/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 /testing/x509/import.sh real/mainca/west.p12
 ipsec pk12util -w nss-pw -i real/mainca/west.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
 ipsec certutil -M -n mainca -t CT,,
 ipsec certutil -O -n west
"mainca" [E=testing@libreswan.org,CN=Libreswan test CA for mainca,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
  "west" [E=user-west@testing.libreswan.org,CN=west.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA]
west #
 # check
west #
 ipsec certutil -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west                                                         u,u,u
mainca                                                       CT,, 
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add nss-cert
"nss-cert": added IKEv1 connection
west #
 ipsec auto --status |grep nss-cert
"nss-cert": 192.0.1.254/32===192.1.2.45[@west.testing.libreswan.org]...192.1.2.23[%fromcert]===192.0.2.254/32; unrouted; my_ip=192.0.1.254; their_ip=192.0.2.254;
"nss-cert":   host: oriented; local: 192.1.2.45; remote: 192.1.2.23;
"nss-cert":   mycert=west; my_updown=ipsec _updown;
"nss-cert":   xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
"nss-cert":   our auth:rsasig, their auth:rsasig, our autheap:none, their autheap:none;
"nss-cert":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
"nss-cert":   cisco-split: no; cisco-unity: no; cisco-peer: no; nm-configured: no;
"nss-cert":   sec_label:unset;
"nss-cert":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any'
"nss-cert":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"nss-cert":   iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"nss-cert":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
"nss-cert":   initial-contact:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"nss-cert":   policy: IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"nss-cert":   conn_prio: 32,32,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"nss-cert":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"nss-cert":   our idtype: FQDN; our id=@west.testing.libreswan.org; their idtype: %fromcert; their id=%fromcert
"nss-cert":   sendca: none; our sendcert: always; their sendcert: always;
"nss-cert":   dpd: passive; delay:0s; timeout:0s
"nss-cert":   nat-traversal: encapsulation:auto; keepalive:20s; ikev1-method:rfc+drafts
"nss-cert":   routing: unrouted;
"nss-cert":   conn serial: $1;
west #
 ipsec whack --impair suppress_retransmits
west #
 echo "initdone"
initdone
west #
 ipsec auto --up nss-cert
"nss-cert" #1: initiating IKEv1 Main Mode connection
"nss-cert" #1: sent Main Mode request
"nss-cert" #1: sent Main Mode I2
"nss-cert" #1: I am sending my cert
"nss-cert" #1: I am sending a certificate request
"nss-cert" #1: sent Main Mode I3
"nss-cert" #1: Peer ID is DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
"nss-cert" #1: authenticated peer certificate 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' and 3nnn-bit RSA with SHA1 signature issued by 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
"nss-cert" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"nss-cert" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:MSGID proposal=AES_CBC-HMAC_SHA1_96, AES_CBC-HMAC_SHA2_512_256, AES_CBC-HMAC_SHA2_256_128, AES_GCM_16_128-NONE, AES_GCM_16_256-NONE, 3DES_CBC-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA2_512_256, 3DES_CBC-HMAC_SHA2_256_128 pfsgroup=MODP2048 192.0.1.254/32===192.0.2.254/32}
"nss-cert" #2: sent Quick Mode request
"nss-cert" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west #
 echo done
done
west #
 ipsec certutil -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west                                                         u,u,u
mainca                                                       CT,, 
west #
