On 05/22/2015 09:31 AM, Tobias Brunner wrote:
> Hi Michael,
>
>> What fails isn't obvious. Looking at one test I was interested in,
>> net2net-cert-sha2, it looked like the test actually did pass (or I just
>> can't find the failure.)
>
> You may compare your results to the ones at [1].

I did, other than the plugin failed to load message, results look
similar to what I see at [1].

>> May 21 16:02:03 moon charon: 00[LIB] unable to load 9 plugin features (9
>> due to unmet dependencies)
>
> In 5.3.0 this message is only logged if the log level is increased. As
> some features will always have unmet dependencies the message was more
> confusing than helpful, so it is not shown anymore by default. So if
> you do see it, without having changed the test config, it would indicate
> that you are not actually using 5.3.0, which is required for the
> net2net-cert-sha2 test scenario.

39 tests failed, not just this one. I simply used wget to dl the
tarball, applied the patch and ran the commands.
I just ran net2net-cert-sha2,
cloud0:~/strongswan-5.3.0/testing$ sudo ./do-tests ikev2/net2net-cert-sha2
[sudo] password for thing:
Guest kernel : 3.15.1
strongSwan : 5.2.0
Date : 20150522-0958-48
[FAIL] 1 ikev2/net2net-cert-sha2: pre..test..post
Passed : 0
Failed : 1
The results are available in
/srv/strongswan-testing/testresults/20150522-0958-48
or via the link http://192.168.0.150/testresults/20150522-0958-48
Finished : 20150522-0958
But console log looks like things worked:
cloud0:/srv/strongswan-testing/testresults/20150522-0958-48/ikev2/net2net-cert-sha2$
cat console.log
TCPDUMP
sun# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log
2>&1 &
PRE-TEST
moon# iptables-restore < /etc/iptables.rules
sun# iptables-restore < /etc/iptables.rules
moon# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
No leaks detected, 1 suppressed by whitelist
sun# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
No leaks detected, 1 suppressed by whitelist
moon# sleep 1
moon# ipsec up net-net
initiating IKE_SA net-net[1] to 192.168.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (676 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.1[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'moon.strongswan.org' (myself) with RSA signature
successful
sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr
AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (1724 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.1[500] (1532 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan
Root CA"
checking certificate status of "C=CH, O=Linux strongSwan,
CN=sun.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan
Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jun 20 14:25:51 2015
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'sun.strongswan.org' with RSA signature successful
IKE_SA net-net[1] established between
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
scheduling reauthentication in 3381s
maximum IKE_SA lifetime 3561s
connection 'net-net' established successfully
No leaks detected, 1 suppressed by whitelist
TEST
moon# cat /var/log/daemon.log | grep 'authentication
of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful' [YES]
moon# ipsec status 2> /dev/null | grep
'net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org' [YES]
net-net[1]: ESTABLISHED 0 seconds ago,
192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
sun# cat /var/log/daemon.log | grep 'authentication
of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful' [YES]
sun# ipsec status 2> /dev/null | grep
'net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org' [YES]
net-net[1]: ESTABLISHED 0 seconds ago,
192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
moon# ipsec status 2> /dev/null | grep 'net-net.*INSTALLED, TUNNEL' [YES]
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cb68e27d_i c77a128f_o
sun# ipsec status 2> /dev/null | grep 'net-net.*INSTALLED, TUNNEL' [YES]
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c77a128f_i cb68e27d_o
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_req=1'
[YES]
64 bytes from 10.2.0.10: icmp_req=1 ttl=62 time=2.87 ms
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org >
sun.strongswan.org: ESP' [YES]
13:58:49.055214 IP moon.strongswan.org > sun.strongswan.org:
ESP(spi=0xc77a128f,seq=0x1), length 132
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org >
moon.strongswan.org: ESP' [YES]
13:58:49.056249 IP sun.strongswan.org > moon.strongswan.org:
ESP(spi=0xcb68e27d,seq=0x1), length 132
POST-TEST
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
moon# iptables-restore < /etc/iptables.flush
sun# iptables-restore < /etc/iptables.flush
cloud0:/srv/strongswan-testing/testresults/20150522-0958-48/ikev2/net2net-cert-sha2$
I also checked other files; at first look things look right, e.g.
sun.tcpdump.log shows packets exchanged.
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
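
Added example, not part of the original message or of the strongSwan test suite: a shell check for the two version indicators discussed in the thread, the strongSwan version printed in the test output and the plugin-feature message that 5.3.0 no longer logs by default. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag test output produced by a strongSwan release other than
# the one a scenario requires. Function names are hypothetical.

# Print each distinct version found in the do-tests summary
# ("strongSwan : X") or in a starter banner ("Starting strongSwan X").
found_versions() {
    sed -n \
        -e 's/^strongSwan[[:space:]]*:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' \
        -e 's/.*Starting strongSwan \([0-9][0-9.]*\).*/\1/p' \
        "$1" | sort -u
}

# Return 0 if every version in FILE equals EXPECTED, 1 on any mismatch,
# 2 if FILE has no version line at all.
check_version() {
    expected=$1
    versions=$(found_versions "$2")
    [ -n "$versions" ] || { echo "no version lines in $2"; return 2; }
    result=0
    for v in $versions; do
        if [ "$v" != "$expected" ]; then
            echo "mismatch: found $v, scenario expects $expected"
            result=1
        fi
    done
    return "$result"
}

# Return 0 if FILE contains the plugin-feature message that, per the thread,
# 5.3.0 no longer logs at the default log level.
has_plugin_warning() {
    grep -q 'unable to load [0-9][0-9]* plugin features' "$1"
}

# Constructed sample: lines copied from the output quoted in the message.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
strongSwan : 5.2.0
moon# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
May 21 16:02:03 moon charon: 00[LIB] unable to load 9 plugin features (9 due to unmet dependencies)
EOF

check_version 5.3.0 "$SAMPLE" || true
has_plugin_warning "$SAMPLE" && echo "plugin-feature warning present"
```

Pointing `check_version` at a real `console.log` or at saved `do-tests` output shows which release the guest images actually ran, independent of the directory the tests were started from.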