/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 # DROP
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec whack --impair v2_proposal_dh:drop-none
west #
 ipsec up dh
"dh" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"dh" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"dh" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}, initiating IKE_AUTH
"dh" #1: IMPAIR: proposal 1 transform DH=NONE excluded when counting transforms
"dh" #1: IMPAIR: proposal 1 transform DH=NONE excluded when emitting proposal
"dh" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500
"dh" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
"dh" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#2: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 # ALLOW
west #
 ipsec whack --impair v2_proposal_dh:allow-none
west #
 ipsec whack --rekey-ike   --name dh
"dh" #3: initiating rekey to replace IKE SA #1 using IKE SA #1
"dh" #3: sent CREATE_CHILD_SA request to rekey IKE SA #1 (using IKE SA #1)
"dh" #3: initiator rekeyed IKE SA #1 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}
"dh" #1: deleting IKE SA (ESTABLISHED_IKE_SA) and sending notification
west #
 ipsec whack --rekey-child --name dh
"dh" #4: initiating rekey to replace Child SA #2 using IKE SA #3
"dh" #4: IMPAIR: proposal 1 transform DH=NONE included when counting transforms
"dh" #4: IMPAIR: proposal 1 transform DH=NONE included when emitting proposal
"dh" #4: sent CREATE_CHILD_SA request to rekey Child SA #2 using IKE SA #3
"dh" #4: initiator rekeyed Child SA #2 using #3; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
"dh" #2: sent INFORMATIONAL request to delete established Child SA using IKE SA #3
"dh" #2: ESP traffic information: in=84B out=84B
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#4: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 # DROP
west #
 ipsec whack --impair v2_proposal_dh:drop-none
west #
 ipsec whack --rekey-ike   --name dh
"dh" #5: initiating rekey to replace IKE SA #3 using IKE SA #3
"dh" #5: sent CREATE_CHILD_SA request to rekey IKE SA #3 (using IKE SA #3)
"dh" #5: initiator rekeyed IKE SA #3 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}
"dh" #3: deleting IKE SA (ESTABLISHED_IKE_SA) and sending notification
west #
 ipsec whack --rekey-child --name dh
"dh" #6: initiating rekey to replace Child SA #4 using IKE SA #5
"dh" #6: IMPAIR: proposal 1 transform DH=NONE excluded when counting transforms
"dh" #6: IMPAIR: proposal 1 transform DH=NONE excluded when emitting proposal
"dh" #6: sent CREATE_CHILD_SA request to rekey Child SA #4 using IKE SA #5
"dh" #6: initiator rekeyed Child SA #4 using #5; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
"dh" #4: sent INFORMATIONAL request to delete established Child SA using IKE SA #5
"dh" #4: ESP traffic information: in=84B out=84B
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#6: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 # ALLOW
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec whack --impair v2_proposal_dh:allow-none
west #
 ipsec up dh
"dh" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"dh" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"dh" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}, initiating IKE_AUTH
"dh" #1: IMPAIR: proposal 1 transform DH=NONE included when counting transforms
"dh" #1: IMPAIR: proposal 1 transform DH=NONE included when emitting proposal
"dh" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500
"dh" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
"dh" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#2: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 # DROP
west #
 ipsec whack --impair v2_proposal_dh:drop-none
west #
 ipsec whack --rekey-ike   --name dh
"dh" #3: initiating rekey to replace IKE SA #1 using IKE SA #1
"dh" #3: sent CREATE_CHILD_SA request to rekey IKE SA #1 (using IKE SA #1)
"dh" #3: initiator rekeyed IKE SA #1 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}
"dh" #1: deleting IKE SA (ESTABLISHED_IKE_SA) and sending notification
west #
 ipsec whack --rekey-child --name dh
"dh" #4: initiating rekey to replace Child SA #2 using IKE SA #3
"dh" #4: IMPAIR: proposal 1 transform DH=NONE excluded when counting transforms
"dh" #4: IMPAIR: proposal 1 transform DH=NONE excluded when emitting proposal
"dh" #4: sent CREATE_CHILD_SA request to rekey Child SA #2 using IKE SA #3
"dh" #4: initiator rekeyed Child SA #2 using #3; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
"dh" #2: sent INFORMATIONAL request to delete established Child SA using IKE SA #3
"dh" #2: ESP traffic information: in=84B out=84B
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#4: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 # ALLOW
west #
 ipsec whack --impair v2_proposal_dh:allow-none
west #
 ipsec whack --rekey-ike   --name dh
"dh" #5: initiating rekey to replace IKE SA #3 using IKE SA #3
"dh" #5: sent CREATE_CHILD_SA request to rekey IKE SA #3 (using IKE SA #3)
"dh" #5: initiator rekeyed IKE SA #3 {cipher=AES_GCM_16_128 integ=n/a prf=HMAC_SHA1 group=MODP2048}
"dh" #3: deleting IKE SA (ESTABLISHED_IKE_SA) and sending notification
west #
 ipsec whack --rekey-child --name dh
"dh" #6: initiating rekey to replace Child SA #4 using IKE SA #5
"dh" #6: IMPAIR: proposal 1 transform DH=NONE included when counting transforms
"dh" #6: IMPAIR: proposal 1 transform DH=NONE included when emitting proposal
"dh" #6: sent CREATE_CHILD_SA request to rekey Child SA #4 using IKE SA #5
"dh" #6: initiator rekeyed Child SA #4 using #5; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE DPD=passive}
"dh" #4: sent INFORMATIONAL request to delete established Child SA using IKE SA #5
"dh" #4: ESP traffic information: in=84B out=84B
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec trafficstatus
#6: "dh", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 # east shows what was sent across the wire; expect two lines for each
west #
 # of the three connections: default (missing); integ=none included;
west #
 # integ=none excluded
west #
 grep 'chosen from remote proposal' /tmp/pluto.log | sed -e 's/SPI=[0-9a-z]*/SPI=X/'
west #
 # west shows what came back, expect two lines for each of the three
west #
 # connections: default (missing); integ=none included; integ=none
west #
 # excluded
west #
 grep 'remote accepted' /tmp/pluto.log
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_16_128;PRF=HMAC_SHA1;DH=MODP2048[first-match]
| remote accepted the proposal 1:ESP:ENCR=AES_GCM_16_128;DH=NONE;ESN=YES[first-match]
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_16_128;PRF=HMAC_SHA1;DH=MODP2048[first-match]
| remote accepted the proposal 1:ESP:ENCR=AES_GCM_16_128;ESN=YES[first-match]
| remote accepted the proposal 1:IKE:ENCR=AES_GCM_16_128;PRF=HMAC_SHA1;DH=MODP2048[first-match]
| remote accepted the proposal 1:ESP:ENCR=AES_GCM_16_128;DH=NONE;ESN=YES[first-match]
west #
 
