/testing/guestbin/swan-prep --hostkeys
Creating NSS database containing host keys
west #
 setenforce 1
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add ikev1-ipsec-fail
"ikev1-ipsec-fail": added IKEv1 connection
west #
 ipsec auto --add ikev1-aggr-ipsec-fail
"ikev1-aggr-ipsec-fail": added IKEv1 connection
west #
 #ipsec whack --impair timeout_on_retransmit
west #
 echo "initdone"
initdone
west #
 ipsec whack --impair revival
west #
 # ipsec fail tests
west #
 # See description of limitations of this test
west #
 ipsec auto --up ikev1-ipsec-fail #retransmits
"ikev1-ipsec-fail" #1: initiating IKEv1 Main Mode connection
"ikev1-ipsec-fail" #1: sent Main Mode request
"ikev1-ipsec-fail" #1: sent Main Mode I2
"ikev1-ipsec-fail" #1: sent Main Mode I3
"ikev1-ipsec-fail" #1: Peer ID is FQDN: '@east-v1'
"ikev1-ipsec-fail" #1: authenticated peer using preloaded certificate '@east-v1' and 2nnn-bit RSA with SHA1 signature
"ikev1-ipsec-fail" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1536}
"ikev1-ipsec-fail" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:MSGID proposal=AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_512_256, AES_CBC-HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_GCM_16_256-NONE, 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_512_256, 3DES_CBC-HMAC_SHA2_256_128 pfsgroup=MODP1536 192.0.1.0/24===66.66.66.0/24}
"ikev1-ipsec-fail" #2: sent Quick Mode request
"ikev1-ipsec-fail" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
"ikev1-ipsec-fail" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
"ikev1-ipsec-fail" #2: STATE_QUICK_I1: 2 second timeout exceeded after 2 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ikev1-ipsec-fail" #2: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"ikev1-ipsec-fail" #2: IMPAIR: revival: skip scheduling revival event
"ikev1-ipsec-fail" #2: deleting IPsec SA (QUICK_I1) and NOT sending notification
west #
 ipsec auto --delete ikev1-ipsec-fail
"ikev1-ipsec-fail": terminating SAs using this connection
"ikev1-ipsec-fail" #1: deleting ISAKMP SA (MAIN_I4) and sending notification
west #
 ipsec auto --up ikev1-aggr-ipsec-fail #retransmits
"ikev1-aggr-ipsec-fail" #3: initiating IKEv1 Aggressive Mode connection
"ikev1-aggr-ipsec-fail" #3: sent Aggressive Mode request
"ikev1-aggr-ipsec-fail" #3: Peer ID is FQDN: '@east-v1'
"ikev1-aggr-ipsec-fail" #3: authenticated peer using preloaded certificate '@east-v1' and 2nnn-bit RSA with SHA1 signature
"ikev1-aggr-ipsec-fail" #3: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1536}
"ikev1-aggr-ipsec-fail" #4: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#3 msgid:MSGID proposal=AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_512_256, AES_CBC-HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_GCM_16_256-NONE, 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_512_256, 3DES_CBC-HMAC_SHA2_256_128 pfsgroup=MODP1536 192.0.1.0/24===66.66.66.0/24}
"ikev1-aggr-ipsec-fail" #4: sent Quick Mode request
"ikev1-aggr-ipsec-fail" #4: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
"ikev1-aggr-ipsec-fail" #4: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
"ikev1-aggr-ipsec-fail" #4: STATE_QUICK_I1: 2 second timeout exceeded after 2 retransmits.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"ikev1-aggr-ipsec-fail" #4: connection is supposed to remain up; revival attempt 1 scheduled in 0 seconds
"ikev1-aggr-ipsec-fail" #4: IMPAIR: revival: skip scheduling revival event
"ikev1-aggr-ipsec-fail" #4: deleting IPsec SA (QUICK_I1) and NOT sending notification
west #
 ipsec auto --delete ikev1-aggr-ipsec-fail
"ikev1-aggr-ipsec-fail": terminating SAs using this connection
"ikev1-aggr-ipsec-fail" #3: deleting ISAKMP SA (AGGR_I2) and sending notification
west #
 echo done
done
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 grep -E -i "IKE|ipsec-" /var/log/audit/audit.log
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start direction=initiator conn-name="ikev1-ipsec-fail" connstate=1 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start conn-name="ikev1-ipsec-fail" connstate=2, satype=ipsec-policy samode=tunnel cipher=none ksize=0 integ=none in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX) out-spi=DEC(HEX) raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=destroy direction=initiator conn-name="ikev1-ipsec-fail" connstate=1 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start direction=initiator conn-name="ikev1-aggr-ipsec-fail" connstate=3 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start conn-name="ikev1-aggr-ipsec-fail" connstate=4, satype=ipsec-policy samode=tunnel cipher=none ksize=0 integ=none in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX) out-spi=DEC(HEX) raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=destroy direction=initiator conn-name="ikev1-aggr-ipsec-fail" connstate=3 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
west #
