I'm planning on removing the sanitizer ipsec-auto-up.n.sed. It removes what I consider to be important contextual information from console.txt. For instance, consider this output:
--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt @@ -41,8 +41,10 @@ 1v1 "nss-cert-crl" #1: sent Main Mode I3 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, [email protected]' 002 "nss-cert-crl" #1: certificate verified OK: E= [email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1 the duplicate "ignoring informational payload" seems to be from the other end spontaneously sending duplicates (this is IKEv1 after all), and things take time to establish because the other end was slow. However, once retransmits are visible: --- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt +++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt 
@@ -41,8 +41,10 @@ 1v1 "nss-cert-crl" #1: sent Main Mode I3 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION +010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, [email protected]' 002 "nss-cert-crl" #1: certificate verified OK: E= [email protected],CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1 it looks more likely that the re-transmit triggered forward progress. Similarly, but in contrast: --- MASTER/testing/pluto/ikev2-keyingtries-01/west.console.txt +++ OUTPUT/testing/pluto/ikev2-keyingtries-01/west.console.txt 
@@ -28,7 +28,9 @@ 002 "westnet-eastnet-k1" #1: IMPAIR: omitting KE payload 1v2 "westnet-eastnet-k1" #1: sent IKE_SA_INIT request 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni +010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni +010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni 031 "westnet-eastnet-k1" #1: STATE_PARENT_I1: 3 second timeout exceeded after 2 retransmits. No response (or no acceptable response) to our first IKEv2 message 002 "westnet-eastnet-k1" #1: deleting state (STATE_PARENT_I1) and NOT sending notification the re-transmits suggest they are just adding noise to the test (and it could delete-on-retransmit).
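Review bot: in the second nss-cert-crl-03-strict hunk, the two added `010 ... STATE_MAIN_I3: retransmission` lines (waits of 0.5 and 1 seconds) exist only on the OUTPUT side, so once ipsec-auto-up.n.sed is removed the number of retransmits becomes part of what is compared against MASTER. If that count depends on how quickly the peer answers, the expected output may differ from run to run; confirm the hunk is stable over repeated runs before refreshing MASTER, or keep a narrower rule that normalises only the count.

Review bot: in the ikev2-keyingtries-01 hunk the added `010 ... STATE_PARENT_I1: retransmission` lines (1 and 2 seconds) agree with the existing `031` line, which already reports "3 second timeout exceeded after 2 retransmits", so the count here is fixed by the timeout and can be recorded in MASTER as shown.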
