east:~#
 TESTNAME=tpm-accept-04
east:~#
 TESTING=${TESTING-/testing}
east:~#
 mkdir -p /tmp/$TESTNAME
east:~#
 mkdir -p /tmp/$TESTNAME/ipsec.d/cacerts
east:~#
 mkdir -p /tmp/$TESTNAME/ipsec.d/crls
east:~#
 mkdir -p /tmp/$TESTNAME/ipsec.d/certs
east:~#
 mkdir -p /tmp/UML.d/private
east:~#
 cp /etc/ipsec.secrets                    /tmp/$TESTNAME
east:~#
 if [ -f ${TESTING}/pluto/$TESTNAME/east.secrets ]; then cat ${TESTING}/pluto/$TESTNAME/east.secrets >>/tmp/$TESTNAME/ipsec.secrets; fi
east:~#
 if [ -f ${TESTING}/pluto/$TESTNAME/east.tpm.tcl ]; then cp ${TESTING}/pluto/$TESTNAME/east.tpm.tcl /tmp/$TESTNAME/ipsec.d/tpm.tcl; fi
east:~#
 IPSEC_CONFS=/tmp/$TESTNAME export IPSEC_CONFS
east:~#
 PATH=/usr/local/sbin:$PATH
east:~#
 export PATH
east:~#
 rm -f /var/run/pluto/pluto.pid 
east:~#
 echo "Starting Openswan IPsec pluto"
Starting Openswan IPsec pluto
east:~#
 (cd /tmp && /usr/local/libexec/ipsec/pluto --nofork --secretsfile /tmp/$TESTNAME/ipsec.secrets --ipsecdir /tmp/$TESTNAME/ipsec.d --use-nostack --uniqueids --nhelpers 0 --stderrlog 2>/tmp/pluto.log ) &
[1] 9999
east:~#
sleep 1
east:~#
 ipsec whack --listen
002 listening for IKE messages
002 adding interface virtual127.0.0.1/lo 127.0.0.1:500
002 adding interface virtual192.9.2.23/eth2 192.9.2.23:500
002 adding interface virtual192.1.2.23/eth1 192.1.2.23:500
002 adding interface virtual192.0.2.254/eth0 192.0.2.254:500
002 loading secrets from "/tmp/tpm-accept-04/ipsec.secrets"
east:~#
 echo "Adding basic policy"
Adding basic policy
east:~#
 ipsec whack --name west--east-psk --encrypt --tunnel --pfs --dpdaction "hold" --psk --host "192.1.2.45" --nexthop "192.1.2.23" --updown "ipsec _updown" --id "192.1.2.45"  --sendcert "always" --to --host "192.1.2.23" --nexthop "192.1.2.45" --updown "ipsec _updown" --id "192.1.2.23"  --sendcert "always" --ipseclifetime "28800" --rekeymargin "540" --ikealg "3des-sha1-modp1024" --debug-control --keyingtries "0"    
002 added connection description "west--east-psk"
east:~#
 ipsec whack --tpmeval 'set test_stage "t04a"'
sending tpmeval: 'set test_stage "t04a"'
002 TPM evaluating 'set test_stage "t04a"' 
east:~#
 echo "Wait for west to initiate"
Wait for west to initiate
east:~#
 echo "Stage 04b"
Stage 04b
east:~#
 ipsec whack --tpmeval 'set test_stage "t04b"'
sending tpmeval: 'set test_stage "t04b"'
002 TPM evaluating 'set test_stage "t04b"' 
east:~#
 ipsec whack --tpmeval 'set stage4b_count 0'
sending tpmeval: 'set stage4b_count 0'
002 TPM evaluating 'set stage4b_count 0' 
east:~#
 echo "Wait for west to initiate"
Wait for west to initiate
east:~#
 echo "Stage 04c"
Stage 04c
east:~#
 ipsec whack --tpmeval 'set test_stage "t04c"'
sending tpmeval: 'set test_stage "t04c"'
002 TPM evaluating 'set test_stage "t04c"' 
east:~#
 ipsec whack --tpmeval 'set stage4c_count 0'
sending tpmeval: 'set stage4c_count 0'
002 TPM evaluating 'set stage4c_count 0' 
east:~#
 echo "Wait for west to initiate"
Wait for west to initiate
east:~#
 

east:~#
east:~#
 cat /tmp/pluto.log
Starting Pluto (Openswan Version 2.5.0cl8 X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEQAUNTmsT]Y)
WARNING: 1DES is enabled
Setting NAT-Traversal port-4500 floating to off
   port floating activation criteria nat_t=0/port_float=1
   including NAT-Traversal patch (Version 0.6c) [disabled]
WARNING: open of /dev/hw_random failed: No such file or directory
using /dev/random as source of random entropy
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
no helpers will be started, all cryptographic operations will be done inline
Loading TPM file: '/tmp/tpm-accept-04/ipsec.d/tpm.tcl' 
TPM enabled 
Changing to directory '/tmp/tpm-accept-04/ipsec.d/cacerts'
Could not change to directory '/tmp/tpm-accept-04/ipsec.d/aacerts'
Could not change to directory '/tmp/tpm-accept-04/ipsec.d/ocspcerts'
Changing to directory '/tmp/tpm-accept-04/ipsec.d/crls'
  Warning: empty directory
listening for IKE messages
adding interface virtual127.0.0.1/lo 127.0.0.1:500
adding interface virtual192.9.2.23/eth2 192.9.2.23:500
adding interface virtual192.1.2.23/eth1 192.1.2.23:500
