/testing/guestbin/swan-prep --x509 --revoked
Preparing X.509 files
west #
 certutil -d sql:/etc/ipsec.d -D -n east
west #
 # confirm that the network is alive
west #
 ping -n -c2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # make sure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
west #
 # confirm with a ping
west #
 ping -n -c2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time XXXX
west #
 ipsec setup start
[ 00.00] registered KLIPS /proc/sys/net
[ 00.00] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=253 name=cbc(twofish) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=252 name=cbc(serpent) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=6 name=cbc(cast5) keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=192 keymaxbits=192, found(0)
[ 00.00] KLIPS: lookup for ciphername=cipher_null: not found
[ 00.00] 
Redirecting to: systemctl start ipsec.service
[ 00.00] 
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add nss-cert-ocsp
002 added connection description "nss-cert-ocsp"
west #
 ipsec auto --status |grep nss-cert-ocsp
000 "nss-cert-ocsp": 192.0.1.254/32===192.1.2.45<192.1.2.45>[C=ca, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=revoked.testing.libreswan.org, E=testing@libreswan.org]...192.1.2.23<192.1.2.23>[%fromcert]===192.0.2.254/32; unrouted; eroute owner: #0
000 "nss-cert-ocsp":     oriented; my_ip=192.0.1.254; their_ip=192.0.2.254; mycert=revoked
000 "nss-cert-ocsp":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "nss-cert-ocsp":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "nss-cert-ocsp":   labeled_ipsec:no;
000 "nss-cert-ocsp":   policy_label:unset;
000 "nss-cert-ocsp":   CAs: 'C=ca, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any'
000 "nss-cert-ocsp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "nss-cert-ocsp":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "nss-cert-ocsp":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "nss-cert-ocsp":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "nss-cert-ocsp":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "nss-cert-ocsp":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "nss-cert-ocsp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
west #
 echo "initdone"
initdone
west #
 ipsec auto --up nss-cert-ocsp
002 "nss-cert-ocsp" #1: initiating Main Mode
104 "nss-cert-ocsp" #1: STATE_MAIN_I1: initiate
003 "nss-cert-ocsp" #1: received Vendor ID payload [Dead Peer Detection]
003 "nss-cert-ocsp" #1: received Vendor ID payload [FRAGMENTATION]
003 "nss-cert-ocsp" #1: received Vendor ID payload [RFC 3947]
002 "nss-cert-ocsp" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
106 "nss-cert-ocsp" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "nss-cert-ocsp" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "nss-cert-ocsp" #1: I am sending my cert
002 "nss-cert-ocsp" #1: I am sending a certificate request
108 "nss-cert-ocsp" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 500ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 1000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 2000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 4000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 8000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 16000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 32000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
010 "nss-cert-ocsp" #1: STATE_MAIN_I3: retransmission; will wait 60000ms for response
003 "nss-cert-ocsp" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "nss-cert-ocsp" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
003 "nss-cert-ocsp" #1: received and ignored informational message
#\[root@west ]#  timedout send line: ipsec auto --up nss-cert-ocsp
 ping -n -c2 -I 192.0.1.254 192.0.2.254
west #
 echo done
ipsec look
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time XXXX
west #
done
west #
Couldn't stat file: No such file or directory
west #
 000 using kernel interface: klips
000 interface ipsec0/eth1 192.1.2.45@4500
000 interface ipsec0/eth1 192.1.2.45@500
000  
000  
000 fips mode=disabled;
000 SElinux=XXXXX
000  
000 config setup options:
000  
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto, statsbin=unset
000 sbindir=PATH/sbin, libexecdir=PATH/libexec/ipsec
000 nhelpers=-1, uniqueids=yes, perpeerlog=no
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=XXXX
000 myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000  
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000  
000 ESP algorithms supported:
000  
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=64, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=64, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=128, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000  
000 IKE algorithms supported:
000  
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 Connection list:
000  
000 "nss-cert-ocsp": 192.0.1.254/32===192.1.2.45<192.1.2.45>[C=ca, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=revoked.testing.libreswan.org, E=testing@libreswan.org]...192.1.2.23<192.1.2.23>[%fromcert]===192.0.2.254/32; unrouted; eroute owner: #0
000 "nss-cert-ocsp":     oriented; my_ip=192.0.1.254; their_ip=192.0.2.254; mycert=revoked
000 "nss-cert-ocsp":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "nss-cert-ocsp":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "nss-cert-ocsp":   labeled_ipsec:no;
000 "nss-cert-ocsp":   policy_label:unset;
000 "nss-cert-ocsp":   CAs: 'C=ca, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any'
000 "nss-cert-ocsp":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "nss-cert-ocsp":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "nss-cert-ocsp":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "nss-cert-ocsp":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "nss-cert-ocsp":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "nss-cert-ocsp":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "nss-cert-ocsp":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000  
000 Total IPsec connections: loaded 1, active 0
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), authenticated(0), anonymous(1)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000  
000 #1: "nss-cert-ocsp":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 52s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "nss-cert-ocsp" replacing #0
000  
000 Bare Shunt list:
000  
west #
 if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

