/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
road #
 cp policy /etc/ipsec.d/policies/road
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 echo "initdone"
initdone
road #
 ./oe-pass.sh        --negopass --failnone
:
:
: OE testing: oe.negopass.failnone.pass -- --negopass --failnone
:
:
: oe.negopass.failnone.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failnone.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failnone --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failnone.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failnone.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negopass.failnone.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negopass.failnone.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.failnone.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negopass.failnone.pass EXPECT NO STATES
: oe.negopass.failnone.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.failnone.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negopass --failnone
:
:
: OE testing: oe.negopass.failnone.fail-ike -- --negopass --failnone --ike aes
:
:
: oe.negopass.failnone.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failnone.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failnone --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failnone.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failnone.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-ike TRY NEGOTIATION PING
up
: oe.negopass.failnone.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negopass.failnone.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.failnone.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
: oe.negopass.failnone.fail-ike EXPECT NO FAILURE STATES
: oe.negopass.failnone.fail-ike TRY FAILURE PING
: oe.negopass.failnone.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negopass --failnone
:
:
: OE testing: oe.negopass.failnone.fail-child -- --negopass --failnone --esp aes
:
:
: oe.negopass.failnone.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failnone.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failnone --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failnone.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failnone.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negopass.failnone.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.failnone.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failnone.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
: oe.negopass.failnone.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE BUT THERE ARE - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negopass.failnone.fail-child TRY FAILURE PING
: oe.negopass.failnone.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-pass.sh        --negopass --faildrop
:
:
: OE testing: oe.negopass.faildrop.pass -- --negopass --faildrop
:
:
: oe.negopass.faildrop.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.faildrop.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --faildrop --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.faildrop.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.faildrop.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negopass.faildrop.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negopass.faildrop.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.faildrop.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negopass.faildrop.pass EXPECT NO STATES
: oe.negopass.faildrop.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.faildrop.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negopass --faildrop
:
:
: OE testing: oe.negopass.faildrop.fail-ike -- --negopass --faildrop --ike aes
:
:
: oe.negopass.faildrop.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.faildrop.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --faildrop --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.faildrop.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.faildrop.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-ike TRY NEGOTIATION PING
up
: oe.negopass.faildrop.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negopass.faildrop.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.faildrop.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %drop    oe-failing
: oe.negopass.faildrop.fail-ike EXPECT NO FAILURE STATES
: oe.negopass.faildrop.fail-ike TRY FAILURE PING
down
: oe.negopass.faildrop.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negopass --faildrop
:
:
: OE testing: oe.negopass.faildrop.fail-child -- --negopass --faildrop --esp aes
:
:
: oe.negopass.faildrop.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.faildrop.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --faildrop --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.faildrop.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.faildrop.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negopass.faildrop.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.faildrop.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.faildrop.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %drop    oe-failing
: oe.negopass.faildrop.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE BUT THERE ARE - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negopass.faildrop.fail-child TRY FAILURE PING
down
: oe.negopass.faildrop.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-pass.sh        --negopass --failpass
:
:
: OE testing: oe.negopass.failpass.pass -- --negopass --failpass
:
:
: oe.negopass.failpass.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failpass.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failpass --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failpass.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failpass.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negopass.failpass.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negopass.failpass.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.failpass.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negopass.failpass.pass EXPECT NO STATES
