I will fix these. It is because they wrongly loaded both certificates and I fixed that in ipsec.conf.common and I need to rewrite those tests to add leftcert= to west / road and rightcert=east to east.
Sent from mobile device

> On Oct 23, 2018, at 15:34, Andrew Cagney <[email protected]> wrote:
>
> The tests seem to have two new failures. For instance in
> testing/pluto/ikev2-04-basic-x509-nhelpers0/west.console.txt
>
> - it can't find a certificate
> > @@ -52,23 +51,18 @@ > 002 "westnet-eastnet-ikev2" #1: initiating v2 parent SA > 133 "westnet-eastnet-ikev2" #1: initiate > 133 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 > -134 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: sent v2I2, expected > v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 > group=MODP2048} > -002 "westnet-eastnet-ikev2" #2: certificate verified OK: > [email protected],CN=east.testing.libreswan.org,OU=Test > Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA > -002 "westnet-eastnet-ikev2" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: > 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, > CN=east.testing.libreswan.org, [email protected]' > -003 "westnet-eastnet-ikev2" #2: Authenticated using RSA > -002 "westnet-eastnet-ikev2" #2: negotiated connection > [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] > -004 "westnet-eastnet-ikev2" #2: STATE_V2_IPSEC_I: IPsec SA > established tunnel mode {ESP=>0xESPESP <0xESPESP > xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} > +003 "westnet-eastnet-ikev2" #1: Can't find the certificate or private > key from the NSS CKA_ID > +003 "westnet-eastnet-ikev2" #1: Failed to find our RSA key > +002 "westnet-eastnet-ikev2" #1: deleting state (STATE_PARENT_I2) and > NOT sending notification > > - and there's been churn in the output > > -000 "westnet-eastnet-ikev2": > 192.0.1.0/24===192.1.2.45<192.1.2.45>[C=CA, ST=Ontario, L=Toronto, > O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, > [email protected]]...192.1.2.23<192.1.2.23>[C=CA, > ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, > CN=east.testing.libreswan.org, > [email protected]]===192.0.2.0/24; unrouted; eroute > owner: #0 > -000 "westnet-eastnet-ikev2": oriented; my_ip=unset; > their_ip=unset; mycert=west; hiscert=east; my_updown=ipsec _updown; > +000 "westnet-eastnet-ikev2": > 
192.0.1.0/24===192.1.2.45<192.1.2.45>[%fromcert]...192.1.2.23<192.1.2.23>[%fromcert]===192.0.2.0/24; > unrouted; eroute owner: #0 > +000 "westnet-eastnet-ikev2": oriented; my_ip=unset; > their_ip=unset; my_updown=ipsec _updown;
>
> I don't think this was me.
> _______________________________________________
> Swan-dev mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan-dev
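Review bot: the status-line change in the second region (both IDs become [%fromcert], and mycert=west; hiscert=east drops out of the "oriented" line) looks like the same regression as the first hunk's "Failed to find our RSA key" on #1, not independent churn. The connection on west no longer shows a certificate, and the exchange is torn down at STATE_PARENT_I2 without sending a notification. I would not regenerate west.console.txt from this run; once the connection shows its cert again, check that the removed lines (certificate verified OK, Authenticated using RSA, IPsec SA established) come back unchanged.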
