/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
east #
 # System Role deployment on nic will push configurations to our machine
east #
 # into /etc/ipsec.d/
east #
 # because it will change files, we can't mount bind them. So use a fressh empty dir
east #
 rm -rf OUTPUT/east/ipsec.d
east #
 mkdir -p OUTPUT/east/ipsec.d
east #
 chmod 777 OUTPUT/east
east #
 mount -o bind,rw OUTPUT/east/ipsec.d /etc/ipsec.d
east #
 # initnss normally happens in the initsystem - but not for namespace testing
east #
 # ../../guestbin/if-namespace.sh ipsec initnss
east #
 ipsec initnss
Initializing NSS database
east #
 ipsec pk12util -i /testing/x509/pkcs12/mainca/east.p12 -w /testing/x509/nss-pw
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 # test config for syntax errors
east #
 ipsec addconn --checkconfig --config /etc/ipsec.conf
east #
 # start for test
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 # test secrets reading for early warning of syntax errors
east #
 ipsec secrets
loading secrets from "/etc/ipsec.secrets"
east #
 ../../guestbin/if-namespace.sh PATH/sbin/sshd -o PidFile=/var/run/pluto/sshd.pid
east #
 # ready for System Role to drop file(s) into /etc/ipsec.d/
east #
 echo "initdone"
initdone
east #
 # New files should have dropped in, and we are ready to restart
east #
 ipsec restart
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec status | grep 192.1.2
interface eth1 192.1.2.23:UDP/4500 (NAT)
interface eth1 192.1.2.23:UDP/500
"192.1.2.23-to-192.1.2.45": 192.1.2.23...192.1.2.45[%fromcert]; routed-ondemand; my_ip=unset; their_ip=unset;
"192.1.2.23-to-192.1.2.45":   host: oriented; local: 192.1.2.23; remote: 192.1.2.45;
"192.1.2.23-to-192.1.2.45":   mycert=east; my_updown=ipsec _updown;
"192.1.2.23-to-192.1.2.45":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
"192.1.2.23-to-192.1.2.45":   our auth:rsasig(RSASIG+RSASIG_v1_5), their auth:RSASIG+ECDSA+RSASIG_v1_5, our autheap:none, their autheap:none;
"192.1.2.23-to-192.1.2.45":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
"192.1.2.23-to-192.1.2.45":   sec_label:unset;
"192.1.2.23-to-192.1.2.45":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any'
"192.1.2.23-to-192.1.2.45":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"192.1.2.23-to-192.1.2.45":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
"192.1.2.23-to-192.1.2.45":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"192.1.2.23-to-192.1.2.45":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+ROUTE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"192.1.2.23-to-192.1.2.45":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
"192.1.2.23-to-192.1.2.45":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"192.1.2.23-to-192.1.2.45":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"192.1.2.23-to-192.1.2.45":   our idtype: ID_IPV4_ADDR; our id=192.1.2.23; their idtype: %fromcert; their id=%fromcert
"192.1.2.23-to-192.1.2.45":   liveness: passive; dpddelay:0s; retransmit-timeout:60s
"192.1.2.23-to-192.1.2.45":   nat-traversal: encapsulation:auto; keepalive:20s
"192.1.2.23-to-192.1.2.45":   routing: routed-ondemand;
"192.1.2.23-to-192.1.2.45":   conn serial: $1;
east #
 echo done
done
east #
 ipsec stop
Redirecting to: [initsystem]
east #
 #rm -f /etc/ipsec.d/*.*
east #
 #umount /etc/ipsec.d
east #
 test -f /var/run/pluto/sshd.pid && kill -9 `cat /var/run/pluto/sshd.pid` >/dev/null
east #
 