: oe.negopass.failpass.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negopass.failpass.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negopass --failpass
:
:
: OE testing: oe.negopass.failpass.fail-ike -- --negopass --failpass --ike aes
:
:
: oe.negopass.failpass.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failpass.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failpass --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failpass.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failpass.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-ike TRY NEGOTIATION PING
up
: oe.negopass.failpass.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negopass.failpass.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.failpass.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
: oe.negopass.failpass.fail-ike EXPECT NO FAILURE STATES
: oe.negopass.failpass.fail-ike TRY FAILURE PING
up
: oe.negopass.failpass.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negopass --failpass
:
:
: OE testing: oe.negopass.failpass.fail-child -- --negopass --failpass --esp aes
:
:
: oe.negopass.failpass.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negopass.failpass.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negopass --failpass --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negopass.failpass.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negopass.failpass.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negopass.failpass.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negopass.failpass.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negopass.failpass.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
: oe.negopass.failpass.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE BUT THERE ARE - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negopass.failpass.fail-child TRY FAILURE PING
up
: oe.negopass.failpass.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-pass.sh        --negodrop --failnone
:
:
: OE testing: oe.negodrop.failnone.pass -- --negodrop --failnone
:
:
: oe.negodrop.failnone.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failnone.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failnone --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failnone.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failnone.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negodrop.failnone.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negodrop.failnone.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.failnone.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negodrop.failnone.pass EXPECT NO STATES
: oe.negodrop.failnone.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.failnone.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negodrop --failnone
:
:
: OE testing: oe.negodrop.failnone.fail-ike -- --negodrop --failnone --ike aes
:
:
: oe.negodrop.failnone.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failnone.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failnone --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failnone.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failnone.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 3850432 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-ike TRY NEGOTIATION PING
down
: oe.negodrop.failnone.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negodrop.failnone.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.failnone.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
: oe.negodrop.failnone.fail-ike EXPECT NO FAILURE STATES
: oe.negodrop.failnone.fail-ike TRY FAILURE PING
: oe.negodrop.failnone.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negodrop --failnone
:
:
: OE testing: oe.negodrop.failnone.fail-child -- --negodrop --failnone --esp aes
:
:
: oe.negodrop.failnone.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failnone.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failnone --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failnone.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failnone.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negodrop.failnone.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.failnone.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failnone.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
: oe.negodrop.failnone.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE BUT THERE ARE - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negodrop.failnone.fail-child TRY FAILURE PING
: oe.negodrop.failnone.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-pass.sh        --negodrop --faildrop
:
:
: OE testing: oe.negodrop.faildrop.pass -- --negodrop --faildrop
:
:
: oe.negodrop.faildrop.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.faildrop.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --faildrop --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.faildrop.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.faildrop.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negodrop.faildrop.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negodrop.faildrop.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.faildrop.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negodrop.faildrop.pass EXPECT NO STATES
: oe.negodrop.faildrop.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.faildrop.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negodrop --faildrop
:
:
: OE testing: oe.negodrop.faildrop.fail-ike -- --negodrop --faildrop --ike aes
:
:
: oe.negodrop.faildrop.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.faildrop.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --faildrop --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.faildrop.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.faildrop.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 3850432 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-ike TRY NEGOTIATION PING
down
: oe.negodrop.faildrop.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negodrop.faildrop.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.faildrop.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %drop    oe-failing
: oe.negodrop.faildrop.fail-ike EXPECT NO FAILURE STATES
