet-ikev2" #1: encountered fatal error in state STATE_V2_PARENT_I2
002 "westnet-eastnet-ikev2" #1: deleting state (STATE_V2_PARENT_I2) and NOT sending notification
002 "westnet-eastnet-ikev2" #1: IMPAIR: skipping revival of connection that is supposed to remain up
west #
 echo done
done
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east                                                         P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
north                                                        Pu,u,u
road                                                         P,,  
west #
 
