The tests were run on my machine. It gets a lot of retransmissions etc.
that count as errors, but I've ignored them.
PLEASE: everyone look at each of these to see if you are responsible
and can fix them. Most look easy.
(I hope your MUA does not make these harder to read by damaging the
formatting.)
testing/pluto/ikev2-ddns-02 failed west:output-different
script changed, reference output did not.
testing/pluto/newoe-15-portpass failed road:output-different
extra src policy
testing/pluto/newoe-18-private-clear failed road:output-different
extra src policy
testing/pluto/newoe-18-poc-blockall failed road:output-different
extra src policy
testing/pluto/newoe-18-private-clearall failed road:output-different
extra src policy
testing/pluto/newoe-19-poc-poc-clear failed road:output-different
extra src policy
testing/pluto/newoe-20-ipv6 failed east:output-different road:output-different
--- MASTER/testing/pluto/newoe-20-ipv6/road.console.txt
+++ OUTPUT/testing/pluto/newoe-20-ipv6/road.console.txt
@@ -11,8 +11,11 @@
echo "fe80::/10" >> /etc/ipsec.d/policies/clear
road #
cp /source/programs/configs/v6neighbor-hole.conf /etc/ipsec.d/
+cp: cannot stat ‘/source/programs/configs/v6neighbor-hole.conf’: No
such file or directory
road #
ipsec start
+warning: could not open include filename:
'/etc/ipsec.d/v6neighbor-hole.conf'
+warning: could not open include filename:
'/etc/ipsec.d/v6neighbor-hole.conf'
Redirecting to: systemctl start ipsec.service
road #
# ensure for tests acquires expire before our failureshunt=2m
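Review bot: the added "cp: cannot stat" line directly after the cp of /source/programs/configs/v6neighbor-hole.conf is the root cause in this hunk, and the two "could not open include filename" warnings after "ipsec start" follow from it. The file does not exist at that path in the tree under test, so either point the cp at wherever v6neighbor-hole.conf now lives or drop the copy and the include; until then pluto starts without the include this test was written around, and the rest of the output is not worth comparing.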
testing/pluto/newoe-21-liveness-clear failed east:output-different road:output-different
road's script changed but reference log did not
testing/pluto/certoe-07-nat-2-clients failed road:output-different
extra src policy
testing/pluto/rawrsaoe-asymetric-nat failed east:output-different road:output-different
some kind of real failure
testing/pluto/dnsoe-01 failed east:output-different road:output-different
some kind of real failure
testing/pluto/dnsoe-02 failed east:output-different road:output-different
some kind of real failure
testing/pluto/dpd-01 failed west:output-different
not sure.
testing/pluto/ikev2-liveness-05 failed west:output-different
script changed but not reference output
testing/pluto/delete-sa-01 failed east:output-different west:output-different
+whack error: SAwest-east unexpected argument "leftrsasigkey"
etc.
testing/pluto/nat-pluto-02-klips-klips failed road:output-different
-006 #2: "road-eastnet-nat", type=ESP, add_time=1234567890, id='@east'
+006 #2: "road-eastnet-nat", type=ESP, add_time=1234567890,
inBytes=336, outBytes=336, id='@east'
testing/pluto/xauth-pluto-17 failed road:output-different
Worth examination, I think.
--- MASTER/testing/pluto/xauth-pluto-17/road.console.txt
+++ OUTPUT/testing/pluto/xauth-pluto-17/road.console.txt
@@ -31,7 +31,8 @@
002 "xauth-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with
user='use2'
004 "xauth-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client -
possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
002 "xauth-road-eastnet-psk" #1: XAUTH: Successfully Authenticated
-004 "xauth-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client -
possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha
group=MODP1536}
+002 "xauth-road-eastnet-psk" #1: XAUTH completed; ModeCFG skipped as
per configuration
+004 "xauth-road-eastnet-psk" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA
established {auth=PRESHARED_KEY cipher=3des_cbc_192 integ=sha group=MODP1536}
002 "xauth-road-eastnet-psk" #2: initiating Quick Mode
PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "xauth-road-eastnet-psk" #2: STATE_QUICK_I1: initiate
004 "xauth-road-eastnet-psk" #2: STATE_QUICK_I2: sent QI2, IPsec SA
established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96
NATOA=none NATD=none DPD=active username=use2}
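Review bot: the second STATE_XAUTH_I1 "possibly awaiting CFG_set" line after "XAUTH: Successfully Authenticated" is replaced by "XAUTH completed; ModeCFG skipped as per configuration" and "STATE_AGGR_I2: sent AI2, ISAKMP SA established", and Quick Mode then completes as before. That reads as a change in how the state is reported rather than a behavioural regression, so confirm that this connection really has ModeCFG disabled and, if so, refresh the reference output.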
@@ -86,6 +87,18 @@
dir out priority 2088 ptype main
tmpl src 192.1.3.209 dst 192.1.2.23
proto esp reqid REQID mode tunnel
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir fwd priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir in priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 135
+ dir out priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir fwd priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir in priority 1 ptype main
+src ::/0 dst ::/0 proto ipv6-icmp type 136
+ dir out priority 1 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
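Review bot: the six policies added before "XFRM done" are priority 1, src ::/0 dst ::/0, proto ipv6-icmp type 135 and 136 in the fwd, in and out directions, that is, a bypass for IPv6 neighbour solicitation and advertisement. They look like the same "extra src policy" reported for the newoe and certoe tests above, so one decision should cover all of them: if installing the neighbour-discovery hole unconditionally is intended, filter these entries in the console sanitizer or regenerate the references; if it is not intended for a connection whose tunnel endpoints are IPv4 only (tmpl src 192.1.3.209 dst 192.1.2.23), the policy install needs a condition.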
testing/pluto/xauth-pluto-25-mixed-addresspool failed north:output-different road:output-different
looks bad:
ipsec whack --trafficstatus
-006 #2: "north-east", username=xnorth, type=ESP, add_time=1234567890,
inBytes=0, outBytes=0
testing/pluto/xauth-pluto-25-lsw299 failed north:output-different road:output-different
looks bad:
ipsec whack --trafficstatus
-006 #2: "road-east", username=xroad, type=ESP, add_time=1234567890,
inBytes=336, outBytes=336
testing/pluto/netkey-klips-pluto-03 failed west:output-different
lots of differences in xfrm policy
testing/pluto/klips-netkey-pluto-06 failed west:output-different
lots of differences in xfrm policy
testing/pluto/interop-ikev2-strongswan-13-ah-initiator failed west:output-different
---
MASTER/testing/pluto/interop-ikev2-strongswan-13-ah-initiator/west.console.txt
+++
OUTPUT/testing/pluto/interop-ikev2-strongswan-13-ah-initiator/west.console.txt
@@ -39,10 +39,9 @@
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
N(NATD_D_IP) ]
-sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan,
OU=Test Department, CN=Libreswan test CA for mainca, [email protected]"
authentication of 'west' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH
SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder failed west:output-different
---
MASTER/testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder/west.console.txt
+++
OUTPUT/testing/pluto/interop-ikev2-strongswan-17-delete-sa-responder/west.console.txt
@@ -39,10 +39,9 @@
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP)
N(NATD_D_IP) ]
-sending cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan,
OU=Test Department, CN=Libreswan test CA for mainca, [email protected]"
authentication of 'west' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH
SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY)
N(MSG_ID_SYN_SUP) ]
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi
TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
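Review bot: the removed "sending cert request for ..." line and the CERTREQ payload missing from the "generating IKE_AUTH request 1" list are the only differences, and this hunk is identical to the one for interop-ikev2-strongswan-13-ah-initiator above. Authentication is by pre-shared key ("authentication of 'west' (myself) with pre-shared key") and the IKE_AUTH response still parses, so the exchange itself is unaffected; check whether the test CA is still being installed on the strongswan side of these tests, and if its absence is deliberate, update both references together.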
testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey failed west:output-different
---
MASTER/testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey/west.console.txt
+++
OUTPUT/testing/pluto/interop-ikev2-strongswan-35-ipsec-rekey/west.console.txt
@@ -87,8 +87,10 @@
strongswan status
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago,
192.1.2.45[west]...192.1.2.23[east]
-westnet-eastnet-ikev2{6}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{6}: DELETING, TUNNEL, reqid 1
westnet-eastnet-ikev2{6}: 192.0.1.0/24 === 192.0.2.0/24
+westnet-eastnet-ikev2{7}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{7}: 192.0.1.0/24 === 192.0.2.0/24
west #
echo done
done
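Review bot: the "strongswan status" output here is captured mid-rekey: child SA {6} shows DELETING while {7} is already INSTALLED with the same 192.0.1.0/24 === 192.0.2.0/24 selectors, where the reference had a single installed {6}. That is a timing dependency in the test rather than a tunnel failure; have the script wait until the old child SA is gone before running "strongswan status", or sanitize the child SA index and the transient DELETING entry.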
testing/pluto/interop-ikev2-strongswan-35-rekey-reauth failed east:output-different west:output-different
reqid changed
testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs failed west:output-different
---
MASTER/testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs/west.console.txt
+++
OUTPUT/testing/pluto/interop-ikev2-strongswan-35-responder-rekey-pfs/west.console.txt
@@ -36,10 +36,8 @@
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago,
192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev2{1}: DELETING, TUNNEL, reqid 1
westnet-eastnet-ikev2{1}: 192.0.1.0/24 === 192.0.2.0/24
-westnet-eastnet-ikev2{2}: DELETING, TUNNEL, reqid 1
+westnet-eastnet-ikev2{2}: REKEYING, TUNNEL, reqid 1, expires in 59
minutes
westnet-eastnet-ikev2{2}: 192.0.1.0/24 === 192.0.2.0/24
-westnet-eastnet-ikev2{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs:
SPISPI_i SPISPI_o
-westnet-eastnet-ikev2{3}: 192.0.1.0/24 === 192.0.2.0/24
west #
echo done
done
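Review bot: in this hunk the rekey has not finished, unlike the interop-ikev2-strongswan-35-ipsec-rekey output above where the new child SA is installed: {2} is "REKEYING ... expires in 59 minutes" and the "{3}: INSTALLED" lines from the reference are missing altogether. Before treating this as timing, check the logs on both ends for the child SA rekey exchange, since a rekey with PFS that stalls at this point is a real failure and not an output difference.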
testing/pluto/dnssec-pluto-01 failed west:output-different
--- MASTER/testing/pluto/dnssec-pluto-01/west.console.txt
+++ OUTPUT/testing/pluto/dnssec-pluto-01/west.console.txt
@@ -39,8 +39,6 @@
ipsec auto --status | egrep "oriented|east-from-hosts"
000 "westnet-eastnet-etc-hosts":
192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<east-from-hosts-file>[@east]===192.0.2.0/24;
unrouted; eroute owner: #0
000 "westnet-eastnet-etc-hosts": oriented; my_ip=unset;
their_ip=unset; my_updown=ipsec _updown;
-000 "westnet-eastnet-etc-hosts-auto-add":
192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<east-from-hosts-file>[@east]===192.0.2.0/24;
unrouted; eroute owner: #0
-000 "westnet-eastnet-etc-hosts-auto-add": oriented; my_ip=unset;
their_ip=unset; my_updown=ipsec _updown;
west #
echo "initdone"
initdone
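Review bot: both status lines for "westnet-eastnet-etc-hosts-auto-add" are gone while "westnet-eastnet-etc-hosts" is still listed, so the connection whose name says it is added automatically is not being loaded at all. Check west's pluto log for why that connection, whose peer address comes from the hosts file (east-from-hosts-file), fails to load before touching the reference.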
testing/pluto/ikev2-55-ipseckey-01 passed
testing/pluto/ikev2-55-ipseckey-02 failed road:output-different
--- MASTER/testing/pluto/ikev2-55-ipseckey-02/road.console.txt
+++ OUTPUT/testing/pluto/ikev2-55-ipseckey-02/road.console.txt
@@ -83,9 +83,9 @@
133 "road-east-2" #1: STATE_PARENT_I1: initiate
133 "road-east-2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "road-east-2" #1: suppressing retransmit because
IMPAIR_RETRANSMITS is set.
-003 "road-east-2" #1: Can't find the private key from the NSS CKA_ID
-003 "road-east-2" #1: Failed to find our RSA key
-000 "road-east-2" #1: realse whack for IKE SA, but releasing whack for
pending IPSEC SA
+003 "road-east-2" #1: Can't find the certificate or private key from
the NSS CKA_ID
+003 "road-east-2" #1: DigSig: failed to find our RSA key
+000 "road-east-2" #1: release whack for IKE SA, but releasing whack
for pending IPSEC SA
road #
ping -n -c 4 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
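Review bot: all three changed lines in this hunk are message text only: "Can't find the private key" became "Can't find the certificate or private key", "Failed to find our RSA key" gained a "DigSig:" prefix, and the "realse" typo is now "release". The failure the test expects still occurs at the same point, so regenerating road's reference output is enough.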
testing/pluto/nss-cert-crl-03-strict failed west:output-different
--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -40,6 +40,10 @@
002 "nss-cert-crl" #1: I am sending my cert
002 "nss-cert-crl" #1: I am sending a certificate request
108 "nss-cert-crl" #1: STATE_MAIN_I3: sent MI3, expecting MR3
+003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
+003 "nss-cert-crl" #1: received and ignored informational message
+003 "nss-cert-crl" #1: discarding duplicate packet; already
STATE_MAIN_I3
+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 500ms
for response
002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
[email protected]'
002 "nss-cert-crl" #1: certificate verified OK:
[email protected],CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
004 "nss-cert-crl" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=RSA_SIG cipher=aes_256 integ=sha2_256 group=MODP2048}
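Review bot: the four lines added after "STATE_MAIN_I3: sent MI3, expecting MR3" show the responder first answering with INVALID_ID_INFORMATION and west retransmitting after 500ms before the peer ID and certificate are accepted. The SA still reaches STATE_MAIN_I4, but a first-attempt rejection in a CRL strict test should be explained from east's log before the reference is updated to include it.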
testing/pluto/nss-cert-nosecret failed west:output-different
--- MASTER/testing/pluto/nss-cert-nosecret/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-nosecret/west.console.txt
@@ -159,25 +159,24 @@
000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_IPV4_ADDR '192.1.2.23'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until
TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_DER_ASN1_DN 'C=CA, ST=Ontario, L=Toronto, O=Libreswan,
OU=Test Department, CN=west.testing.libreswan.org,
[email protected]'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until
TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_USER_FQDN '[email protected]'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until
TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_FQDN '@west.testing.libreswan.org'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until
TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_USER_FQDN '[email protected]'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
-000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (has private key), until
TIMESTAMP ok
+000 TIMESTAMP, 1024 RSA Key AwXXXXXXX (no private key), until
TIMESTAMP ok
000 ID_IPV4_ADDR '192.1.2.45'
000 Issuer 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test
Department, CN=Libreswan test CA for mainca, [email protected]'
000
000 List of Pre-shared secrets (from /etc/ipsec.secrets)
000
-000 0: RSA (none) (none)
000
000 List of X.509 End Certificates:
000
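Review bot: every key that the reference listed as "(has private key)" now shows "(no private key)", and the "0: RSA (none) (none)" entry under the pre-shared secrets list is gone. Both changes concern how private keys are associated with the listed public keys; confirm whether the test's connection can still authenticate with west's key, because if it can, the listing is wrong, and if it cannot, this is a functional regression rather than an output difference.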
testing/pluto/nss-cert-09-notyetvalid-initiator failed east:output-different west:output-different
---
MASTER/testing/pluto/nss-cert-09-notyetvalid-initiator/east.console.txt
+++
OUTPUT/testing/pluto/nss-cert-09-notyetvalid-initiator/east.console.txt
@@ -17,7 +17,6 @@
# will only show up on east - note "expired" is wrong and should be
"not yet valid"
east #
grep "ERROR" /tmp/pluto.log
-"nss-cert" #1: ERROR: Peer's Certificate has expired.
east #
east #
../bin/check-for-core.sh
---
MASTER/testing/pluto/nss-cert-09-notyetvalid-initiator/west.console.txt
+++
OUTPUT/testing/pluto/nss-cert-09-notyetvalid-initiator/west.console.txt
@@ -1,4 +1,4 @@
-/testing/guestbin/swan-prep --x509 --x509name notyetvalid
+/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
certutil -d sql:/etc/ipsec.d -D -n east
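Review bot: the first line changes from "swan-prep --x509 --x509name notyetvalid" to plain "swan-prep --x509", so west is no longer set up with the not-yet-valid certificate and the test has stopped exercising certificate-validity rejection. Restore "--x509name notyetvalid" in west's script; the certificate verifying and the SA reaching STATE_MAIN_I4 in the next hunk, and east no longer logging "Peer's Certificate has expired", follow from this one line.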
@@ -30,12 +30,18 @@
002 "nss-cert" #1: I am sending my cert
002 "nss-cert" #1: I am sending a certificate request
108 "nss-cert" #1: STATE_MAIN_I3: sent MI3, expecting MR3
-003 "nss-cert" #1: ignoring informational payload
INVALID_KEY_INFORMATION, msgid=00000000, length=12
-003 "nss-cert" #1: received and ignored informational message
-003 "nss-cert" #1: discarding duplicate packet; already STATE_MAIN_I3
-002 "nss-cert" #1: suppressing retransmit because IMPAIR_RETRANSMITS
is set
-031 "nss-cert" #1: max number of retransmissions (0) reached
STATE_MAIN_I3. Possible authentication failure: no acceptable response to our
first encrypted message
-002 "nss-cert" #1: deleting state (STATE_MAIN_I3)
+002 "nss-cert" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
[email protected]'
+002 "nss-cert" #1: certificate verified OK:
[email protected],CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
+004 "nss-cert" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG
cipher=aes_256 integ=sha2_256 group=MODP2048}
+002 "nss-cert" #2: initiating Quick Mode
RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
+117 "nss-cert" #2: STATE_QUICK_I1: initiate
+003 "nss-cert" #2: up-client command exited with status 1
+032 "nss-cert" #2: STATE_QUICK_I1: internal error
+003 "nss-cert" #2: discarding duplicate packet; already STATE_QUICK_I1
+003 "nss-cert" #2: discarding duplicate packet; already STATE_QUICK_I1
+002 "nss-cert" #2: deleting state (STATE_QUICK_I1)
+003 "nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
+003 "nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
west #
echo done
done
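Review bot: apart from the certificate now verifying, this hunk shows a second problem in Quick Mode: "up-client command exited with status 1", then "STATE_QUICK_I1: internal error" and two "netlink response for Del SA ... errno 3: No such process" errors. The certificate change does not explain these, so look at why the updown script fails on west, and at why state deletion tries to remove SAs that the kernel does not have.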
@@ -43,6 +49,9 @@
# will only show up on east - note "expired" is wrong and should be
"not yet valid"
west #
grep "ERROR" /tmp/pluto.log
+| complete v1 state transition with STF_INTERNAL_ERROR
+"nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
+"nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
west #
west #
../bin/check-for-core.sh
testing/pluto/nss-cert-10-notyetvalid-responder-ikev2 failed east:output-different west:output-different
---
MASTER/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/east.console.txt
+++
OUTPUT/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/east.console.txt
@@ -24,6 +24,8 @@
# only expected to show failure on west
east #
grep "ERROR" /tmp/pluto.log
+"nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
+"nss-cert" #2: ERROR: netlink response for Del SA
[email protected] included errno 3: No such process
east #
east #
../bin/check-for-core.sh
---
MASTER/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/west.console.txt
+++
OUTPUT/testing/pluto/nss-cert-10-notyetvalid-responder-ikev2/west.console.txt
@@ -27,13 +27,6 @@
002 "nss-cert" #1: suppressing retransmit because IMPAIR_RETRANSMITS
is set.
134 "nss-cert" #2: STATE_PARENT_I2: sent v2I2, expected v2R2
{auth=IKEv2 cipher=aes_gcm_16_256 integ=n/a prf=sha2_512 group=MODP2048}
002 "nss-cert" #2: suppressing retransmit because IMPAIR_RETRANSMITS
is set.
-003 "nss-cert" #2: Certificate
[email protected],CN=notyetvalid.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA failed verification
-003 "nss-cert" #2: ERROR: Peer's Certificate has expired.
-002 "nss-cert" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA,
ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department,
CN=notyetvalid.testing.libreswan.org, [email protected]'
-003 "nss-cert" #2: no RSA public key known for 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department,
CN=notyetvalid.testing.libreswan.org, [email protected]'
-002 "nss-cert" #2: RSA authentication failed
-224 "nss-cert" #2: STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED
-003 "nss-cert" #2: EXPECTATION FAILED: st != NULL && st->st_event !=
NULL && st->st_event->ev_type == EVENT_v2_RETRANSMIT (in
complete_v2_state_transition at /source/programs/pluto/ikev2.c:1827)
west #
echo done
done
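Review bot: the removed block took the certificate rejection ("failed verification", "RSA authentication failed", "STATE_PARENT_I2: v2N_AUTHENTICATION_FAILED") with it and nothing replaces it: the output now stops at "STATE_PARENT_I2: sent v2I2, expected v2R2" with no success or failure line. Losing the EXPECTATION FAILED line is fine, but west must still be seen rejecting the not-yet-valid responder certificate; check that the test scripts still load it (west's script in nss-cert-09-notyetvalid-initiator dropped "--x509name notyetvalid") and make the test check the outcome explicitly.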
@@ -41,7 +34,6 @@
# only expected to show failure on west
west #
grep "ERROR" /tmp/pluto.log
-"nss-cert" #2: ERROR: Peer's Certificate has expired.
west #
west #
../bin/check-for-core.sh
testing/pluto/ipsec-hostkey-ckaid-02-fips failed west:output-different
--- MASTER/testing/pluto/ipsec-hostkey-ckaid-02-fips/west.console.txt
+++ OUTPUT/testing/pluto/ipsec-hostkey-ckaid-02-fips/west.console.txt
@@ -4,14 +4,18 @@
FIPS mode enabled.
west #
ipsec newhostkey
-Generated RSA key pair with CKAID <<CKAID#1>> was stored in the NSS
database
+FIPS HMAC integrity verification test failed.
west #
ipsec showhostkey --list
-< 1> RSA keyid: <<KEYID#1>> ckaid: <<CKAID#1>>
west #
ckaid=$(ipsec showhostkey --list | sed -e 's/.*ckaid: //')
west #
ipsec showhostkey --left --ckaid $ckaid
- # rsakey <<KEYID#1>>
- leftrsasigkey=<<RSASIGKEY#1>>
+PATH/libexec/ipsec/showhostkey: option '--ckaid' requires an argument
+Usage: showhostkey [ --verbose ]
+ { --version | --dump | --list | --left | --right |
+ --ipseckey [ --precedence <precedence> ]
+ [ --gateway <gateway> ] }
+ [ --rsaid <rsaid> | --ckaid <ckaid> ]
+ [ --nssdir <nssdir> ] [ --password <password> ]
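Review bot: "FIPS HMAC integrity verification test failed." in place of the key-generation message after "ipsec newhostkey" is the only real failure in this hunk; the rest cascades from it, since with no key "ipsec showhostkey --list" prints nothing, $ckaid is empty, and --ckaid is then passed without an argument. The self-test refusing to proceed is the fail-closed behaviour FIPS mode should have, so the thing to fix is most likely the test environment (the integrity data not matching the binaries under test) rather than the test itself; quoting "$ckaid" in the script would also make an empty value fail with a clearer error than the usage text.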
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev