/testing/guestbin/swan-prep
west #
 setenforce 1
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add ikev1-ipsec-fail
002 added connection description "ikev1-ipsec-fail"
west #
 ipsec auto --add ikev1-aggr-ipsec-fail
002 added connection description "ikev1-aggr-ipsec-fail"
west #
 ipsec auto --add ikev2-ipsec-fail
002 added connection description "ikev2-ipsec-fail"
west #
 #ipsec whack --impair delete-on-retransmit
west #
 echo "initdone"
initdone
west #
 # ipsec fail tests
west #
 # See description of limitations of this test
west #
 ipsec auto --up ikev1-ipsec-fail
002 "ikev1-ipsec-fail" #1: initiating Main Mode
1v1 "ikev1-ipsec-fail" #1: STATE_MAIN_I1: sent MI1, expecting MR1
1v1 "ikev1-ipsec-fail" #1: STATE_MAIN_I2: sent MI2, expecting MR2
1v1 "ikev1-ipsec-fail" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "ikev1-ipsec-fail" #1: Peer ID is ID_FQDN: '@east-v1'
003 "ikev1-ipsec-fail" #1: Authenticated using RSA with SHA-1
004 "ikev1-ipsec-fail" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1536}
002 "ikev1-ipsec-fail" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
1v1 "ikev1-ipsec-fail" #2: STATE_QUICK_I1: sent QI1, expecting QR1
010 "ikev1-ipsec-fail" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "ikev1-ipsec-fail" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
031 "ikev1-ipsec-fail" #2: STATE_QUICK_I1: 2 second timeout exceeded after 2 retransmits. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "ikev1-ipsec-fail" #2: starting keying attempt 2 of at most 1, but releasing whack
west #
 ipsec auto --delete ikev1-ipsec-fail
002 "ikev1-ipsec-fail": terminating SAs using this connection
002 "ikev1-ipsec-fail" #3: deleting state (STATE_QUICK_I1) and NOT sending notification
002 "ikev1-ipsec-fail" #1: deleting state (STATE_MAIN_I4) and sending notification
west #
 ipsec auto --up ikev1-aggr-ipsec-fail
002 "ikev1-aggr-ipsec-fail" #4: initiating Aggressive Mode
1v1 "ikev1-aggr-ipsec-fail" #4: STATE_AGGR_I1: sent AI1, expecting AR1
002 "ikev1-aggr-ipsec-fail" #4: Peer ID is ID_FQDN: '@east-v1'
002 "ikev1-aggr-ipsec-fail" #4: Peer ID is ID_FQDN: '@east-v1'
003 "ikev1-aggr-ipsec-fail" #4: Authenticated using RSA with SHA-1
004 "ikev1-aggr-ipsec-fail" #4: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA1 group=MODP1536}
002 "ikev1-aggr-ipsec-fail" #5: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
1v1 "ikev1-aggr-ipsec-fail" #5: STATE_QUICK_I1: sent QI1, expecting QR1
010 "ikev1-aggr-ipsec-fail" #5: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
010 "ikev1-aggr-ipsec-fail" #5: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
031 "ikev1-aggr-ipsec-fail" #5: STATE_QUICK_I1: 2 second timeout exceeded after 2 retransmits. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "ikev1-aggr-ipsec-fail" #5: starting keying attempt 2 of at most 1, but releasing whack
west #
 ipsec auto --delete ikev1-aggr-ipsec-fail
002 "ikev1-aggr-ipsec-fail": terminating SAs using this connection
002 "ikev1-aggr-ipsec-fail" #6: deleting state (STATE_QUICK_I1) and NOT sending notification
002 "ikev1-aggr-ipsec-fail" #4: deleting state (STATE_AGGR_I2) and sending notification
west #
 ipsec auto --up ikev2-ipsec-fail
1v2 "ikev2-ipsec-fail" #7: initiating IKEv2 IKE SA
1v2 "ikev2-ipsec-fail" #7: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "ikev2-ipsec-fail" #8: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "ikev2-ipsec-fail" #8: IKE_AUTH response contained the error notification TS_UNACCEPTABLE
036 "ikev2-ipsec-fail" #8: encountered fatal error in state STATE_PARENT_I2
west #
 ipsec auto --delete ikev2-ipsec-fail
002 "ikev2-ipsec-fail": terminating SAs using this connection
002 "ikev2-ipsec-fail" #7: deleting state (STATE_PARENT_I2) and NOT sending notification
west #
 echo done
done
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 grep -E -i "IKE|ipsec-" /var/log/audit/audit.log
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start direction=initiator conn-name="ikev1-ipsec-fail" connstate=1 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start conn-name="ikev1-ipsec-fail" connstate=2, satype=ipsec-policy samode=tunnel cipher=none ksize=0 integ=none in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX) out-spi=DEC(HEX) raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=destroy direction=initiator conn-name="ikev1-ipsec-fail" connstate=1 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start direction=initiator conn-name="ikev1-aggr-ipsec-fail" connstate=4 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start conn-name="ikev1-aggr-ipsec-fail" connstate=5, satype=ipsec-policy samode=tunnel cipher=none ksize=0 integ=none in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX) out-spi=DEC(HEX) raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=destroy direction=initiator conn-name="ikev1-aggr-ipsec-fail" connstate=4 ike-version=1 auth=RSA_SIG cipher=aes ksize=256 integ=sha1 prf=sha1 pfs=MODP1536 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=success'^]UID="root" AUID="unset"
type=CRYPTO_IPSEC_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start conn-name="ikev2-ipsec-fail" connstate=8, satype=ipsec-policy samode=tunnel cipher=none ksize=0 integ=none in-spi=DEC(HEX) out-spi=DEC(HEX) in-spi=DEC(HEX) out-spi=DEC(HEX) raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
type=CRYPTO_IKE_SA msg=audit(XXX): pid=PID uid=0 auid=AUID ses=SES subj=system_u:system_r:unconfined_service_t:s0 msg='op=start direction=initiator conn-name="ikev2-ipsec-fail" connstate=8 ike-version=2.0 auth=RSA_SIG cipher=aes_gcm_16 ksize=256 integ=none prf=sha512 pfs=MODP2048 raddr=192.1.2.23 exe="PATH/libexec/ipsec/pluto" hostname=? addr=192.1.2.45 terminal=? res=failed'^]UID="root" AUID="unset"
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