adding interface virtual192.0.2.254/eth0 192.0.2.254:500
loading secrets from "/tmp/tpm-accept-04/ipsec.secrets"
  loaded private key file '/etc/ipsec.d/private/east.pem' (963 bytes)
added connection description "west--east-psk"
TPM evaluating 'set test_stage "t04a"' 
tcl says packet from: 192.1.2.23
packet from 192.1.2.45:500: received Vendor ID payload [Openswan (this version) 2.5.0cl8  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
packet from 192.1.2.45:500: received Vendor ID payload [Dead Peer Detection]
"west--east-psk" #1: responding to Main Mode
"west--east-psk" #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"west--east-psk" #1: STATE_MAIN_R1: sent MR1, expecting MI2
tcl says packet from: 192.1.2.23
"west--east-psk" #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"west--east-psk" #1: STATE_MAIN_R2: sent MR2, expecting MI3
tcl says packet from: 192.1.2.23
t04a in  st:07
t04a inm st:07
: t04a st:7 DATA
: t04a st:7 DATA
"west--east-psk" #1: Main mode peer ID is ID_IPV4_ADDR: '192.1.2.45'
"west--east-psk" #1: I did not send a certificate because digital signatures are not being used. (PSK)
t04a out st:07
"west--east-psk" #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"west--east-psk" #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
tcl says packet from: 192.1.2.23
t04a in  st:09
t04a inm st:09
: t04a st:9 DATA
: t04a st:9 DATA
"west--east-psk" #2: responding to Quick Mode 
t04a out st:16
"west--east-psk" #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"west--east-psk" #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
tcl says packet from: 192.1.2.23
t04a in  st:18
t04a inm st:18
: t04a st:18 DATA
: t04a st:18 DATA
"west--east-psk" #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"west--east-psk" #2: STATE_QUICK_R2: IPsec SA established
TPM evaluating 'set test_stage "t04b"' 
TPM evaluating 'set stage4b_count 0' 
tcl says packet from: 192.1.2.23
"west--east-psk" #1: received Delete SA(0xSPI1SPI1) payload: deleting IPSEC State #NUM
t04b inm st:09
"west--east-psk" #1: received and ignored informational message
tcl says packet from: 192.1.2.23
"west--east-psk" #1: received Delete SA payload: deleting ISAKMP State #1
t04b inm st:09
packet from 192.1.2.45:500: received and ignored informational message
tcl says packet from: 192.1.2.23
packet from 192.1.2.45:500: received Vendor ID payload [Openswan (this version) 2.5.0cl8  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
packet from 192.1.2.45:500: received Vendor ID payload [Dead Peer Detection]
"west--east-psk" #3: responding to Main Mode
"west--east-psk" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"west--east-psk" #3: STATE_MAIN_R1: sent MR1, expecting MI2
tcl says packet from: 192.1.2.23
"west--east-psk" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"west--east-psk" #3: STATE_MAIN_R2: sent MR2, expecting MI3
tcl says packet from: 192.1.2.23
"west--east-psk" #3: Main mode peer ID is ID_IPV4_ADDR: '192.1.2.45'
"west--east-psk" #3: I did not send a certificate because digital signatures are not being used. (PSK)
t04b inm st:07
Corrupting with ABCD
"west--east-psk" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"west--east-psk" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
tcl says packet from: 192.1.2.23
"west--east-psk" #3: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
tcl says packet from: 192.1.2.23
"west--east-psk" #3: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #3: retransmitting in response to duplicate packet; already STATE_MAIN_R3
tcl says packet from: 192.1.2.23
"west--east-psk" #3: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
packet from 192.1.2.45:500: received Vendor ID payload [Openswan (this version) 2.5.0cl8  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
packet from 192.1.2.45:500: received Vendor ID payload [Dead Peer Detection]
"west--east-psk" #4: responding to Main Mode
"west--east-psk" #4: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"west--east-psk" #4: STATE_MAIN_R1: sent MR1, expecting MI2
