/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 ipsec certutil -D -n east
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.23/32"  >> /etc/ipsec.d/policies/private-or-clear
road #
 # scan every 10s
road #
 ipsec pluto --config /etc/ipsec.conf --expire-shunt-interval 10
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 10,' -- ipsec auto --status
Total IPsec connections: loaded 10, active 0
road #
 echo "initdone"
initdone
road #
 # We should already have a %trap policy because we have a
road #
 # 192.1.2.23/32 group-instance
road #
 ../../guestbin/ipsec-kernel-policy.sh 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 # Trigger a private-or-clear.  Since the peer is down will fail after
road #
 # several IKE_SA_INIT retransmits.
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 # Wait for the first retransmit and then check that policy et.al. are
road #
 # correct.  At this point, since the connection owns the kernel
road #
 # policy, there are no bare shunts.
road #
 ../../guestbin/wait-for-pluto.sh '^".*#1: .*retransmission; will wait 0.5 seconds'
"private-or-clear#192.1.2.23/32"[1] ...192.1.2.23 #1: IKE_SA_INIT_I: retransmission; will wait 0.5 seconds for response
road #
 ../../guestbin/ipsec-kernel-policy.sh 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
road #
 ipsec showstates
#1: "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23:500 IKE_SA_INIT_I (sent IKE_SA_INIT request); RETRANSMIT in XXs; idle;
#1: pending Child SA for "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23
road #
 # Since there's already an IKE_SA in-flight, pings at this point
road #
 # should be ignored.
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 ipsec showstates
#1: "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23:500 IKE_SA_INIT_I (sent IKE_SA_INIT request); RETRANSMIT in XXs; idle;
#1: pending Child SA for "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23
road #
 # Now wait for the fatal timeout.  This triggers the deletion of both
road #
 # the state and the template connection, and the kernel policy will be
road #
 # owned by a bare shunt.
road #
 ../../guestbin/wait-for-pluto.sh '^".*#1:.* 5 second timeout exceeded'
"private-or-clear#192.1.2.23/32"[1] ...192.1.2.23 #1: IKE_SA_INIT_I: 5 second timeout exceeded after 4 retransmits.  No response (or no acceptable response) to our first IKEv2 message
road #
 ../../guestbin/ipsec-kernel-policy.sh 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing $10
road #
 ipsec showstates
road #
 # Since there's a bare shunt ignoring things, pings at this point
road #
 # should be ignored and no new states should be created.
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 ipsec showstates
road #
 # Now wait for the bare shunt to expire.
road #
 ../../guestbin/wait-for.sh --no-match oe-failing -- ipsec whack --shuntstatus
road #
 ../../guestbin/ipsec-kernel-policy.sh 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
road #
 ipsec showstates
road #
 # Since the bare shunt as gone, a ping should start a new IKE SA.
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 ../../guestbin/wait-for-pluto.sh '^".*#2: .*retransmission; will wait 0.5 seconds'
"private-or-clear#192.1.2.23/32"[2] ...192.1.2.23 #2: IKE_SA_INIT_I: retransmission; will wait 0.5 seconds for response
road #
 