: oe.negodrop.faildrop.fail-ike TRY FAILURE PING
down
: oe.negodrop.faildrop.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negodrop --faildrop
:
:
: OE testing: oe.negodrop.faildrop.fail-child -- --negodrop --faildrop --esp aes
:
:
: oe.negodrop.faildrop.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.faildrop.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --faildrop --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.faildrop.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.faildrop.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negodrop.faildrop.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.faildrop.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.faildrop.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %drop    oe-failing
: oe.negodrop.faildrop.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE, BUT IKE SA #1 IS STILL ESTABLISHED - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negodrop.faildrop.fail-child TRY FAILURE PING
down
: oe.negodrop.faildrop.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-pass.sh        --negodrop --failpass
:
:
: OE testing: oe.negodrop.failpass.pass -- --negodrop --failpass
:
:
: oe.negodrop.failpass.pass RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failpass.pass LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failpass --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failpass.pass EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.pass TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failpass.pass ESTABLISH
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
up
: oe.negodrop.failpass.pass EXPECT IPSEC POLICY
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 3850432 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 3850432 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid 16397 mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.pass EXPECT ONE PACKET
#2: "road#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='ID_NULL'
: oe.negodrop.failpass.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.failpass.pass SHUTDOWN
"road#192.1.2.0/24"[1] ...192.1.2.23: initiating delete of connection's IKE SA #1 (and Child SA #2)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent INFORMATIONAL request to delete IKE SA
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: ESP traffic information: in=84B out=84B
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (established IKE SA)
: oe.negodrop.failpass.pass EXPECT NO STATES
: oe.negodrop.failpass.pass EXPECT NO SHUNTS
Bare Shunt list:
 
: oe.negodrop.failpass.pass EXPECT TRAP POLICY
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-ike.sh    --negodrop --failpass
:
:
: OE testing: oe.negodrop.failpass.fail-ike -- --negodrop --failpass --ike aes
:
:
: oe.negodrop.failpass.fail-ike RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failpass.fail-ike LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failpass --ike aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failpass.fail-ike EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-ike TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failpass.fail-ike EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 3850432 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-ike TRY NEGOTIATION PING
down
: oe.negodrop.failpass.fail-ike WAIT FOR IKE_SA_INIT TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: ignoring IKE_SA_INIT response containing NO_PROPOSAL_CHOSEN notification (Message ID 0; message payloads N, missing SA,KE,Ni)
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: deleting IKE SA (sent IKE_SA_INIT request)
: oe.negodrop.failpass.fail-ike WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.failpass.fail-ike FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-ike FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
: oe.negodrop.failpass.fail-ike EXPECT NO FAILURE STATES
: oe.negodrop.failpass.fail-ike TRY FAILURE PING
up
: oe.negodrop.failpass.fail-ike WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ./oe-fail-child.sh  --negodrop --failpass
:
:
: OE testing: oe.negodrop.failpass.fail-child -- --negodrop --failpass --esp aes
:
:
: oe.negodrop.failpass.fail-child RESTARTING PLUTO
begin #
 ipsec stop
Redirecting to: [initsystem]
end #
begin #
 ipsec start
Redirecting to: [initsystem]
end #
: oe.negodrop.failpass.fail-child LOADING CONNECTION
begin #
 ipsec addconn --name road --retransmit-timeout 5s --retransmit-interval 5s --host 192.1.3.209 --nexthop 192.1.3.254 --authby null --id %null --negodrop --failpass --esp aes --to --host %opportunisticgroup --authby null --id %null
"road": added IKEv2 connection
end #
listening for IKE messages
loading secrets from "/etc/ipsec.secrets"
loading group "/etc/ipsec.d/policies/road"
: oe.negodrop.failpass.fail-child EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-child TRIGGERING OE
fired and forgotten
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
: oe.negodrop.failpass.fail-child EXPECT NEGOTIATION KERNEL POLICY
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-child WAIT FOR IKE_AUTH TO FAIL
"road#192.1.2.0/24"[1] ...192.1.2.23 #1: initiator established IKE SA; authenticated peer using authby=null and NULL 'ID_NULL'
"road#192.1.2.0/24"[1] ...192.1.2.23 #2: IKE_AUTH response rejected Child SA with NO_PROPOSAL_CHOSEN
: oe.negodrop.failpass.fail-child WAIT FOR ACQUIRE TO EXPIRE
: oe.negodrop.failpass.fail-child FAILURE KERNEL POLICY - WHEN failpass OR faildrop
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
: oe.negodrop.failpass.fail-child FAILURE SHUNT - WHEN failpass OR faildrop
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
: oe.negodrop.failpass.fail-child EXPECT NO FAILURE STATES -- SHOULD BE NONE, BUT IKE SA #1 IS STILL ESTABLISHED - BUG
#1: "road#192.1.2.0/24"[1] ...192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
: oe.negodrop.failpass.fail-child TRY FAILURE PING
up
: oe.negodrop.failpass.fail-child WAIT FOR FAILURE SHUNT TO EXPIRE
: EXPECT TRAP KERNEL POLICY FOR 192.1.2.0/24
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 3850449 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