tcl says packet from: 192.1.2.23
"west--east-psk" #4: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"west--east-psk" #4: STATE_MAIN_R2: sent MR2, expecting MI3
tcl says packet from: 192.1.2.23
"west--east-psk" #4: Main mode peer ID is ID_IPV4_ADDR: '192.1.2.45'
"west--east-psk" #4: I did not send a certificate because digital signatures are not being used. (PSK)
t04b inm st:07
"west--east-psk" #4: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"west--east-psk" #4: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
tcl says packet from: 192.1.2.23
"west--east-psk" #5: responding to Quick Mode 
t04b inm st:16
"west--east-psk" #5: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"west--east-psk" #5: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
TPM evaluating 'set test_stage "t04c"' 
TPM evaluating 'set stage4c_count 0' 
tcl says packet from: 192.1.2.23
"west--east-psk" #5: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"west--east-psk" #5: STATE_QUICK_R2: IPsec SA established
tcl says packet from: 192.1.2.23
"west--east-psk" #4: received Delete SA(0xSPI1SPI1) payload: deleting IPSEC State #NUM
t04c inm st:09 (QR1:16)
"west--east-psk" #4: received and ignored informational message
tcl says packet from: 192.1.2.23
"west--east-psk" #4: received Delete SA payload: deleting ISAKMP State #4
t04c inm st:09 (QR1:16)
packet from 192.1.2.45:500: received and ignored informational message
tcl says packet from: 192.1.2.23
packet from 192.1.2.45:500: received Vendor ID payload [Openswan (this version) 2.5.0cl8  X.509-1.5.4 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
packet from 192.1.2.45:500: received Vendor ID payload [Dead Peer Detection]
"west--east-psk" #6: responding to Main Mode
"west--east-psk" #6: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"west--east-psk" #6: STATE_MAIN_R1: sent MR1, expecting MI2
tcl says packet from: 192.1.2.23
"west--east-psk" #6: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"west--east-psk" #6: STATE_MAIN_R2: sent MR2, expecting MI3
tcl says packet from: 192.1.2.23
"west--east-psk" #6: Main mode peer ID is ID_IPV4_ADDR: '192.1.2.45'
"west--east-psk" #6: I did not send a certificate because digital signatures are not being used. (PSK)
t04c inm st:07 (QR1:16)
"west--east-psk" #6: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"west--east-psk" #6: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
tcl says packet from: 192.1.2.23
"west--east-psk" #7: responding to Quick Mode 
t04c inm st:16 (QR1:16)
Corrupting with XYZX
"west--east-psk" #7: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"west--east-psk" #7: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
tcl says packet from: 192.1.2.23
"west--east-psk" #6: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #6: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #7: discarding duplicate packet; already STATE_QUICK_R1
tcl says packet from: 192.1.2.23
"west--east-psk" #7: discarding duplicate packet; already STATE_QUICK_R1
tcl says packet from: 192.1.2.23
"west--east-psk" #6: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #6: Informational Exchange message must be encrypted
tcl says packet from: 192.1.2.23
"west--east-psk" #8: responding to Quick Mode 
t04c inm st:16 (QR1:16)
"west--east-psk" #8: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"west--east-psk" #8: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
tcl says packet from: 192.1.2.23
"west--east-psk" #8: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"west--east-psk" #8: STATE_QUICK_R2: IPsec SA established
tcl says packet from: 192.1.2.23
"west--east-psk" #6: received Delete SA(0xSPI1SPI1) payload: deleting IPSEC State #NUM
t04c inm st:09 (QR1:16)
"west--east-psk" #6: received and ignored informational message
tcl says packet from: 192.1.2.23
"west--east-psk" #6: received Delete SA payload: deleting ISAKMP State #6
t04c inm st:09 (QR1:16)
packet from 192.1.2.45:500: received and ignored informational message
east:~#
 if [ -f /tmp/core ]; then echo CORE FOUND; mv /tmp/core /var/tmp; fi
east:~#

